Open StephenLynx opened 9 months ago
Does the page have a content security policy (CSP)? Either via HTTP header or a meta tag inside the HTML.
If so your script probably ends up being executed inside a JavaScript-mode @sandbox
, which might require cloneInto and friends for unsafeWindow property modification, because Tampermonkey does not relax CSP by default anymore.
This change helps to better comply with the Mozilla add-on development policies
The old behavior can be restored by setting 'Modify existing content security policy (CSP) headers' to 'Yes' However, one of the next releases will disable CSP relaxing entirely.
Can you share the CSP?
connect-src 'self' wss://*.torn.com wss://*.torncity.com *.torncity.com *.torn.com api.torn.com [www.google-analytics.com](chrome://devtools/content/netmonitor/www.google-analytics.com) [www.facebook.com](chrome://devtools/content/netmonitor/www.facebook.com) [accounts.google.com/gsi/log](chrome://devtools/content/netmonitor/accounts.google.com/gsi/log) [accounts.google.com/gsi/status](chrome://devtools/content/netmonitor/accounts.google.com/gsi/status) *.analytics.google.com wss://*.sendbird.com *.sendbird.com;default-src 'self';child-src 'self';frame-ancestors 'self';frame-src 'self' *.youtube.com youtube.com [www.recaptcha.net/](chrome://devtools/content/netmonitor/www.recaptcha.net/) [www.google.com/recaptcha/](chrome://devtools/content/netmonitor/www.google.com/recaptcha/) [accounts.google.com/gsi/;img-src](chrome://devtools/content/netmonitor/accounts.google.com/gsi/;img-src) * data: blob:;font-src 'self' data: fonts.googleapis.com fonts.gstatic.com;o…2NWYyNzZmNDg4ZA==' 'self' *.torn.com *.google-analytics.com [www.google.com/recaptcha/](chrome://devtools/content/netmonitor/www.google.com/recaptcha/) [www.recaptcha.net/recaptcha/](chrome://devtools/content/netmonitor/www.recaptcha.net/recaptcha/) *.googletagmanager.com bat.bing.com [www.gstatic.com/recaptcha/](chrome://devtools/content/netmonitor/www.gstatic.com/recaptcha/) [accounts.google.com/gsi/client](chrome://devtools/content/netmonitor/accounts.google.com/gsi/client) [www.gstatic.com/charts/](chrome://devtools/content/netmonitor/www.gstatic.com/charts/) 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=' 'sha256-U+5x0qCwsX+tGulrtCYIvR2cvHv88dzKyRwCO8yu7P0=';style-src 'self' *.torn.com 'unsafe-inline' fonts.googleapis.com [accounts.google.com/gsi/style](chrome://devtools/content/netmonitor/accounts.google.com/gsi/style) [www.gstatic.com/charts/;media-src](chrome://devtools/content/netmonitor/www.gstatic.com/charts/;media-src) *;base-uri 'self';worker-src 'self' blob:;
Now that you mention it, I did see some CSP errors that I didn't used to see.
Thanks, but the CSP is shortened at this point: fonts.gstatic.com;o…2NWYyNzZmNDg4ZA==
connect-src 'self' wss://*.torn.com wss://*.torncity.com *.torncity.com *.torn.com api.torn.com www.google-analytics.com www.facebook.com accounts.google.com/gsi/log accounts.google.com/gsi/status *.analytics.google.com wss://*.sendbird.com *.sendbird.com;default-src 'self';child-src 'self';frame-ancestors 'self';frame-src 'self' *.youtube.com youtube.com www.recaptcha.net/ www.google.com/recaptcha/ accounts.google.com/gsi/;img-src * data: blob:;font-src 'self' data: fonts.googleapis.com fonts.gstatic.com;object-src 'none';script-src 'nonce-MmQ3OTgyMTg5MDEzOWUzZjJiNzc0NDY4OTgwNTRiYzJiMTAzMmVjYTQ2ZDU0Y2FmMmRkMGM5YWU5YjUxOTIzNA==' 'self' *.torn.com *.google-analytics.com www.google.com/recaptcha/ www.recaptcha.net/recaptcha/ *.googletagmanager.com bat.bing.com www.gstatic.com/recaptcha/ accounts.google.com/gsi/client www.gstatic.com/charts/ 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=' 'sha256-U+5x0qCwsX+tGulrtCYIvR2cvHv88dzKyRwCO8yu7P0=';style-src 'self' *.torn.com 'unsafe-inline' fonts.googleapis.com accounts.google.com/gsi/style www.gstatic.com/charts/;media-src *;base-uri 'self';worker-src 'self' blob:;
Hmm. This CSP should allow Tampermonkey to inject the script as usual. What is the output of
console.log("GM_info.relaxedCsp", GM_info.relaxedCsp);
console.log("GM_info.sandboxMode", GM_info.sandboxMode)
if put inside the script?
