Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

[Firefox] seems specially crafted CSP rules make Tampermonkey scripts fail to run #418

Closed. rand256 closed this 6 years ago

rand256 commented 7 years ago

I've found a site where the simplest script just completely fails to run.

Example userscript:

// ==UserScript==
// @name         godvillegame
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  try to take over the world!
// @author       You
// @match        https://godvillegame.com/
// @grant        none
// ==/UserScript==

(function() {
    'use strict';
    // Your code here...
    console.log('asdf');
})();

Here's what is written to the browser console log:

> Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified  (unknown)
> Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.  (unknown)
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' 'unsafe-inline' https://godvillegame.com 'sha256-gfxb2zFv/yoINJHakyev+mQ0L6bEJ2nYlyoGOsl0GF4=' 'sha256-hzbYwosVtrs+58f6nBH0OWtcXDMPRup0StaR4boJv84=' 'sha256-9WMiX3LBTYJXnZojDLczdoRQ7wLa7WNnGHrRCxWFXcQ=' 'sha256-xja5o6I4Fp5n1IA4D2R4iG/HgUK4unuqkP/49L2c7IM=' http://ajax.aspnetcdn.com https://ajax.aspnetcdn.com https://www.google.com https://www.gstatic.com http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com http://connect.facebook.net https://connect.facebook.net https://graph.facebook.com”). Source: (function(a,r,n,G){var c={safeWindow:{},.... godvillegame.com:1
> content: normal start event processing for 10cd3590-d37d-4cf8-b88c-dda0404fbce6 (1 to run)  content.js:26:193
> content: Start ENV normally 10cd3590-d37d-4cf8-b88c-dda0404fbce6   content.js:12:441
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' 'unsafe-inline' https://godvillegame.com 'sha256-gfxb2zFv/yoINJHakyev+mQ0L6bEJ2nYlyoGOsl0GF4=' 'sha256-hzbYwosVtrs+58f6nBH0OWtcXDMPRup0StaR4boJv84=' 'sha256-9WMiX3LBTYJXnZojDLczdoRQ7wLa7WNnGHrRCxWFXcQ=' 'sha256-xja5o6I4Fp5n1IA4D2R4iG/HgUK4unuqkP/49L2c7IM=' http://ajax.aspnetcdn.com https://ajax.aspnetcdn.com https://www.google.com https://www.gstatic.com http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com http://connect.facebook.net https://connect.facebook.net https://graph.facebook.com”). Source: onfocusin attribute on DIV element.  godvillegame.com
> content: detected DOMContentLoaded 10cd3590-d37d-4cf8-b88c-dda0404fbce6   content.js:10:46
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' 'unsafe-inline' https://godvillegame.com 'sha256-gfxb2zFv/yoINJHakyev+mQ0L6bEJ2nYlyoGOsl0GF4=' 'sha256-hzbYwosVtrs+58f6nBH0OWtcXDMPRup0StaR4boJv84=' 'sha256-9WMiX3LBTYJXnZojDLczdoRQ7wLa7WNnGHrRCxWFXcQ=' 'sha256-xja5o6I4Fp5n1IA4D2R4iG/HgUK4unuqkP/49L2c7IM=' http://ajax.aspnetcdn.com https://ajax.aspnetcdn.com https://www.google.com https://www.gstatic.com http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com http://connect.facebook.net https://connect.facebook.net https://graph.facebook.com”). Source: if (!window.c_loaded){ window.c_load....  godvillegame.com:161

All addon settings are at defaults (except debug level). Any ideas how to fix it?

derjanb commented 7 years ago

Normally a page's CSP should not interfere with extensions, but that's the case in Firefox. That's why TM needs to work around this, and unfortunately there is a bug. 🙄😁

Will be fixed at the next beta version at the development channel.

Tanookirby commented 7 years ago

I have tested a script on the beta version on both Firefox and Chrome. It is called Autopagerize, and there are certain sites that won't work on it even on beta.

