Content Security Policy issues in Safari #13
Comments
|
I don't own any Apple devices, so I can't check. Are you seeing any errors in the console? |
|
|
|
Works fine with chrome tamper monkey |
|
Very odd, I'm not sure why Safari isn't behaving like Chrome. I haven't found any reports about this particular problem. Please do me a favor and add the following line just below the other // @connect raw.githubusercontent.comThe only domain that is accessed within the script is Also, I don't think the |
|
No difference with @connect
|
|
😞 @silverwind would you please see if you can find the problem? |
|
Will check later. |
|
Pretty sure this is a Tampermonkey issue, filed Tampermonkey/tampermonkey#296. |
|
Or maybe try NinjaKit? |
|
No luck with that either. On NinjaKit, it installs fine, but doesn't show any indicator that the script is active and nothing is logged on the console. The state of Safari extensions is a sad one. |
|
Have you heard anything about AdGuard? It looks like it supports adding userscripts (aka extensions) in Safari. |
|
Where does it say so? It looks like some kind of OS-level firewall thing to me, I'm not daring to install it. And it's not free. |
|
The good news is now MS Edge supports extensions... oh joy! |
|
Tampermonkey was just released for Edge today. So far no luck getting github-dark to run on it though. |
|
@xt0rted I think the problem has to do with GitHub's CSP. |
|
Check if there's a CSP violation in the console. If there is, chances are that either the Tampermonkey or Edge developers have to fix it. |
|
Yeah, that's what I was seeing...
|
|
It's this one right here: |
|
I'm seeing something similar in chrome (53.0.2785.143) on linux: I'm seeing about 45 of those in my dev tools console. This prevents Github Dark from functioning at all and started happening only yesterday (I think when I upgraded chrome). |
|
Check if the option to circumvent CSP is checked in Tampermonkey's option, and if it is, report it to Tampermonkey. I don't think there's anything we can do about these issues unfortunately. |
|
Has anyone found any work arounds to this issue? I love this theme and really want to use it with Safari :) great work to all those involved! |
|
So, instead of making a new issue for Microsoft Edge, I should use this issue as the errors were the same. Any news on this? |
|
Not really, the bug is pretty much on Edge and Safari. Extension scripts should be made exempt from CSP, which is what Chrome and Firefox already implement. For Safari, the bug should be https://bugs.webkit.org/show_bug.cgi?id=149000, I haven't found a corresponding Edge issue, maybe someone wants to file one. |
silverwind
changed the title
|
Tried to submit the bug on https://connect.microsoft.com/IE/feedback/LoadSubmitFeedbackForm, but it won't let me, presumably because I don't use Edge: So if someone is able to submit, please go ahead. The gist of this issue is that extensions should not be subject to a site's CSP and that Chrome and Firefox already do it that way. Maybe also link them to this issue. |
|
Oh, and it's even in the spec: https://w3c.github.io/webappsec-csp/#extensions
|
|
I was able to report from within a virtual machine: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11320214/ |
|
I hear this has been fixed in a recent Edge version, which makes Safari the only browser to still block the script. Not much we can do, except watch https://bugs.webkit.org/show_bug.cgi?id=149000. |
|
@Mottie you can request a free developer/beta license if on the adguard forums. Also something else that allows js injections at OS level is Fiddler |
|
Also why not have all deps locally that way there will be no csp violation |
|
I'm not sure how adguard is going to help with Safari? Please clarify. And the dependencies are hosted on Greasyfork or GitHub (for GM4 polyfill), both of which should be supported by Tampermonkey's |
silverwind
changed the title
Github does not change theme when I load this script. I am using safari with tamper monkey.
The text was updated successfully, but these errors were encountered: