Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

GM_setElement to circumvent site's CSP on an existing element? #2053

Open tophf opened 3 months ago

tophf commented 3 months ago

Many sites use CSP to forbid setting unknown values in attributes like src and even forbid the inline style attribute entirely (Mastodon and derivative sites), which userscripts can circumvent via GM_addElement.

Problem 1 is that GM_addElement can't change an existing element, so userscripts have to call GM_addElement to create a new element and replace the original, which can be problematic as it resets the state or even redownloads the content, e.g. in case we need to change a forbidden style on video or iframe in a site like Mastodon.

Problem 2 is that userscripts can't just set src on an element returned by GM_addElement, because to circumvent CSP the attribute must be set inside the JS world of the extension.

Proposing something like GM_setElement(elem, {attr1: val1, ....}). For convenience of chaining it can return the original element.

CC: @erosman for FireMonkey.

erosman commented 3 months ago

Can the issue be tackled from a different angle e.g. a GM_getElement that would get the element and then the user can do whatever they want with the element?

tophf commented 3 months ago

It can't because the attribute must be set in the JS world of the extension. I've updated the description.

Maxwelline commented 3 weeks ago

Just from a user perspective, TM can solve most CSP blocking issues by setting "Modify existing content security policy (CSP) headers:" to "Remove entirely (possibly unsecure)".

tophf commented 3 weeks ago

> Remove entirely (possibly unsecure).

It's definitely insecure.
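As background to the thread, an added example (not from any commenter and not Tampermonkey code) that checks whether a given Content-Security-Policy value blocks arbitrary inline style attributes, following the CSP3 fallback chain style-src-attr, style-src, default-src. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: does a CSP header value allow arbitrary inline style="" attributes?
// Constructed sample policies; none is taken from a real site.
const SAMPLE_POLICIES = [
  "default-src 'none'; style-src 'self' https://cdn.example",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline'; style-src-attr 'none'",
];

// Split a header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Returns { allowed, directive }: whether any inline style attribute is
// permitted, and which directive made the decision (null if none applies).
// 'unsafe-hashes' with a hash can still permit one specific attribute value;
// that per-value case is reported here as "not allowed in general".
function inlineStyleAttrVerdict(header) {
  const policy = parseCsp(header);
  const directive = ['style-src-attr', 'style-src', 'default-src']
    .find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null };
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  // A nonce or hash source makes the browser ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s));
  const allowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { allowed, directive };
}

for (const p of SAMPLE_POLICIES) {
  const v = inlineStyleAttrVerdict(p);
  console.log(`${v.allowed ? 'allowed' : 'blocked'} by ${v.directive}: ${p}`);
}
```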