The script: https://greasyfork.org/en/scripts/28887-autopagerize-modified-by-blademight

Sample site: http://esoaparte.com/paella_01.html

derjanb commented 7 years ago

@Tanookirby I'm sorry, but your issue is not related to CSP, but a script issue. It's not even working with Greasemonkey at the mentioned page. Please ask the script author for a fix.

Tanookirby commented 7 years ago

The author has fixed the issue. There is, however, another issue with sites such as https://addons.mozilla.org/en-US/firefox/extensions/?sort=hotness . In Firefox, the Autopagerize script will work on Greasemonkey but not on Tampermonkey. Because I thought this would be a CSP issue, I tested it with Tampermonkey Beta, which was said to solve the problem; and it still won't work.

tophf commented 7 years ago

@Tanookirby, WebExtensions can't run on AMO, the browser explicitly forbids that. Just like Chrome with its own web store.

Lartza commented 7 years ago

Firefox 57.0a1, Tampermonkey 4.4.5533beta and AAK-Cont (uBlock Origin version) cause Nextcloud to be unable to load its scripts.

Content Security Policy: The page's settings blocked the loading of a resource at https://sub.domain.com/core/vendor/core.js?v=9b6cd8b2827567b5f7aedce892bbb054-10 ("script-src 'unsafe-inline' 'unsafe-eval'").

Disabling AAK-Cont in Tampermonkey or disabling "Add Tampermonkey to the site's content security policy (CSP) if there is one" fixes script loading in NC.

derjanb commented 7 years ago

@Lartza Fixed. Please check the latest version from the development channel.

Lartza commented 7 years ago

@derjanb Can confirm 4.4.5546beta fixes the issue :) Thank you

Eeems commented 7 years ago

I'm on the latest version in the development channel and I'm getting CSP errors. I'm running Firefox Nightly build 57.0a1 (2017-09-01) (64-bit). Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://vandiepen.ca 'unsafe-eval' 'nonce-NTlhOTg1MGZkNzc2NA=='”). Source: (function(a,q,n,A){var c={safeWindow:{},.... Could it be due to the nonce? I don't currently have the site live to give you a proper test case, but if it's required I can do so.

derjanb commented 7 years ago

@Eeems Hi, this is due to a known bug in Firefox. However, it should not break anything. If this log message bothers you, you can set "Config mode" to "Advanced" and then "Inject Mode" to "Instant" to workaround this issue.

fireattack commented 6 years ago

@derjanb it does break some scripts, not just logs. for example:

  1. Install this userscript: https://greasyfork.org/en/scripts/30358-itunes-cover-caption-image-links/code
  2. Open https://itunes.apple.com/us/album/reputation/1274999981

This script is supposed to add a link on "x songs" that leads to the large-size cover art:

[screenshot]

It doesn't work in Firefox unless I change to instant inject mode.

derjanb commented 6 years ago

Fixed at the most recent beta version: 4.5.5637beta

fireattack commented 6 years ago

I think it may already be known to you, but I still encounter the CSP problem on Firefox occasionally on beta 4.6.5694.

The script is this one I wrote myself: https://github.com/fireattack/scripts/blob/master/itunes_cover_art_click_to_show_original.user.js

Test page: https://itunes.apple.com/jp/album/the-idolm-ster-live-the-ter-performance-01-single/1125337612

Warnings from console:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: call to eval() or related function blocked by CSP. 1125337612:11
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: window["__u__1935881.4830085929"] = func.... 1125337612:1

Edit: manually changing to "instant" inject mode fixes it. So basically the same status as I mentioned before at https://github.com/Tampermonkey/tampermonkey/issues/418#issuecomment-348105082

fireattack commented 6 years ago

On a side note, I sometimes can even reproduce this bug on Chrome (albeit ver. 4.5):

[screenshot]

But normally refreshing the page fixes it (unlike Firefox, which consistently errors). I have no idea why, though.

derjanb commented 6 years ago

Hi, the fix for this issue broke many pages. Therefore it's now an experimental config option until the used Firefox API becomes stable.

