Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

"Add Tampermonkey to the site's content CSP" breaks page content #957

Open Owyn opened 4 years ago

Owyn commented 4 years ago

step 1) have only TM extension installed on Firefox 77

step 2) have at least one script which runs at document-start

step 3) upon opening any tab there's a good chance it'd load up empty or corrupted (the more scripts you have the bigger the chance - so about 50%+ if you have 3+ scripts)

e.g. you go to https://www.reddit.com/ and click top-left reddit link to itself to https://www.reddit.com/ and open 10 new tabs with it - and see just some of them loading correctly

Expected Behavior

it should work fine

Actual Behavior

it doesn't

Specifications

Script

(Please give an example of the script if applicable.)

// ==UserScript==
// @name         New Userscript
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  try to take over the world!
// @author       You
// @match        https://www.reddit.com/
// @grant        none
// @run-at       document-start
// ==/UserScript==

(function() {
    'use strict';

    // Your code here...
    console.log("test");
})();

test website: https://www.reddit.com/

screens: [4 images]

problem happens on all sites, not just reddit obviously

Owyn commented 4 years ago

edit: Factory reset in TM helps, but I lose all my scripts and their settings :-( Could you take a look at my backup and see what broke during the Firefox upgrade?

I used zip export and deleted scripts from inside, leaving only Tampermonkey.global.json, and it seems importing it back after factory reset brings the problem back again, so the fault is there

here's that faulty file:

{
    "script_blacklist_server": [
    {
        "severity": "2"
        , "rules": ["/https?:\\/\\/userscripts\\.org\\/scripts\\/(source|version)/(102614).*\\.user\\.js/"]
    }
    , {
        "name": "SaveFrom.net helper"
        , "severity": "3"
        , "rules": ["/https?:\\/\\/sf-addon\\.com\\/.*\\/.*\\.user\\.js/", "/https?:\\/\\/.*\\.sf-helper\\.com\\/.*\\.user\\.js/"]
        , "reason": "Shows advertisements"
    }
    , {
        "severity": "8"
        , "reasons":
        {
            "en": "Used for a phishing compain to compromise users of baon-nutrition.com"
        }
        , "rules": ["/https?:\\/\\/files\\.ulysse\\.travel\\/.*\\.user\\.js/"]
    }]
    , "enabled": true
    , "layout": "default#dark"
    , "layout_user_css": ""
    , "notification_showUpdate": "changelog"
    , "favicon_service": "google"
    , "configMode": 100
    , "webrequest_fixCSP": "yes"
    , "webrequest_modHeaders": "yes"
    , "script_file_access": "off"
    , "external_connect": "all"
    , "require_sri_mode": "supported"
    , "connect_mode": "ask"
    , "page_filter_mode": "black"
    , "page_whitelist": ["/https?:\\/\\/greasyfork\\.org\\/.*/"]
    , "forbiddenPages": ["*example.org/*", "*paypal.tld/*", "*stripe.com/*", "/^.*:\\/\\/apis\\.google\\.com\\/((?!render)([^\\/]+)\\/)+([^\\/]+)?$/", "*://www.facebook.com/plugins/*", "*://platform.twitter.com/widgets/*"]
    , "action_menu_scripts_hide_disabled": false
    , "action_menu_columns": "1"
    , "action_menu_scripts_sort": "auto"
    , "appearance_badges": "running"
    , "appearance_badge_color": "#696969"
    , "i18n": "en"
    , "webrequest_fixContentCSP": "yes"
    , "runtime_inject_mode": "default"
    , "appearance_badge_text_color": "#ffffff"
}

derjanb commented 4 years ago

It is most likely caused by the experimental content CSP setting.

Owyn commented 4 years ago

You're right, it's CSP setting breaking pages :-(

Now there's 100% no way to work on those, even with HTTPS Everywhere disabled

derjanb commented 4 years ago

Just to be sure: "Add Tampermonkey to the site's content CSP" ("webrequest_fixContentCSP") can break pages, while "Add Tampermonkey to the site's content security policy (CSP) if there is one" ("webrequest_fixCSP") should not.

Owyn commented 4 years ago

Yes, except the safe option webrequest_fixCSP does not work on CSP sites (like Google Images or GitHub); not sure if the 1st one, webrequest_fixCSP, even does anything in Firefox

derjanb commented 4 years ago

Yes it does, at least in the latest beta. https://github.com/Tampermonkey/tampermonkey/issues/952#issuecomment-638373937 :-(

derjanb commented 2 years ago

Please disable all CSP modification and try the fix mentioned here: https://github.com/Tampermonkey/tampermonkey/issues/1186#issuecomment-1151485354
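
Added example (not part of the thread and not Tampermonkey's code): a small Node.js check that reads an exported Tampermonkey.global.json and reports whether the two CSP options named in the comments above are switched on. The key names and the "yes" value are taken from the file quoted in this issue; treating only "yes" as enabled is an assumption, and the function names are hypothetical.

```javascript
// Setting keys and labels as quoted in this issue; notes paraphrase the maintainer.
const CSP_SETTINGS = {
  webrequest_fixContentCSP: {
    label: "Add Tampermonkey to the site's content CSP",
    note: "can break pages",
  },
  webrequest_fixCSP: {
    label: "Add Tampermonkey to the site's content security policy (CSP) if there is one",
    note: "should not break pages",
  },
};

// Returns one finding per known CSP setting with state enabled / absent / other.
function auditCspSettings(jsonText) {
  let settings;
  try {
    settings = JSON.parse(jsonText);
  } catch (err) {
    throw new Error(`not valid JSON: ${err.message}`);
  }
  if (settings === null || typeof settings !== "object" || Array.isArray(settings)) {
    throw new Error("expected a JSON object of settings");
  }
  return Object.entries(CSP_SETTINGS).map(([key, info]) => {
    const present = Object.prototype.hasOwnProperty.call(settings, key);
    const value = present ? settings[key] : undefined;
    // Assumption: only "yes" is known (from this issue) to mean "on";
    // any other value is reported as-is instead of being interpreted.
    const state = !present ? "absent" : value === "yes" ? "enabled" : "other";
    return { key, state, value, label: info.label, note: info.note };
  });
}

// True when the export still has any CSP modification switched on.
function hasCspModification(jsonText) {
  return auditCspSettings(jsonText).some((f) => f.state === "enabled");
}

// Constructed sample: a trimmed copy of the export posted in this issue.
const SAMPLE_EXPORT = JSON.stringify({
  webrequest_fixCSP: "yes",
  webrequest_modHeaders: "yes",
  webrequest_fixContentCSP: "yes",
});

for (const f of auditCspSettings(SAMPLE_EXPORT)) {
  console.log(`${f.key}: ${f.state} (${f.note})`);
}
```

Running the check on a settings export before importing it shows whether the import would switch either CSP option back on.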