Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

CSP blocking firebase cloud firestore #817

Closed AdrianLech closed 4 years ago

AdrianLech commented 4 years ago

Hi, I made a profile scraper and auto window.close/message for LinkedIn for my HR people to speed up their work. Today I tried to add a Firebase Firestore to make sure that they don't message the same people from different accounts (nobody likes spam, right?). Currently I'm being blocked by LinkedIn's CSP when trying to make a call to Firebase like so:

```javascript
// These two lines belong in the // ==UserScript== header block;
// they load the Firebase SDK into the userscript sandbox.
// @require      https://www.gstatic.com/firebasejs/7.4.0/firebase-app.js
// @require      https://www.gstatic.com/firebasejs/7.4.0/firebase-firestore.js

// Placeholder project config.
firebase.initializeApp({
  apiKey: '1',
  authDomain: 'a.firebaseapp.com',
  projectId: 'a'
});

var db = firebase.firestore();

// The read below is what triggers the blocked request (XHR to firestore.googleapis.com).
db.collection("touchedUsers").get().then((querySnapshot) => {
    querySnapshot.forEach((doc) => {
        console.log(`${doc.id} => ${JSON.stringify(doc.data())}`);
    });
});
```


I managed to bypass that with some disable-CSP extension for Chrome, but I don't really want the HR people to run that extension. Do you have any better ideas?

trlkly commented 4 years ago

Might be the same bug I mentioned in #776. I had to use the same addon for disqus.com, whether it is embedded in an iframe or loaded in a separate window.

It doesn't seem to matter one bit what the content is in the script, if so. The CSP is just preventing any script from working. (Note that I have instant injection turned on, if that is relevant.)

derjanb commented 4 years ago

Firebase makes a non-privileged XHR request which is forbidden by the page. You can try to overwrite XMLHttpRequest by having a local copy via

```javascript
var GM_XHR = function() { ... };
var XMLHttpRequest = GM_XHR;
```

before firebase.initializeApp.

The content of GM_XHR can be taken from here: https://gist.github.com/derjanb/10961253

Please note that it's not a good idea to do something like

```javascript
unsafeWindow.XMLHttpRequest = GM_XHR
```

because this will make the GM_XHR visible to the page.
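As an added example (not from this thread or the linked gist), here is a minimal XMLHttpRequest-shaped shim over GM_xmlhttpRequest of the kind the comment above describes, written so the transport is injected and can be exercised offline; the GM_xmlhttpRequest argument and response shape is assumed from Tampermonkey's API, and the shim is deliberately kept in the sandbox scope rather than placed on unsafeWindow.

```javascript
// Added example: an XMLHttpRequest-shaped shim over GM_xmlhttpRequest, so a library's
// XHR calls use the extension's privileged transport instead of the page's CSP-bound one.
// Assumed API shape: GM_xmlhttpRequest({method, url, headers, data, onload, onerror}),
// where onload receives {status, statusText, responseText, responseHeaders}.
const safeJson = (text) => { try { return JSON.parse(text); } catch { return null; } };
function makeGmXhr(gmRequest) {
  return class GM_XHR {
    constructor() {
      this.readyState = 0; this.status = 0; this.statusText = '';
      this.responseText = ''; this.response = null; this.responseType = '';
      this.onreadystatechange = null; this.onload = null; this.onerror = null;
      this._reqHeaders = {}; this._respHeaders = ''; this._aborted = false;
    }
    open(method, url) { this._method = method; this._url = url; this._setState(1); }
    setRequestHeader(name, value) { this._reqHeaders[name] = value; }
    getAllResponseHeaders() { return this._respHeaders; }
    getResponseHeader(name) {
      // Headers arrive as one "Name: value\r\n..." string; look up case-insensitively.
      const line = this._respHeaders.split(/\r?\n/)
        .find((l) => l.toLowerCase().startsWith(name.toLowerCase() + ':'));
      return line ? line.slice(line.indexOf(':') + 1).trim() : null;
    }
    abort() { this._aborted = true; this._setState(0); }
    send(body) {
      gmRequest({
        method: this._method, url: this._url, headers: this._reqHeaders,
        data: body == null ? undefined : body,
        onload: (r) => {
          if (this._aborted) return;
          this.status = r.status; this.statusText = r.statusText || '';
          this.responseText = r.responseText; this._respHeaders = r.responseHeaders || '';
          this.response = this.responseType === 'json' ? safeJson(r.responseText) : r.responseText;
          this._setState(4);
          if (typeof this.onload === 'function') this.onload();
        },
        onerror: (e) => {
          if (this._aborted) return;
          this.status = 0; this._setState(4);
          if (typeof this.onerror === 'function') this.onerror(e);
        },
      });
    }
    _setState(s) { this.readyState = s; if (typeof this.onreadystatechange === 'function') this.onreadystatechange(); }
  };
}
// In the userscript (with // @grant GM_xmlhttpRequest) shadow the name only in the sandbox
// scope, never on unsafeWindow:   const XMLHttpRequest = makeGmXhr(GM_xmlhttpRequest);
```

The shim covers the subset of the XHR interface (open/setRequestHeader/send/abort, readyState, status, response headers, onload/onerror) a typical SDK touches; addEventListener-style listeners are not implemented.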

625781186 commented 4 years ago

@AdrianLech Hi, I have the same question. Have you solved the problem?

AdrianLech commented 4 years ago

@625781186 I just used a Chrome extension that disables CSP altogether in a browser (on a VM for security). The solution proposed above didn't work for me.

625781186 commented 4 years ago

> @625781186 I just used a Chrome extension that disables CSP altogether in a browser (on a VM for security). The solution proposed above didn't work for me.

I also tried a Chrome extension. The original script is injected directly into the interface in Tampermonkey, but in Chrome it works on the HTML of the Chrome plug-in, and we need to write the injection steps ourselves; too much trouble.

trlkly commented 4 years ago

@625781186 My CSP problems were different, but maybe my solution will help.

I actually had to set "Add Tampermonkey to the site's content security policy (CSP) if there is one" to "NO".

I don't know why it worked, but it did. I have not had any more CSP problems since then.


625781186 commented 4 years ago

> @625781186 My CSP problems were different, but maybe my solution will help.
>
> I actually had to set "Add Tampermonkey to the site's content security policy (CSP) if there is one" to "NO".
>
> I don't know why it worked, but it did. I have not had any more CSP problems since then.

Sorry, it doesn't work for me. You can add // @include http* to Tampermonkey and browse github.com. I tested some websites where the CSP problem does not occur when I use Firebase.

trlkly commented 4 years ago

No, it looks like it made it worse. That error means that you were unable to insert your JavaScript into the page at all.

That said, you could try adding the following addon and then clicking the button to turn it on: https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden?hl=en

On Fri, Jan 24, 2020 at 12:47 PM 625781186 notifications@github.com wrote:

> > @625781186 https://github.com/625781186 My CSP problems were different, but maybe my solution will help.
> >
> > I actually had to set "Add Tampermonkey to the site's content security policy (CSP) if there is one" to "NO".
> >
> > I don't know why it worked, but it did. I have not had any more CSP problems since then.
>
> Thanks, it does work! But another mistake occurred: https://user-images.githubusercontent.com/30521429/73095192-fcbb7800-3f1c-11ea-9c12-81fc95e0e388.png I used Webpack.

625781186 commented 4 years ago

> No, it looks like it made it worse. That error means that you were unable to insert your JavaScript into the page at all.
>
> That said, you could try adding the following addon and then clicking the button to turn it on: https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden?hl=en

Ha, this plugin is great!