StylishThemes / GitHub-Dark-Script

Archived - Please use https://github.com/StylishThemes/GitHub-Dark directly
https://greasyfork.org/en/scripts/15562
MIT License
550 stars 51 forks

Content Security Policy issues in Safari #13

Open michaelmesser opened 8 years ago

michaelmesser commented 8 years ago

GitHub does not change theme when I load this script. I am using Safari with Tampermonkey.

Mottie commented 8 years ago

I don't own any Apple devices, so I can't check. Are you seeing any errors in the console?

michaelmesser commented 8 years ago

GitHub-Dark-Script:0 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets-cdn.github.com".

michaelmesser commented 8 years ago

Works fine with Chrome Tampermonkey.

Mottie commented 8 years ago

Very odd, I'm not sure why Safari isn't behaving like Chrome. I haven't found any reports about this particular problem.

Please do me a favor and add the following line just below the other @connect line near the top of the userscript.

// @connect      raw.githubusercontent.com

The only domain that is accessed within the script is githubusercontent.com which already has a defined @connect. It doesn't include the raw subdomain, which really shouldn't make a difference, but it's worth trying.

Also, I don't think the @require definitions that load jQuery and a script from greasyfork should make a difference... I have been thinking about rewriting the script to use plain JS and not require jQuery, but I'm lacking the time and motivation. :smile_cat:

michaelmesser commented 8 years ago

No difference with @connect

On May 23, 2016, at 6:35 PM, Rob G notifications@github.com wrote:

// @connect      raw.githubusercontent.com

Mottie commented 8 years ago

:disappointed: @silverwind would you please see if you can find the problem?

silverwind commented 8 years ago

Will check later.

silverwind commented 8 years ago

Pretty sure this is a Tampermonkey issue, filed https://github.com/Tampermonkey/tampermonkey/issues/296.

Mottie commented 8 years ago

Or maybe try NinjaKit?

silverwind commented 8 years ago

No luck with that either. On NinjaKit, it installs fine, but doesn't show any indicator that the script is active and nothing is logged on the console. The state of Safari extensions is a sad one.

Mottie commented 8 years ago

Have you heard anything about AdGuard? It looks like it supports adding userscripts (aka extensions) in Safari.

silverwind commented 8 years ago

Where does it say so? It looks like some kind of OS-level firewall thing to me, I'm not daring to install it. And it's not free.

Mottie commented 8 years ago

The good news is now MS Edge supports extensions... oh joy!

xt0rted commented 8 years ago

Tampermonkey was just released for Edge today. So far no luck getting github-dark to run on it though.

Mottie commented 8 years ago

@xt0rted I think the problem has to do with GitHub's CSP.

silverwind commented 8 years ago

Check if there's a CSP violation in the console. If there is, chances are that either the Tampermonkey or Edge developers have to fix it.

Mottie commented 8 years ago

Yeah, that's what I was seeing...

HTML1300: Navigation occurred. GitHub-Dark
CSP14309: Unknown directive 'base-uri' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'block-all-mixed-content' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'child-src' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'form-action' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'frame-ancestors' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'plugin-types' in Content-Security-Policy - directive will be ignored.
CSP14312: Resource violated directive 'script-src assets-cdn.github.com' in Content-Security-Policy: inline script. Resource will be blocked.
HTML1512: Unmatched end tag. GitHub-Dark (1572,5)

silverwind commented 8 years ago

It's this one right here:

CSP14312: Resource violated directive 'script-src assets-cdn.github.com' in Content-Security-Policy: inline script. Resource will be blocked.

Mottie commented 8 years ago

Here's a link: https://connect.microsoft.com/IE/feedback/details/2208881/csp-header-referrer-isnt-supported

chasingmaxwell commented 8 years ago

I'm seeing something similar in Chrome (53.0.2785.143) on Linux:

Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAIt0ABEAAAABQDwAAQABAAAAAAAAAAAAAAAAAAAAA…CwKGBmIIpVWLACJWGwAUVjI2KwAiNEswkKAwIrswsQAwIrsxEWAwIrWbIEKAZFUkSzCxAEAisA' because it violates the following Content Security Policy directive: "font-src assets-cdn.github.com".

I'm seeing about 45 of those in my dev tools console. This prevents Github Dark from functioning at all and started happening only yesterday (I think when I upgraded chrome).

silverwind commented 8 years ago

Check if the option to circumvent CSP is checked in Tampermonkey's options, and if it is, report it to Tampermonkey. I don't think there's anything we can do about these issues unfortunately.
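The two console errors quoted in this thread (an inline script refused under `script-src assets-cdn.github.com`, and a `data:` font refused under `font-src assets-cdn.github.com`) are both ordinary CSP source-list matching. The following is an added example, not code from this thread or from the GitHub-Dark-Script project, that models that matching well enough to reproduce both verdicts and to show which source expressions would have permitted them. The function names (`parseCsp`, `allowsUrl`, `allowsInline`, `demo`), the "relaxed" policy string and the short base64 font payload are constructed for the example; only the two directives come from the quoted errors. It covers host sources, scheme sources such as `data:`, `*`, `'self'`, `'unsafe-inline'` and `'nonce-...'`; hash sources, `'strict-dynamic'` and path matching are left out.

```javascript
'use strict';

// Parse a Content-Security-Policy header value into
// { 'directive-name': ['source', ...] }. A repeated directive name is
// ignored, as CSP requires.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives fall back to default-src when absent; if neither is
// present the resource is allowed.
function sourcesFor(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Does one source expression match a URL? Subset of CSP3 matching:
// 'none', 'self', '*', scheme sources ("data:", "https:") and host
// sources with an optional "*." wildcard. Paths are not compared.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url === pageOrigin || url.startsWith(pageOrigin + '/');
  if (s === '*') return !/^(data|blob|filesystem):/i.test(url); // '*' never matches these schemes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.toLowerCase().startsWith(s); // scheme source
  let parsed;
  try { parsed = new URL(url, pageOrigin); } catch (e) { return false; }
  const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return parsed.hostname.endsWith(host.slice(1));
  return parsed.hostname === host;
}

// Verdict for a fetched resource (external script, font, image, ...).
function allowsUrl(policy, directive, url, pageOrigin) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Verdict for an inline script or style. Allowed by a matching nonce, or
// by 'unsafe-inline' provided no nonce/hash source is present (a nonce or
// hash in the list switches 'unsafe-inline' off). Hashes are not modelled.
function allowsInline(policy, directive, nonce) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true; // nonces are case-sensitive
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Policy constructed from the two directives quoted in the console errors above.
const GITHUB_CSP = 'script-src assets-cdn.github.com; font-src assets-cdn.github.com';
// Hypothetical relaxed policy for comparison (not GitHub's real header).
const RELAXED_CSP = "script-src assets-cdn.github.com 'nonce-abc123'; font-src assets-cdn.github.com data:";
const ORIGIN = 'https://github.com';
const DATA_FONT = 'data:font/woff;base64,d09GRgABAAAA'; // constructed short payload

function demo() {
  const strict = parseCsp(GITHUB_CSP);
  const relaxed = parseCsp(RELAXED_CSP);
  const mixed = parseCsp("script-src 'unsafe-inline' 'nonce-x'");
  return {
    // the Safari/Edge error: injected inline script has no nonce and there is no 'unsafe-inline'
    inlineScriptBlocked: !allowsInline(strict, 'script-src', null),
    // the Chrome error: a data: URL matches no host source
    dataFontBlocked: !allowsUrl(strict, 'font-src', DATA_FONT, ORIGIN),
    cdnScriptAllowed: allowsUrl(strict, 'script-src', 'https://assets-cdn.github.com/app.js', ORIGIN),
    rawGithubBlocked: !allowsUrl(strict, 'script-src', 'https://raw.githubusercontent.com/x.js', ORIGIN),
    noncedInlineAllowed: allowsInline(relaxed, 'script-src', 'abc123'),
    wrongNonceBlocked: !allowsInline(relaxed, 'script-src', 'zzz'),
    dataFontAllowedWithDataScheme: allowsUrl(relaxed, 'font-src', DATA_FONT, ORIGIN),
    unsafeInlineIgnoredWhenNonced: !allowsInline(mixed, 'script-src', null),
  };
}

module.exports = { parseCsp, allowsUrl, allowsInline, demo };
```

`rawGithubBlocked` is there to show why the `@connect raw.githubusercontent.com` experiment earlier in the thread could not help: `@connect` governs what the userscript may fetch through the extension, while the errors here come from the page's own policy being applied to what the script injects into the page. Getting the script past that policy, by a nonce the extension does not have, by the site adding `'unsafe-inline'` or `data:`, or by the browser exempting extension-injected content as the spec suggests, is outside the userscript's control.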

christoff-1992 commented 7 years ago

Has anyone found any workarounds to this issue? I love this theme and really want to use it with Safari :) Great work to all those involved!

skeith commented 7 years ago

So, instead of making a new issue for Microsoft Edge, I should use this issue as the errors were the same. Any news on this?

silverwind commented 7 years ago

Not really, the bug is pretty much on Edge and Safari. Extension scripts should be made exempt from CSP, which is what Chrome and Firefox already implement.

For Safari, the bug should be https://bugs.webkit.org/show_bug.cgi?id=149000, I haven't found a corresponding Edge issue, maybe someone wants to file one.

silverwind commented 7 years ago

Tried to submit the bug on https://connect.microsoft.com/IE/feedback/LoadSubmitFeedbackForm, but it won't let me, presumably because I don't use Edge:

You are not authorized to submit the feedback for this connection.

So if someone is able to submit, please go ahead. The gist of this issue is that extensions should not be subject to a site's CSP and that Chrome and Firefox already do it that way. Maybe also link them to this issue.

silverwind commented 7 years ago

Oh, and it's even in the spec: https://w3c.github.io/webappsec-csp/#extensions

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets

silverwind commented 7 years ago

I was able to report from within a virtual machine:

https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11320214/

silverwind commented 6 years ago

I hear this has been fixed in a recent Edge version, which makes Safari the only browser to still block the script. Not much we can do, except watch https://bugs.webkit.org/show_bug.cgi?id=149000.

Bluscream commented 6 years ago

@Mottie you can request a free developer/beta license on the AdGuard forums. Also, something else that allows JS injection at the OS level is Fiddler.

Bluscream commented 6 years ago

Also, why not have all deps locally? That way there will be no CSP violation.

Mottie commented 6 years ago

I'm not sure how adguard is going to help with Safari? Please clarify.

And the dependencies are hosted on Greasyfork or GitHub (for GM4 polyfill), both of which should be supported by Tampermonkey's @require method. I don't think there's anything we can change in this userscript to make it work on Safari. If we do need to include all the dependencies, then sure we can try it, I still doubt it'll make a difference.