Please set "Config Mode" to "Advanced" and scroll down to the "Experimental" section and now please change "Add Tampermonkey to the sites content CSP" to "Yes". This should fix at least the Firefox issue, but as I said, depending on your Firefox version, it might also break some pages.

raszpl commented 6 years ago

Chrome (Vivaldi), Tampermonkey 4.5 (also beta 4.6.5752), "Add Tampermonkey to the sites content CSP" set to "Yes".

https://www.hltv.org/blog/13538/cheating-on-professional-level-of-csgo
https://github.com/elundmark/Convert-Youtube-Embeds-to-Image-Links-UserScript

My script does document.location.replace("data:text/html;utf8,"+encodeURIComponent(iframeHtml));

Refused to frame 'data:text/html;utf8,%3C!DOCTYPE%20html%3E%3Chtml%20style%3D'margin%3A0!important%3Bpadding%3A0!important%3Boverflow%3Ahidden!important%3B'%3E%3Chead%3E%3Cmeta%20charset%3D'utf-8'%3E%3Cmeta%20name%3D'viewport'%20content%3D'width%3Ddevice-width%2C%20initial-scale%3D1'%3E%3Ctitle%3EPrOverwatch%20%23002%3A%20shox%20-%20YouTube%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%20style%3D'margin%3A0!important%3Bpadding%3A0!important%3Bbackground%3A%23FFF%3Boverflow%3Ahidden!important%3B'%3E%3Ca%20href%3D%22magnet3%3Ahttps%3A%2F...e-space%3Anowrap!important%3Btext-overflow%3Aellipsis!important%3Bborder-bottom%3A1px%20solid%20%23000000!important%3B%22%3E%3Cem%20style%3D%22font-style%3A%20normal%20!important%3B%20color%3A%20rgba(255%2C%20255%2C%20255%2C%200.8)%20!important%3B%22%3E2%3A07%20%20%3C%2Fem%3EPrOverwatch%20%23002%3A%20shox%3Cem%20style%3D%22font-style%3A%20normal%20!important%3B%20color%3A%20rgba(255%2C%20255%2C%20255%2C%200.8)%20!important%3B%22%3E%20-%20140%20views%3C%2Fem%3E%3C%2Fa%3E%3C%2Fa%3E%3C%2Fbody%3E%3C%2Fhtml%3E' because it violates the following Content Security Policy directive: "frame-src *".

EDIT: never mind, read some more and CSP is a mess. I just switched from injecting DATA: blob to modifying iframe directly :/

var doc = document.getElementsByTagName('html')[0];
// Rewrite the embed document in place instead of navigating it to a data: URL
doc.getElementsByTagName('head')[0].innerHTML = "<title>Example</title>";
doc.getElementsByTagName('body')[0].innerHTML = "<p>This is an example.</p>";

mikhoul commented 6 years ago

@derjanb Just a quick question. I'm new to TM; I was using GM with Firefox but I'm migrating to Chromium, and I'd like to know what the most efficient CSP setting is for Chrome/Chromium.

[screenshot]

My understanding is that with the security setting set to yes, TM injects headers to allow userscripts on pages like Github.com, since Firefox doesn't respect the standard for CSP and scripts. If my understanding is correct, this setting is mainly for Firefox, and Chrome/Chromium users should set it to "NO" to avoid the useless overhead of adding/injecting headers to allow userscripts with Chromium.

Could you confirm or refute my assumptions?


One more extra question: if I import my userscripts with a zip file, will the settings of userscripts that use the DB be imported too?

