Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bypassing CSP #2270

Open
cyber-sec0 opened this issue Nov 29, 2024 · 2 comments
Open

Bypassing CSP #2270

cyber-sec0 opened this issue Nov 29, 2024 · 2 comments
Labels
feedback needed

Comments

@cyber-sec0
Copy link

cyber-sec0 commented Nov 29, 2024
edited
Loading

Expected Behavior

I can grab a CSS or HTML file containing inline styles or style tags from anywhere, in any manner, and inject it on the page.

Actual Behavior

Script breaks.

Script

// ==UserScript==
// @name               ddd
// @namespace          
// @description        
// @version            74
// @author             
// @include            *
// @grant              GM_getResourceText
// @grant              GM.xmlHttpRequest
// @run-at             document-end
// @connect            *
// @resource           css https://domain.com/cs.css
// ==/UserScript==

//Method 1 using GM_getResourceText

const container = document.createElement('div');

// Attach a Shadow DOM to the container
const shadowRoot = container.attachShadow({ mode: 'open' });

// Create a <style> element and inject the fetched CSS into it
const style = document.createElement('style');
style.textContent = GM_getResourceText("css");  // Inject the CSS content

// Append the style element to the Shadow DOM
shadowRoot.appendChild(style);

// Append the container (with Shadow DOM) to the body
document.body.appendChild(container);



//Method 2 using "fetch"

// Request the external CSS
GM.xmlHttpRequest({
  method: 'GET',
  url: 'https://domain.com/cs.css', // Replace with your CSS URL
  onload: function (response) {
    // Create a container for the Shadow DOM
    const container = document.createElement('div');

    // Attach a Shadow DOM to the container
    const shadowRoot = container.attachShadow({ mode: 'open' });

    // Create a <style> element and inject the fetched CSS into it
    const style = document.createElement('style');
    style.textContent = response.responseText;  // Inject the CSS content

    // Append the style element to the Shadow DOM
    shadowRoot.appendChild(style);

    // Append the container (with Shadow DOM) to the body
    document.body.appendChild(container);
  }
});

Testing page
https://www.icloud.com/shortcuts/7d4712f9ca6e4c60aeb5cf813873dcd3
@derjanb
Copy link
Member

derjanb commented Dec 1, 2024

What is your Tampermonkey, browser and OS version?

@cyber-sec0
Copy link
Author

cyber-sec0 commented Dec 3, 2024
edited
Loading

@derjanb

TM = Latest 5.3.2
Edge = Latest 131.0.2903.63 (Official build) (64-bit)
Win 11 = Latest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feedback needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@derjanb @cyber-sec0