Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

[✅Partially solved] [FF] Microsoft Teams v2 (new) CSP issue #2027

Open rRobis opened 5 months ago

rRobis commented 5 months ago

I'm trying to inject a script with an eval(), but I get this error:

Content-Security-Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent.

If I try a console log from Tampermonkey before evaling this, the console logs seem to be working.

The most confusing thing is that sometimes the whole script works, and sometimes it doesn't. I refresh a bunch of times and sometimes it works, but it's very annoying.

I'm using the latest TM Beta with the latest FF 124.0.2 (64-bit)

Site: https://teams.microsoft.com/v2/

Script :

(()=>{
    const e="http://127.0.0.1:8080/GRobeTeamsBundle";
    const t=e=>{if(200===e.status&&e.responseText){eval(e.responseText)}else{console.error("Error loading Node.JS Script:",e.statusText)}};
    const n=()=>{GM_xmlhttpRequest({method:"GET",url:e,onload:t,onerror:t})};
    document.addEventListener("DOMContentLoaded",n)
})();

I tried to remove CSP entirely, but the problem still remains.
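
The console message quoted in the post above uses Firefox's wording for a report-only policy ("observed ... A CSP report is being sent"), which logs a violation without blocking the load. The sketch below is an added example, not part of the thread or of Tampermonkey's code; it separates enforced from report-only outcomes for the eval, inline and `src`-URL loads discussed here, and its header values and function names are assumptions made for illustration.

```javascript
// Added example; header values are constructed samples, not the real Teams policy.
// Parse a policy string into Map(directive -> sources); the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Simplified matcher: kind is 'eval', 'inline' or 'url' (URLs compared by origin only).
function permits(directives, kind, url, pageOrigin) {
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  if (kind === 'eval') return sources.includes("'unsafe-eval'");
  if (kind === 'inline') {
    // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
    const strict = sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
    return sources.includes("'unsafe-inline'") && !strict;
  }
  const target = new URL(url);
  return sources.some((s) =>
    (s === "'self'" && target.origin === pageOrigin) ||
    s === target.protocol || // scheme source such as https:
    s === target.origin || // exact origin such as https://cdn.example
    (s === '*' && /^https?:$/.test(target.protocol)));
}

// headers: { enforce, reportOnly }, each a policy string or null.
// Returns 'blocked', 'reported' (the script runs but a report is sent) or 'allowed'.
function verdict(headers, kind, url, pageOrigin) {
  const violates = (p) => p && !permits(parsePolicy(p), kind, url, pageOrigin);
  if (violates(headers.enforce)) return 'blocked';
  if (violates(headers.reportOnly)) return 'reported';
  return 'allowed';
}

// Constructed sample: a loose enforced policy plus a stricter report-only one.
const sample = {
  enforce: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:",
  reportOnly: "script-src 'self' 'nonce-r4nd0m'; report-uri /csp-report",
};
const page = 'https://teams.microsoft.com';
console.log(verdict(sample, 'inline', null, page)); // reported
console.log(verdict(sample, 'url', 'http://127.0.0.1:8080/GRobeTeamsBundle', page)); // blocked
```

A 'reported' verdict means the violation shows up in the console while the script still runs, so the policy to inspect when a load actually fails is the enforced `Content-Security-Policy` header, not the report-only one.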

7nik commented 5 months ago

What's wrong with using a more simple GM_addElement?

GM_addElement('script', {
  src: 'https://example.com/script.js',
  type: 'text/javascript'
});

rRobis commented 5 months ago

What's wrong with using a more simple GM_addElement?

GM_addElement('script', {
  src: 'https://example.com/script.js',
  type: 'text/javascript'
});

I never tried it like that. It seems that it works better (although it still throws the CSP report error).

But now I have a different problem: the injected scripts give a "ReferenceError: GM_addStyle is not defined" error, although I have it granted in the header.

// ==UserScript==
// @name         GRobe™ Teams
// @namespace    GRobe
// @version      0.1
// @description  GRobe™
// @author       You
// @match        https://teams.microsoft.com/*
// @grant        GM_xmlhttpRequest
// @grant        GM_addElement
// @grant        GM_addStyle
// ==/UserScript==

So it seems that it just includes it as normal script, but it's out of TM context.

rRobis commented 5 months ago

OK, I somewhat managed to get rid of the GM_addStyle from my script, and the workaround with GM_addElement works in this case. But if there would be a need to use GM_addStyle or other GM functions, it would not work.

I will leave it as open for now, maybe it could be fixed.

@7nik Thanks

7nik commented 5 months ago

If your script link is static, you can use even more simple // @require https://example.com/script.js and the script will have access to the GM API.

rRobis commented 5 months ago

If your script link is static, you can use even more simple // @require https://example.com/script.js and the script will have access to the GM API.

That one I knew about, but I'm using this method because I update the script very often and I have to refresh the page 2 or 3 times for changes to be visible. (I guess that's why you said that it's for static ones.)

With this injection type it imports fresh each time.

Thanks for the tips.

7nik commented 5 months ago

Have you tried TamperDAV for it?

rRobis commented 5 months ago

I think I barely tried it a long time ago, but I don't remember what I didn't like.

For now I have a Node.JS server that I use to pack multiple .js files into one script that gets served to the route. It also has some other things, like sockets.io etc., that I use to make advanced scripts.

This way I can keep the project organized into separate files without having to overburden one file with over 10000 lines.