What's the point of including *://github.com/soscripted/* and *://soscripted.github.io/sox/* to sox.user.js?

[double-beep]

I am wondering why these lines are needed in the sox.user.js - the main file:

https://github.com/soscripted/sox/blob/e186e0c31362133840c71764ed4bcf66f3e24f68/sox.user.js#L21-L22

I suppose the userscript is made for Stack Exchange and not for GitHub, right? Plus the userscript is blocked on GitHub and throws some errors in console.

[shu8]

• *://github.com/soscripted/* is there for the Github issue injection, so the script can auto-fill environment information for users making new issues.

• *://soscripted.github.io/sox/* is there for this section of code. When users request an access token, we need to provide a redirect URI, and the https://soscripted.github.io/sox page is what we've defined. Once we detect we're on that page, that section of code extracts the returned access token and saves it in the GM variable SOX-accessToken.

There shouldn't be any errors in the console though, and I can't see any -- please could you paste/screenshot what you're seeing? I'm not sure what you mean by the userscript being blocked on Github either -- is there an extension blocking it?

[double-beep]

Let's open the console here:

Error 1:

Syntax error @ "Stack Overflow Extras (SOX)"!
##########################
JSHINT output:
##########################

EvalError: Αποκλείστηκε από την πολιτική ασφάλειας περιεχομένου
   at C.E_c (Unknown script code:3:391)
   at ja (Function code:62:80)
   at create (Function code:73:419)
   at e (Function code:14:351)

Error 2:

SCRIPT5: SCRIPT5: Αποκλείστηκε από την πολιτική ασφάλειας περιεχομένου

OK, the Greek stuff means:

Blocked by the content's policy

[shu8]

Do you have any content-blocking (or request-blocking) extensions installed?

[double-beep]

Nope, I don't have any.

[shu8]

Interesting, I can reproduce this on Edge (which I think is the browser you're using?), but not on Chrome or Firefox.

Github does have a very specific CSP:

default-src ;
base-uri 'self' ;
block-all-mixed-content ;
connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com ;
font-src github.githubassets.com ;
form-action 'self' github.com gist.github.com ;
frame-ancestors 'none' ;
frame-src render.githubusercontent.com ;
img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com ;
manifest-src 'self' ;
script-src github.githubassets.com ;
style-src 'unsafe-inline' github.githubassets.com

and it seems to be blocking Tampermonkey from executing SOX.

I'm not sure if there's much I can do about that, but will read up a bit more on CSP to see if there's a workaround.

---

I will be keeping both @match declarations though, as the github.io site seems to work in Edge, and the github.com injection seems to work in some browsers so will be useful for at least some users!