
Firefox CSP issue #173

Closed
gera2ld opened this issue Aug 12, 2017 · 28 comments · Fixed by #246
Comments

@gera2ld
Member

gera2ld commented Aug 12, 2017

Firefox does not support script injection from extensions when a page has CSP restrictions. As a result, no script can be injected into such pages in Firefox. But it works well with Chrome.

Related issues:
#107, #172

Some examples suffered from this issue:

  • scripts cannot work correctly on GitHub
  • styles installed via userscript cannot be applied on GitHub
@d4k0

d4k0 commented Aug 20, 2017

If this is an issue with Firefox, then why do the scripts work in Tampermonkey? Or does Tampermonkey use some kind of workaround?

@gera2ld
Member Author

gera2ld commented Aug 21, 2017

Because it has modified the CSP header. And this seems to be the only solution on Firefox if Firefox won't grant permission for extensions to inject scripts.

@nkestrel

Upstream Bug 1267027.

@angelsl

angelsl commented Sep 7, 2017

FWIW I'm currently working around this using an addon to modify the CSP per-page (slightly modified from the original Chrome extension).

E.g. to get GitHub Dark as a userscript to work, we add in 'unsafe-inline' to the script-src CSP.

```json
[[["*://*.github.com/*"], [["script-src", "script-src 'unsafe-inline'"]]]]
```

@Geobert

Geobert commented Sep 25, 2017

I can ditch Tampermonkey now! Cheers @angelsl !

@Geobert

Geobert commented Sep 26, 2017

Good news: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027#c21

@Betsy25

Betsy25 commented Oct 10, 2017

FYI, normally this issue should be fixed in the latest Firefox Nightly.
https://bugzilla.mozilla.org/show_bug.cgi?id=1406278

EDIT: Please disregard, the script #172 still doesn't work in Violentmonkey.

@ghost

ghost commented Oct 20, 2017

Edit: never mind, it is not always applicable -- only under very specific configurations (that I cannot identify) can I run userscripts.

I didn't want to install another addon just to tinker with CSP headers so for the time being, short of disabling CSP altogether, I loosened the policy with the about:config switch security.csp.enableStrictDynamic = false to run (dynamically injected) userscripts while continuing to block normal page scripts.

@evilpie
Contributor

evilpie commented Oct 21, 2017

With both bug 1407056 and bug 1406278 fixed this should now work correctly. For example testing the script from #172 on github everything seems correct with Firefox 58 (2017-10-20). @gera2ld can you confirm?

@gwarser

gwarser commented Oct 21, 2017

Doesn't work. Even in Tampermonkey the CSP hack is required.

@angelsl

angelsl commented Oct 21, 2017

@gwarser

The changes in question will only land in FF 58.

You may wish to try the next Nightly containing those changes.

@gwarser

gwarser commented Oct 21, 2017

I'm on Build ID 20171021100029

@Toora

Toora commented Oct 22, 2017

Is this script not working because of the CSP issues? Extract images for Twitter

Works with Tampermonkey and Greasemonkey 4, but not Violentmonkey. Also not on latest Nightly.

@evilpie
Contributor

evilpie commented Oct 22, 2017

Actually I was wrong, it still doesn't seem to work. Both the github script and the twitter script for extracting images above still run into CSP issues.
Talking to the developer, the following things are still missing:

<John-Galt> There is more to do, yes: inline styles, content injected from inline stylesheets, support for innerHTML, eval, inline scripts (which I probably won't actually implement)... a few other things. But most basic injections should work now.

Maybe the way Violentmonkey injects scripts could be changed.

@evilpie
Contributor

evilpie commented Oct 22, 2017

Check out evilpie@18f5c60. This seems to make the script from #172 work for me. Extract images for Twitter also works, though it seems a bit broken; this is probably unrelated to the CSP issue.

The fix is to use .src for injecting the scripts instead of using .textContent (i.e. inline scripts), which might not even be fixed.

@Geobert

Geobert commented Apr 5, 2018

It's broken again since a day or two :(

Had to use @angelsl's workaround again

@jsamr

jsamr commented Aug 26, 2018

@gera2ld
Someone on this Bugzilla ticket suggested using the contentScripts API to bypass CSP restrictions.

Can't you use the contentScripts API¹?
¹ https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts

@danShumway

danShumway commented Nov 8, 2018

What would be the biggest hurdle in moving over to contentScripts?

As far as I can tell:

  • Chrome doesn't currently support them.

Otherwise, run-at seems to support the same options. If there was an alternate method for Chrome, would I be correct in assuming this is something that could be swapped in for the injection bridge? Since contentScripts will only register for the duration of the object lifecycle, seems like something that could be registered on each page load. Not sure if that would have performance implications.

I don't currently use Chrome, so I haven't looked into whether it suffers from the same problem. But I would prefer not to disable CSP restrictions for an entire domain, even though that is a workaround I suppose.

@gera2ld
Member Author

gera2ld commented Nov 9, 2018

By using contentScripts, it's impossible for Chrome to access unsafeWindow.
Even in Firefox many scripts will be broken because of access to incorrect global objects. For example, there will be two different Array prototypes, one from the content script, and the other from the web page. When calling an array created in the web page from the content script, a DOM Exception will be raised. As a result, unsafeWindow becomes useless though you have wrappedJSObject.

@danShumway

Yeah, you're right; forgot that @grants means that scripts can actually request access to that stuff.

I'd still be happy with even a limited way to get scripts interacting with CSP-blocked domains, since right now the alternative is nothing works at all; but since Firefox is theoretically still planning to just make CSP not apply to injected scripts, it's probably more efficient for me to just bug them about it.

@oifj34f34f

oifj34f34f commented Nov 8, 2023

I can't run userscripts on github.com, although everything works on Chromium. Has anyone found a solution? @angelsl :)

@tophf
Member

tophf commented Nov 8, 2023

Set Injection mode to Auto in the options.

@oifj34f34f

Doesn't work :(
and it was already enabled by default.

@vintprox

vintprox commented Dec 7, 2023

Having the same problem while trying to activate a style script on Mastodon sites. Injection mode auto doesn't help and I still get this in the logs:

```text
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 2 [content-script.js:40:65](moz-extension://43ae36e6-c357-4bd6-882b-65212c3790bd/content-script.js)
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). [injected.js:1:6177](moz-extension://3a9fd357-8878-48d6-a4d0-1e42fe2b9ff5/injected.js)
```
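The two console messages above, the `security.csp.enableStrictDynamic` switch and the CSP-rewriting addon mentioned earlier in the thread all come down to how the effective directive's source list treats inline content. As an added example (not Violentmonkey's code, nor any participant's), here is a small evaluator of those CSP3 rules; the policy strings in the comments and tests are constructed.

```javascript
// Added example, not Violentmonkey code: evaluates whether an injected inline
// <script>/<style> survives a page's CSP. It models the CSP3 rules:
//  - effective directive falls back <kind>-src-elem -> <kind>-src -> default-src;
//  - an inline element needs 'unsafe-inline' in that source list;
//  - 'unsafe-inline' is ignored when a nonce-/hash-source is present and, for
//    scripts, when 'strict-dynamic' is present (security.csp.enableStrictDynamic
//    from the thread only switches off that last rule in Firefox).
// An injected element carries neither the page's nonce nor an allow-listed hash.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored by the spec; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

// Directive governing an inline element of `kind` ('script' | 'style'),
// or null when the policy has no applicable directive (nothing is blocked).
function effectiveDirective(policy, kind) {
  const chain = [`${kind}-src-elem`, `${kind}-src`, 'default-src'];
  for (const name of chain) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// True when an injected inline <script>/<style> would be allowed.
function inlineAllowed(header, kind) {
  const eff = effectiveDirective(parseCsp(header), kind);
  if (eff === null) return true;
  const { sources } = eff;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = kind === 'script' && sources.includes("'strict-dynamic'");
  if (hasNonceOrHash || strictDynamic) return false; // 'unsafe-inline' is nullified
  return sources.includes("'unsafe-inline'");
}

// Mirrors the Firefox console message: names the directive that blocked it.
function explainBlock(header, kind) {
  if (inlineAllowed(header, kind)) return null;
  const { name } = effectiveDirective(parseCsp(header), kind);
  return `blocked the loading of a resource at inline ("${name}")`;
}
```

Run `explainBlock("default-src 'self'; script-src 'self'", 'script')` to reproduce the first message above; adding `'unsafe-inline'` to script-src (what the rewriting addon does) flips it to null, while adding a nonce as well blocks it again.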

@tophf
Member

tophf commented Dec 7, 2023

Use GM_addStyle or GM_addElement.

@vintprox

vintprox commented Dec 7, 2023

Hm, I tried this:

```javascript
// ==UserScript==
// @name        Mastodon Wider Columns
// @namespace   https://greasyfork.org/en/users/830433-vintprox
// @match       https://techhub.social/deck/*
// @grant       GM_addStyle
// @version     1.0
// @author      vintprox
// @description Make an "advanced web interface" a little bit better on Mastodon by widening columns
// ==/UserScript==

GM_addStyle(`
  .drawer {
    width: 400px;
  }
  .column {
    width: 400px;
  }
  .column:last-child {
    flex-grow: 1;
  }
`);
```

Doesn't cut it, unfortunately.

@tophf
Member

tophf commented Dec 7, 2023

37ec011 fixes it. Test build in CI.

@tophf
Member

tophf commented Dec 7, 2023

Meanwhile, the workaround is to add the style element manually:

```javascript
const el = document.createElement('style');
el.textContent = `.......`;
(document.head || document.documentElement).appendChild(el);
```

Note that it works because the script is automatically injected in content mode by default, but it won't happen if you use another extension to disable CSP of this page, so in that case add `// @inject-into content` to your script's meta comment.