Like here, where I have a lot of sites saved over the years in my userscripts:

[screenshot]

Regards

Hapstyx commented 6 years ago

For some reason disabling uBlock Origin on the page seems to be a workaround, at least it solves this issue for me, even when using Tampermonkey's default settings (Windows 7 64bit, Firefox 60.0.1, Tampermonkey v4.6.5757).

derjanb commented 6 years ago

My understanding is that with the security setting set to yes, TM injects headers to allow userscripts on pages like Github.com, since Firefox doesn't respect the standard for CSP and scripts. If my understanding is correct, this setting is mainly for Firefox, and Chrome/Chromium users should set it to "NO" to avoid the useless overhead of adding/injecting headers to allow userscripts with Chromium.

@mikhoul Even if scripts in Chrome should work with this option set to "No", it's better to keep it on, because it simplifies the script injection.

If I import my userscripts with a zip file, will the settings of userscripts that use the DB be imported too?

If the zip was created by Tampermonkey: yes.

derjanb commented 6 years ago

For some reason disabling uBlock Origin on the page seems to be a workaround, at least it solves this issue for me, even when using Tampermonkey's default settings (Windows 7 64bit, Firefox 60.0.1, Tampermonkey v4.6.5757).

@Hapstyx Edit: never mind, I can reproduce this now.

Hapstyx commented 6 years ago

@derjanb I use the default configuration and filters, though it seems to be caused by EasyList and not uBlock filters. Also works on Ubuntu 18.04 and Debian stretch with both Firefox Nightly and Firefox Developer Edition

one-github commented 6 years ago

Is there an unstable version for Safari as well? I use 4.6.5757 on Safari and also (still?) have this issue... I cannot seem to find the configuration option "Add Tampermonkey to the sites content CSP".

derjanb commented 6 years ago

@one-github Safari does not support web request modification which is required to modify the CSP. :(

one-github commented 6 years ago

@derjanb Does this mean this issue will not be solvable for Safari?

derjanb commented 6 years ago

@one-github Please see #296

derjanb commented 6 years ago

For some reason disabling uBlock Origin on the page seems to be a workaround

@Hapstyx Should be fixed at TM BETA 4.7.5788 (http://tampermonkey.net/index.php?browser=firefox)

jsamr commented 6 years ago

@derjanb Someone on this Bugzilla ticket suggested using the contentScripts API to bypass this restriction.

Can't you use the contentScripts API¹? ¹ https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts

derjanb commented 6 years ago

Someone on this Bugzilla ticket suggested using the contentScripts API to bypass this restriction.

That wouldn't help. Maybe Bugzilla ticket 1353468 will be a solution.

Arthaey commented 4 years ago

So 1353468 was marked as a dupe of Bugzilla ticket 1437098, which looks done or nearly so!

It looks like we should be able to use the new userScripts API: overview and example docs are available. (Verify in about:config that extensions.webextensions.userScripts.enabled is true.)

My Tampermonkey userscripts keep breaking because of CSP errors, so it would be awesome if it could move to the userScripts API. :)

satnatantas commented 4 years ago

@Arthaey "Closing as resolved-fixed, because as mentioned in comment 29 the API has been already enabled by default" - am I right that Tampermonkey now needs to use that API? Asking because I am still getting CSP errors.

alexolog commented 4 years ago

I am getting CSP errors as well, and scripts fail.

dlenski commented 4 years ago

@alexolog, I had to update from 4.10.6105 to 4.11.6114 and then completely clear the Firefox cache in order to fix an issue with userscripts not running on CSP-secured pages.

https://www.tampermonkey.net/changelog.php?version=4.11.6114&ext=fire&updated=true&old=4.10.6105&intr=true

[screenshot]

alexolog commented 4 years ago

Clearing the cache seems to have been the missing ingredient.

alexolog commented 4 years ago

Too quick to post. FF dev updated itself to 78.0b6 and now none of my scripts run on Google unless I disable CSP globally.

I am running the 4.11.6114 beta

Example page: https://www.google.com/search?tbm=isch&q=cat&tbs=imgo:1

Sample scripts that fail to run:

Errors in the log:

Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified

GreaseMonkey works.