-
Notifications
You must be signed in to change notification settings - Fork 437
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Safari: Script unable to bypass CSP #296
Comments
According to the CSP spec a CSP should not interfere with extensions and add-ons [1], but Safari doesn't care and stops Tampermonkey when it injects a script into the page. Unfortunately there is nothing I can do to fix this. So this actually this is more a "can't fix" than a "won't fix". |
@derjanb I'm also curious why some adblocker extensions and some extensions that is actually a wrapper for some scripts work like a charm? |
@legendtang Can you please send a link to such an extension? |
@derjanb For example, uBlock Origin https://github.com/gorhill/uBlock |
@legendtang I have issues to find out how to define a custom JavaScript that is injected into the page. Can you please give some guidance or send a backup with that for example injects |
@derjanb They're restricting the use of external scripts and only applying pre-defined rule-based scripts in resource.txt instead. But it will not work in CSP websites for Safari. Don't be so upset. Below is where exactly I noticed the behaviors from. There're some extensions already achieving that. Safari-FIDO-U2F/Safari-FIDO-U2F#26 (comment) This extensions do successfully load the script on any websites, even for CSP-enabled GitHub. The |
So does this mean that no userscript will ever work in Safari? |
No, it means a site with a very strict CSP can prevent scripts from running or prevent some features from working. |
I think Userscripts solves this by using eval instead of creating a script tag when @inject-into content is in the script. https://github.com/quoid/userscripts/blob/14297fb38e46dc5f5a51a857d9c8f034a69b8730/extension/Userscripts%20Extension/UserscriptsSafari.js#L33 |
Hi @michaelmesser are you saying there is a solution to this issue? I only use Tampermonkey to add CSS to webpages to customise them. Decided to switch to Safari for one app, and its blocked. I use a addGlobalStyle function to add the style, but the script is blocked. I tried another app to add CSS called Cascadea and that works fine. So it is possible to at least inject CSS into webpages. I dont know if Tampermonkey has another working way, or just does not implement the same way as Cascadea does it. |
@amityweb, if you only need custom CSS, you could use Stylus. |
so it’s possible. unfortunately I cannot install userscripts since it requires mac v12 |
But may fail with disabled relax mode in 4.20 - I must found solution to move this to anohter addon. |
Using Tampermonkey 4.1 on Safari 9.1.1, a userscript seems unable to bypass a site's CSP, like for github.com in our case (here's the script). This error is being logged in the console:
I've been searching for an option menu with the CSP option, but there appears to be none available in the Safari version of this extension.
Ref: StylishThemes/GitHub-Dark-Script#13
The text was updated successfully, but these errors were encountered: