
CSP prevents scriptlets and extCSS rules from working #304

Closed
EivindArvesen opened this issue Dec 27, 2019 · 2 comments

@EivindArvesen

Issue Details

  • Version of AdGuard for Safari:
    • Version 1.5.4
  • Environment name and version:
    • Safari 13.0.4 (15608.4.9.1.3)
  • Operating system and version:
    • macOS Catalina 10.15.2
  • Filters you use in AdGuard:
    • Ad Blocking, Privacy, Annoyances, Security
  • Any other browser extensions you have installed:
    • PiPifier Button, Tabs Saver

Expected Behavior

Setting a CSP that does not include 'unsafe-inline' for "script-src", I expect any inline scripts on a page I navigate to not to run (and trigger an error in the console).
Otherwise, I should see no difference in documents that comply with the policy.

Actual Behavior

Pages (even those without any script whatsoever) trigger an error,

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

in the console, referring to <URL>:0 – yes, line zero (!) – which contains only the code

<!DOCTYPE html>

and the error message Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

Screenshots

Screenshot: Skjermbilde 2019-12-27 kl  23 02 35

Additional Information

I'm getting a Content Security Policy error on the first line of the document on pages that disable script-src 'unsafe-inline', for some reason.
Seems to only be the case when CSP is set via HTTP-response headers, as opposed to meta-tags in the HTML document. This only happens in Safari.

I made a POC here (should be served with apache2).

Can be reproduced on the following pages:

https://www.eivindarvesen.com/blog/2019/07/19/introducing-cleave
https://github.com/EivindArvesen/prm
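To make the console error quoted above concrete, here is an added example written for this page; it is not part of the issue, of the proof of concept, or of AdGuard's code. It applies the CSP fallback rules (script-src-elem, then script-src, then default-src) to a header value and reports whether an inline script with no nonce or hash may run, and it counts the inline scripts a document actually ships, so that a violation reported on a doctype-only page can be attributed to code injected after delivery rather than to the page. The header value, the hostname and the document body are constructed for the example.

```javascript
// Added example (not from the issue or from AdGuard): decide whether an
// inline <script> with no nonce or hash may run under a given
// Content-Security-Policy header value, following the CSP fallback rules,
// and count the inline scripts a document actually ships.

// Parse "directive source source; directive ..." into a Map. Per the spec a
// repeated directive name is ignored, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources governing <script> elements: script-src-elem, then script-src,
// then default-src. Returns null when no directive applies (nothing blocked).
function governingScriptDirective(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// Verdict for an inline script that carries no nonce and has no hash listed:
//   'allowed'                - runs
//   'blocked'                - refused; this is the console error from the issue
//   'requires-nonce-or-hash' - only scripts with a matching nonce/hash run;
//                              'unsafe-inline' is ignored once a nonce or hash
//                              is present (CSP Level 2 and later)
function inlineScriptVerdict(header) {
  const governing = governingScriptDirective(parseCsp(header));
  if (governing === null) {
    return { verdict: 'allowed', directive: null };
  }
  const sources = governing.sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) {
    return { verdict: 'requires-nonce-or-hash', directive: governing.name };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { verdict: 'allowed', directive: governing.name };
  }
  return { verdict: 'blocked', directive: governing.name };
}

// Count <script> elements without a src attribute. Simplified tag scan, not a
// full HTML parser; adequate for the small documents a reproduction uses.
function countInlineScripts(html) {
  const scriptTag = /<script\b([^>]*)>[\s\S]*?<\/script\s*>/gi;
  let count = 0;
  let match;
  while ((match = scriptTag.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(match[1])) count += 1;
  }
  return count;
}

// Constructed reproduction of the scenario in the issue: a header-delivered
// policy without 'unsafe-inline' and a document consisting of the doctype only.
const SAMPLE_HEADER = "default-src 'self'; script-src 'self' https://static.example.invalid";
const SAMPLE_DOCUMENT = '<!DOCTYPE html>\n';

// Explain a reported violation: either the page's own inline scripts are being
// refused, or the page ships none and the refused script was injected later
// (for example by a browser extension's content script).
function explainViolation(header, html) {
  const { verdict, directive } = inlineScriptVerdict(header);
  const shipped = countInlineScripts(html);
  if (verdict === 'allowed') return 'policy permits inline scripts; no violation expected';
  if (shipped > 0) return `${shipped} inline script(s) in the document are refused by ${directive}`;
  return `document ships no inline scripts, so a ${directive} violation must come from code injected after delivery`;
}

console.log(explainViolation(SAMPLE_HEADER, SAMPLE_DOCUMENT));
```

Run it with node; the sample prints the "injected after delivery" explanation, which is the situation the issue describes: the document contains nothing but the doctype, yet the header-delivered policy refuses a script, so the refused script is not the page's own.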

@ameshkov ameshkov added this to the 1.8 milestone Dec 31, 2019
@ameshkov ameshkov added Bug Something isn't working P3: Medium Medium priority labels Dec 31, 2019
@ameshkov ameshkov changed the title CSP-bug CSP prevents scriptlets and extCSS rules from working Dec 31, 2019
@ameshkov (Member)

I am not sure if it is possible to fully fix this, but we'll give it a closer look.

In the case of other browsers (Chrome or FF), content scripts are allowed to ignore the page's CSP and run with no issues. This is clearly not the case in Safari.

@Mizzick (Contributor) commented Apr 26, 2020

Unfortunately, this is still a problem for Safari, check out this comprehensive comment:
Tampermonkey/tampermonkey#296 (comment)
