Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

5.0 broke fetch request interception on firefox #1919

Open StephenLynx opened 9 months ago

StephenLynx commented 9 months ago

This is the meat and potatoes of my script:

window.fetch = async function(...args) {
  // do a bunch of stuff here
};

But the actual window.fetch is never changed. Requests are performed as usual and my function is never called. And if I remove // @grant none at the start and try to use unsafeWindow, then it completely breaks. Everything was working until my browser updated TM today; on my phone it still works. I'm using Firefox 102.15.0esr (64-bit) on CentOS 7.

Just confirmed the issue is TM 5.0, I downgraded to the previous release and everything works fine.

derjanb commented 9 months ago

Does the page have a content security policy (CSP)? Either via HTTP header or a meta tag inside the HTML. If so, your script probably ends up being executed inside a JavaScript-mode @sandbox, which might require cloneInto and friends for unsafeWindow property modification, because Tampermonkey does not relax CSP by default anymore. This change helps to better comply with the Mozilla add-on development policies.

The old behavior can be restored by setting 'Modify existing content security policy (CSP) headers' to 'Yes'. However, one of the next releases will disable CSP relaxing entirely.

Can you share the CSP?

StephenLynx commented 9 months ago

connect-src 'self' wss://*.torn.com wss://*.torncity.com *.torncity.com *.torn.com api.torn.com www.google-analytics.com www.facebook.com accounts.google.com/gsi/log accounts.google.com/gsi/status *.analytics.google.com wss://*.sendbird.com *.sendbird.com;default-src 'self';child-src 'self';frame-ancestors 'self';frame-src 'self' *.youtube.com youtube.com www.recaptcha.net/ www.google.com/recaptcha/ accounts.google.com/gsi/;img-src * data: blob:;font-src 'self' data: fonts.googleapis.com fonts.gstatic.com;o…2NWYyNzZmNDg4ZA==' 'self' *.torn.com *.google-analytics.com www.google.com/recaptcha/ www.recaptcha.net/recaptcha/ *.googletagmanager.com bat.bing.com www.gstatic.com/recaptcha/ accounts.google.com/gsi/client www.gstatic.com/charts/ 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=' 'sha256-U+5x0qCwsX+tGulrtCYIvR2cvHv88dzKyRwCO8yu7P0=';style-src 'self' *.torn.com 'unsafe-inline' fonts.googleapis.com accounts.google.com/gsi/style www.gstatic.com/charts/;media-src *;base-uri 'self';worker-src 'self' blob:;

Now that you mention it, I did see some CSP errors that I didn't use to see.

derjanb commented 9 months ago

Thanks, but the CSP is shortened at this point: fonts.gstatic.com;o…2NWYyNzZmNDg4ZA==

StephenLynx commented 9 months ago

connect-src 'self' wss://*.torn.com wss://*.torncity.com *.torncity.com *.torn.com api.torn.com www.google-analytics.com www.facebook.com accounts.google.com/gsi/log accounts.google.com/gsi/status *.analytics.google.com wss://*.sendbird.com *.sendbird.com;default-src 'self';child-src 'self';frame-ancestors 'self';frame-src 'self' *.youtube.com youtube.com www.recaptcha.net/ www.google.com/recaptcha/ accounts.google.com/gsi/;img-src * data: blob:;font-src 'self' data: fonts.googleapis.com fonts.gstatic.com;object-src 'none';script-src 'nonce-MmQ3OTgyMTg5MDEzOWUzZjJiNzc0NDY4OTgwNTRiYzJiMTAzMmVjYTQ2ZDU0Y2FmMmRkMGM5YWU5YjUxOTIzNA==' 'self' *.torn.com *.google-analytics.com www.google.com/recaptcha/ www.recaptcha.net/recaptcha/ *.googletagmanager.com bat.bing.com www.gstatic.com/recaptcha/ accounts.google.com/gsi/client www.gstatic.com/charts/ 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=' 'sha256-U+5x0qCwsX+tGulrtCYIvR2cvHv88dzKyRwCO8yu7P0=';style-src 'self' *.torn.com 'unsafe-inline' fonts.googleapis.com accounts.google.com/gsi/style www.gstatic.com/charts/;media-src *;base-uri 'self';worker-src 'self' blob:;

derjanb commented 9 months ago

Hmm. This CSP should allow Tampermonkey to inject the script as usual. What is the output of

console.log("GM_info.relaxedCsp", GM_info.relaxedCsp);
console.log("GM_info.sandboxMode", GM_info.sandboxMode)

if put inside the script?

StephenLynx commented 9 months ago

GM_info.relaxedCsp auto
GM_info.sandboxMode js
on 5.0

First one is undefined and the second one is raw on 4.19 iirc. Also, I can't access the specific page on the website at all times, I'll get the CSP again when I'm able in a couple hours. I assume this site doesn't use different CSPs for different pages, but I'd rather be thorough.

StephenLynx commented 9 months ago

And here is the CSP header for the exact page I was running my script on

connect-src 'self' wss://*.torn.com wss://*.torncity.com *.torncity.com *.torn.com api.torn.com www.google-analytics.com www.facebook.com accounts.google.com/gsi/log accounts.google.com/gsi/status *.analytics.google.com wss://*.sendbird.com *.sendbird.com;default-src 'self';child-src 'self';frame-ancestors 'self';frame-src 'self' *.youtube.com youtube.com www.recaptcha.net/ www.google.com/recaptcha/ accounts.google.com/gsi/;img-src * data: blob:;font-src 'self' data: fonts.googleapis.com fonts.gstatic.com;object-src 'none';script-src 'nonce-MmFlMTc4ODU1ZjE3MzZkNDY2NzIxNDFhMzlkODU0MWQ5ODQwOWE4MDNiMzA4YWJhZTMyZDJlZGZlOWI4ZWFhZQ==' 'self' *.torn.com *.google-analytics.com www.google.com/recaptcha/ www.recaptcha.net/recaptcha/ *.googletagmanager.com bat.bing.com www.gstatic.com/recaptcha/ accounts.google.com/gsi/client www.gstatic.com/charts/ 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=' 'sha256-U+5x0qCwsX+tGulrtCYIvR2cvHv88dzKyRwCO8yu7P0=';style-src 'self' *.torn.com 'unsafe-inline' fonts.googleapis.com accounts.google.com/gsi/style www.gstatic.com/charts/;media-src *;base-uri 'self';worker-src 'self' blob:;

derjanb commented 9 months ago

> Everything was working until my browser updated TM today

Tampermonkey needs to stop (automatic) CSP relaxing to better comply with the Mozilla add-on development policies.

> And here is the CSP header for the exact page I was running my script on

"sandboxMode js" means that the script runs inside a FF Xray Vision sandbox, but this CSP should not stop script injection into the page. Maybe they add a meta tag with an additional CSP?

BTW, as a fallback for now: the old CSP behavior can be restored by setting 'Modify existing content security policy (CSP) headers' to 'Yes'. Can you please check if it is working then?

Setting "Content Script API" to "UserScripts API Dynamic" might also help. Can you please check?

Also can you please have a look at #1934. Does that help when unsafeWindow is used?
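Added example, not part of the thread and not Tampermonkey's code: a small evaluator for the question raised above, namely what a header policy like the one posted, combined with a possible meta-tag policy, permits for an inline `<script>` element. It says nothing about how Tampermonkey itself injects scripts. The header sample is constructed and shortened from the posted one with a placeholder nonce, the meta policy is hypothetical, hash sources are detected but not matched, and `script-src-elem` is ignored.

```javascript
// Constructed samples: a shortened form of the header posted in the thread with a
// placeholder nonce, and a hypothetical meta-tag policy.
const HEADER_CSP = "default-src 'self';object-src 'none';script-src 'nonce-Y29uc3RydWN0ZWQ=' " +
  "'self' *.torn.com 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=';base-uri 'self';";
const META_CSP = "script-src 'self'";

// Parse one serialized policy into Map(directive name -> source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does ONE policy let an inline <script> run? `nonce` is the element's nonce or null.
function policyAllowsInline(policy, nonce = null) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src'); // fallback chain
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };
  // Nonce values are case-sensitive; keywords are not.
  const nonces = sources.map(s => /^'nonce-(.+)'$/i.exec(s)).filter(Boolean).map(m => m[1]);
  const hasHash = sources.some(s => /^'sha(256|384|512)-.+'$/i.test(s));
  const keywords = sources.map(s => s.toLowerCase());
  if (nonce !== null && nonces.includes(nonce)) return { allowed: true, reason: 'nonce matches' };
  // 'unsafe-inline' is ignored once a nonce, a hash or 'strict-dynamic' is present.
  const inlineHonoured = keywords.includes("'unsafe-inline'") && nonces.length === 0 &&
    !hasHash && !keywords.includes("'strict-dynamic'");
  if (inlineHonoured) return { allowed: true, reason: "'unsafe-inline' honoured" };
  const needsToken = nonces.length > 0 || hasHash;
  return { allowed: false, reason: needsToken ? 'needs matching nonce or hash' : 'inline not allowed' };
}

// Every delivered policy (header and meta) is enforced, so all must allow the script.
function inlineScriptVerdict(policies, nonce = null) {
  const results = policies.map(p => policyAllowsInline(p, nonce));
  return { allowed: results.every(r => r.allowed), results };
}

console.log(inlineScriptVerdict([HEADER_CSP]));                        // element without a nonce
console.log(inlineScriptVerdict([HEADER_CSP, META_CSP], 'Y29uc3RydWN0ZWQ='));
```

Because every delivered policy is enforced, a stricter meta-tag policy can block an inline script that the header policy alone would accept.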

StephenLynx commented 8 months ago

unsafeWindow completely broke everything; I mention that in the OP.

> Setting "Content Script API" to "UserScripts API Dynamic" might also help.

Nothing.

> BTW, as a fallback for now: the old CSP behavior can be restored by setting 'Modify existing content security policy (CSP) headers' to 'Yes'.

Apparently this one works. I tried both with a simple test script.