GM_info.relaxedCsp auto GM_info.sandboxMode js on 5.0
First one is undefined and the second one is raw on 4.19 iirc. Also, I can't access the specific page on the website at all times, I'll get the CSP again when I'm able in a couple hours. I assume this site doesn't use different CSPs for different pages, but I rather be thorough.
And here is the CSP header for the exact page I was running my script on
connect-src 'self' wss://*.torn.com wss://*.torncity.com *.torncity.com *.torn.com api.torn.com www.google-analytics.com www.facebook.com accounts.google.com/gsi/log accounts.google.com/gsi/status *.analytics.google.com wss://*.sendbird.com *.sendbird.com;default-src 'self';child-src 'self';frame-ancestors 'self';frame-src 'self' *.youtube.com youtube.com www.recaptcha.net/ www.google.com/recaptcha/ accounts.google.com/gsi/;img-src * data: blob:;font-src 'self' data: fonts.googleapis.com fonts.gstatic.com;object-src 'none';script-src 'nonce-MmFlMTc4ODU1ZjE3MzZkNDY2NzIxNDFhMzlkODU0MWQ5ODQwOWE4MDNiMzA4YWJhZTMyZDJlZGZlOWI4ZWFhZQ==' 'self' *.torn.com *.google-analytics.com www.google.com/recaptcha/ www.recaptcha.net/recaptcha/ *.googletagmanager.com bat.bing.com www.gstatic.com/recaptcha/ accounts.google.com/gsi/client www.gstatic.com/charts/ 'sha256-QadAYyrgjUxTbrkxFK8cNeNZjk4DwoTuU1tRHShWOsU=' 'sha256-U+5x0qCwsX+tGulrtCYIvR2cvHv88dzKyRwCO8yu7P0=';style-src 'self' *.torn.com 'unsafe-inline' fonts.googleapis.com accounts.google.com/gsi/style www.gstatic.com/charts/;media-src *;base-uri 'self';worker-src 'self' blob:;
Everything was working until my browser updated TM today
Tampermonkey needs to stop (automatic) CSP relaxing to better comply with the Mozilla add-on development policies
And here is the CSP header for the exact page I was running my script on
"sandboxMode js" means that the script runs inside a FF Xray Vision sandbox, but this CSP should not stop script injection into the page. Maybe they add a meta tag with an additonal CSP?
BTW, as a fallback for now: the old CSP behavior can be restored by setting 'Modify existing content security policy (CSP) headers' to 'Yes'. Can you please check if it is working then?
Setting "Content Script API" to "UserScripts API Dynamic" might also help. Can you please check?
Also can you please have a look at #1934. Does that help when unsafeWindow
is used?
Unsafewindow completely broke everything, I mention that on the OP. "Setting "Content Script API" to "UserScripts API Dynamic" might also help." Nothing. "BTW, as a fallback for now: the old CSP behavior can be restored by setting 'Modify existing content security policy (CSP) headers' to 'Yes'." Apparently this one works. I tried both with a simple test script.
This is the meat and potatoes of my script:
window.fetch = async function(...args) { //do a bunch of stuff here };
But the actual window.fetch is never changed. Requests are performed as usual and my function is never called. And if I remove // @grant none at the start and try to use unsafeWindow, then it completely breaks. Everything was working until my browser updated TM today, on my phone it still works. I'm using firefox 102.15.0esr (64-bit) on centos 7.
Just confirmed the issue is TM 5.0, I downgraded to the previous release and everything works fine.