Open martixy opened 4 years ago
```json
["https://twitter\\.com", [ ["script-src", "'unsafe-eval' 'self' 'unsafe-inline' https://*.twimg.com https://www.google-analytics.com https://twitter.com 'nonce-YzFkN2FkNmYtOWExNC00MjZjLThlZDYtNGY0YjgyMTVjZWRh'"] ]]
```
Did you mean to leave out `script-src` on the right side of the `,`?

> Notice that it is missing the `script-src` directive.

Given

```
["<url-regexp>", [
  ["<pattern-regexp>", "<replacement-string>"]
]]
```

the extension will replace instances of `<pattern-regexp>` with `<replacement-string>`. If `<pattern-regexp>` can't be found, then this would have no effect.

If the original CSP is missing `script-src`, you'll need to find a different substring to use as `<pattern-regexp>` (or maybe try `$` and see if it can append to the end of the CSP).
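To make the replace semantics above concrete, here is an added example (not the extension's own code) that applies rules of the `["<url-regexp>", [["<pattern-regexp>", "<replacement-string>"]]]` shape to a CSP header string and shows three cases: a replacement that forgets to repeat the directive name and so silently drops `script-src`, a pattern that never matches and is therefore a no-op, and a `$` pattern that appends a directive. The `applyCspRules` and `parseCsp` functions, the sample header and the assumption that the extension uses plain `RegExp` matching with first-match `String.prototype.replace` semantics are mine, not taken from the project.

```javascript
// Added example, not the extension's code. Applies rules of the form
// ["<url-regexp>", [["<pattern-regexp>", "<replacement-string>"], ...]]
// to a Content-Security-Policy header value for the given page URL.
function applyCspRules(rules, pageUrl, csp) {
  let out = csp;
  for (const [urlRe, subs] of rules) {
    if (!new RegExp(urlRe).test(pageUrl)) continue; // rule targets another site
    for (const [patternRe, replacement] of subs) {
      // Non-global RegExp: only the first match is replaced; if the pattern
      // does not occur in the policy the header comes back unchanged.
      out = out.replace(new RegExp(patternRe), replacement);
    }
  }
  return out;
}

// Split a policy into { directiveName: [sources...] } so the result can be inspected.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Constructed sample header (shortened, with a made-up nonce) in the style of the twitter policy.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://twitter.com 'nonce-abc123'; connect-src 'self'";

// Replacement string omits the directive name: 'script-src' disappears from the parsed policy
// and the browser sees a source list with no directive, which is the mistake discussed above.
const BAD_RULES = [["https://twitter\\.com", [["script-src", "'unsafe-eval' 'self'"]]]];
// Corrected rule: the directive name is repeated, and the per-page nonce survives untouched
// because only the literal text "script-src" is rewritten.
const GOOD_RULES = [["https://twitter\\.com", [["script-src", "script-src 'unsafe-eval'"]]]];
// Pattern absent from the policy: no effect at all.
const NOOP_RULES = [["https://twitter\\.com", [["worker-src", "worker-src 'none'"]]]];
// "$" matches end of string, so the replacement is appended instead of substituted.
const APPEND_RULES = [["https://twitter\\.com", [["$", "; worker-src 'none'"]]]];
```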
My misunderstanding of the syntax aside - it is a service-worker problem, as I've found in the meantime, but I suppose there is nothing you can do about it, apart from removing the service worker on every load to force a network request.
> … removing the service worker on every load to force a network request.

Yeah I think that is too invasive of a workaround :(
Why is it not working on Twitter?

```json
[
  ["https://twitter\\.com", [
    ["connect-src", "connect-src data:"],
    ["script-src", "script-src 'unsafe-eval'"]
  ]]
]
```

Both of these failed :arrow_down:

```javascript
fetch('data:text/plain;charset=UTF-8;base64,dGV4dA==').then(data => data.text()).then(console.log)
```

```
Refused to connect to 'data:text/plain;charset=UTF-8;base64,dGV4dA==' because it violates the following Content Security Policy directive:
"connect-src 'self' blob: https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api-stream.twitter.com
https://ads-api.twitter.com https://aa.twitter.com https://caps.twitter.com https://pay.twitter.com https://sentry.io https://ton.twitter.com
https://twitter.com https://upload.twitter.com https://www.google-analytics.com https://accounts.google.com/gsi/status
https://accounts.google.com/gsi/log https://app.link https://api2.branch.io https://bnc.lt wss://*.pscp.tv https://vmap.snappytv.com
https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net
https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net
https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net
https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com".
```

```javascript
eval("console.log('')");
```

```
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' https://*.twimg.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/
https://www.gstatic.com/recaptcha/ https://client-api.arkoselabs.com/ https://www.google-analytics.com https://twitter.com
https://app.link https://accounts.google.com/gsi/client
https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js
'nonce-ODRmZTY0ZDYtYzdmMS00Y2EzLWI5MWYtYmI4YjAwNzVmNDQ0'".
```

I tried using the following rule:

Which does not work. The only thing I can think of that might be an issue is the service worker Twitter is using. (P.S. I know extensions can mess with service worker responses, because the "Disable Content-Security-Policy" extension successfully removes all CSP; I just want to modify it, not remove it completely.)

Additionally this failed:

Resulting in the following CSP:

```
default-src https: ; 'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-6hfHjRMVPEZUBt0k5PTwgDjuLU5FqyYn'; child-src 'none'; frame-src accounts.google.com content-issuetracker.corp.googleapis.com login.corp.google.com up.corp.googleapis.com;img-src https: data: blob: ; style-src https: 'unsafe-inline'; object-src 'none'; base-uri 'none'; report-uri /csp.do
```
Notice that it is missing the `script-src` directive.

Also, we should be able to modify the policy, rather than completely replacing it. Notice the nonces in the 1st example: those are different every page load. A simple regex search/replace should be enough. (Should I make this its own issue?)
Chrome: Version 80.0.3987.87 (Official Build) (64-bit)