Closed SimonAlling closed 3 years ago
The one thing I'm not really sure about is the default value of `--bypass-csp`. It's already quite complicated to use Userscript Proxy, and now on top of that one has to know about CSPs too. CSP issues can also be very subtle and only arise in certain scenarios, because userscripts may inject resources conditionally and/or users may not realize that some resource is being blocked because they don't know exactly what functionality to expect from the userscript.
So I'm kind of torn between security and usability here. Right now, I'm actually leaning towards going with `everything` as the default value instead of `never`, because it makes it easier to get started, and anyone who decides to use Userscript Proxy in the first place has pretty much yeeted security out the window anyway.
⚠️ Also, please, future me, remember to document the new flag before merging this PR.
I have changed the default value to `script`, because `nothing` (previously `never`) defeats the entire purpose of using Userscript Proxy in the first place. My rationale for not choosing `everything` is that disabling CSPs should be a conscious choice, since it can be seen as quite a security risk. It's easy to change down the road if need be.
This looks excellent and completely addresses my use case. Thanks!
I have now pushed v1.1.0 to Docker Hub! :slightly_smiling_face:
As pointed out by @deatondg in #6, some sites have a CSP that prevents userscripts from running properly. This PR makes it possible to either bypass the CSP specifically for any userscripts that are injected (inline or not) or disable the CSP altogether whenever a userscript is injected. The latter is often necessary because userscripts tend to inject at least one resource into the page, be it an external image or just some inline CSS.
Resolves #6.
Co-authored-by: deatondg deaton.dg@gmail.com
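
To see which of these cases a given site falls into before choosing a `--bypass-csp` value, the following added example (not Userscript Proxy's own code) parses a `Content-Security-Policy` header and reports which typical userscript injections it would block. The function names, sample policy and image URL are constructed for illustration, and the source matching is deliberately simplified.

```javascript
// Added example, not Userscript Proxy code. Simplified CSP matching: no
// wildcard hosts, paths, 'strict-dynamic' or script-src-elem/-attr handling.

// Parse a Content-Security-Policy header value into directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Source list governing a fetch directive (falls back to default-src);
// null means nothing in the policy restricts that resource type.
const effective = (policy, directive) =>
  policy.get(directive) ?? policy.get("default-src") ?? null;

function allowsInline(sources) {
  if (sources === null) return true;
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const pinned = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !pinned;
}

function allowsUrl(sources, url) {
  if (sources === null) return true;
  const { protocol, origin } = new URL(url);
  return sources.some((s) =>
    (s === "*" && /^https?:$/.test(protocol)) || s === protocol || s === origin);
}

// Which typical userscript injections would this policy block?
function blockedInjections(header, imageUrl) {
  const policy = parseCsp(header);
  const blocked = [];
  if (!allowsInline(effective(policy, "script-src"))) blocked.push("inline script");
  if (!allowsInline(effective(policy, "style-src"))) blocked.push("inline style");
  if (!allowsUrl(effective(policy, "img-src"), imageUrl)) blocked.push("image");
  return blocked;
}

// Constructed sample policy and image URL.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'; img-src https:";
console.log(blockedInjections(SAMPLE_CSP, "https://img.example/logo.png"));
```

Entries other than `inline script` are the kind of injected resource that, per the description above, bypassing the CSP for the userscript alone does not cover.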