Refused to execute inline script because it violates the following Content Security Policy directive

andy-portmen / external-application-button

Communicate with external applications of your OS through a toolbar button or context menu item.

https://webextension.org/listing/external-application-button.html

174 stars 56 forks source link

Refused to execute inline script because it violates the following Content Security Policy directive #102

Open mat926 opened 5 months ago

mat926 commented 5 months ago

Hello, I get this error when trying to run the command on some sites like Github

VM326:4 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src github.githubassets.com". Either the 'unsafe-inline' keyword, a hash ('sha256-KIgcpH7gqwIKxznM7U5KZRvHsdti6BUhgTYeMgpZXjU='), or a nonce ('nonce-...') is required to enable inline execution.

Can this be worked around?

andy-portmen commented 5 months ago

Is this on Firefox? Unless there's an extension that can bypass the CSP restriction, I don't see a way around it.

mat926 commented 4 months ago

This is on Brave

andy-portmen commented 4 months ago

I couldn't find a way to execute user-defined pre/post scripts on a page with CSP restrictions. Google has limited dynamic script injection on manifest v3 to protect users. One workaround is to use the "CORS Unblock" extension, temporarily enabling the "Remove Content-Security-policy Headers" option, and refreshing the page. However, this approach is not advisable.

andy-portmen commented 4 months ago

I'll keep this open for suggestions.