Closed darkrain42 closed 10 months ago
default-src 'self'; script-src 'self' 'nonce-12345678901234567890123456789012' chrome-extension: 'unsafe-inline' 'unsafe-eval' https://example.com blob:; object-src 'self' https://example.com; style-src 'self' blob: chrome-extension: 'unsafe-inline' https://example.com; img-src 'self' data: blob: https://example.com https:; media-src 'self' https://example.com blob:; frame-src blob: mailto: https://example.com https:; font-src 'self' https: data: https://example.com; connect-src 'self' https://example.com blob: https://example.com wss://example.com
The "problem" is the CSP allows `unsafe-eval`, but not `unsafe-inline`: even though it is stated there, inline scripts are forbidden because of the required nonce `nonce-12345678901234567890123456789012`.
TM 4.19.0 tries eval first and then falls back to inline scripts. This worked in many cases, because TM actively relaxed the CSP (if sent via header). CSP relaxing is kind of unwanted behavior and I reworked TM to not do it by default, while still being able to inject inline scripts if the CSP is sent via header.
In this case TM 4.19.0 is able to run the script in raw mode, because the meta tag CSP allows eval. Is this a real life CSP? It is quite unusual to allow eval, but then restrict inline scripts to use a nonce and therefore actively forbid unsafe inline scripts.
Note: Setting `Modify existing content security policy (CSP) headers` to `Yes` and enabling `Add Tampermonkey to the HTML's CSP` successfully relaxes the meta tag CSP.
So after thinking a little bit further about this I tend to close this as "not planned". Sorry.
Please use "Content Script API" "UserScripts API Dynamic" to inject the script before the meta CSP is applied or even better prepare your code to run in "js" mode.
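An added example, not code from the Tampermonkey project or from either commenter, showing the CSP rule behind the comment above: when `script-src` carries a nonce (or hash) source, `'unsafe-inline'` is ignored, so the sanitized meta-tag policy permits `eval` but forbids injected inline `<script>` elements that lack the nonce. The parser below evaluates only `script-src` (falling back to `default-src`), treats the first occurrence of a directive as authoritative as CSP does, and does not model `'strict-dynamic'` or host-source matching. `pickInjectionMode` is a hypothetical, simplified model of the "eval first, then inline, then sandbox" order described in the thread, not Tampermonkey's actual implementation; the sample policy is a shortened copy of the sanitized one posted in the issue.

```javascript
// Minimal CSP evaluator for the script-src question in this issue.
// Assumption: policies arrive as a single header/meta string, directives
// separated by ';' and source expressions by whitespace (the CSP grammar).

// Shortened copy of the sanitized policy from the issue (constructed sample).
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-12345678901234567890123456789012' " +
  "chrome-extension: 'unsafe-inline' 'unsafe-eval' https://example.com blob:; " +
  "object-src 'self' https://example.com";

// Parse into Map<directive-name, source-list>. Per CSP, if a directive name
// repeats, the first occurrence wins and later ones are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; if absent, default-src applies; if neither is
// present the policy places no restriction on scripts at all.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Answer the two questions from the thread: is eval allowed, and may an
// inline script run WITHOUT carrying the nonce?
function scriptPolicy(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) {
    return { evalAllowed: true, inlineWithoutNonceAllowed: true, nonces: [], hasNonceOrHash: false };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  const hasHash = lower.some((s) => /^'(sha256|sha384|sha512)-[^']+'$/.test(s));
  const hasNonceOrHash = nonces.length > 0 || hasHash;
  const evalAllowed = lower.includes("'unsafe-eval'");
  // CSP Level 2+: a nonce or hash source makes 'unsafe-inline' a no-op.
  const inlineWithoutNonceAllowed = lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { evalAllowed, inlineWithoutNonceAllowed, nonces, hasNonceOrHash };
}

// Hypothetical model of the injection order described in the thread
// (eval first, then a plain inline <script>, otherwise fall back to the
// extension's JavaScript sandbox). Not Tampermonkey's real code.
function pickInjectionMode(policy) {
  const p = scriptPolicy(policy);
  if (p.evalAllowed) return 'raw-eval';
  if (p.inlineWithoutNonceAllowed) return 'raw-inline';
  return 'js-sandbox';
}

// Usage: the sample policy allows eval but not un-nonced inline scripts.
console.log(scriptPolicy(SAMPLE_CSP), pickInjectionMode(SAMPLE_CSP));
```

For the sample policy the evaluator reports `evalAllowed: true` and `inlineWithoutNonceAllowed: false`, which is exactly the combination the maintainer calls unusual: a page that is happy with `eval` but insists on a nonce for inline script elements. A policy with `'unsafe-inline'` and no nonce yields the inline path, and a nonce-only policy yields the sandbox fallback.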
> Is this a real life CSP? It is quite unusual to allow eval, but then restrict inline scripts to use a nonce and therefore actively forbid unsafe inline scripts.
Yeah. That's the CSP policy for a Salesforce Lightning domain ("blah.lightning.force.com"), at least the one I deal with. I sanitized all the actual hostnames / nonce values, but otherwise preserved the structure of the meta tag.
> Please use "Content Script API" "UserScripts API Dynamic" to inject the script before the meta CSP is applied or even better prepare your code to run in "js" mode.
Alright. Thanks for taking a look!
Expected Behavior
TM 5.0 is unable to inject successfully in a 'raw' sandbox mode for pages that define a CSP via a meta header, and always falls back to the Javascript sandbox. For the same page with the same userscript, TM 4.19 has no issues even if I turn off Tampermonkey's modifications of the CSP header ("Modify existing content security policy (CSP) headers").
This is similar to #1934, except that I've never had to configure the "Instant Injection" setting for this userscript. It's possibly a duplicate of #1919
I (and my users) started seeing this problem with the official release of TM 5.0, but my testing for filing this bug report was done with the Beta build (5.0.6191).
Actual Behavior
In a fresh Firefox profile, these get a "raw" sandbox:
These see a Javascript sandbox, and page content has trouble accessing the things I'm overriding:
For testing purposes, I consider the test a pass if:
(Things do work if I rewrite using `exportFunction` and `cloneInto`.)
Specifications
Script
The content of the page I'm testing with is reproduced below.