Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bypass CSP for img.src in Chromium #33

Closed
deevroman opened this issue Aug 24, 2024 · 4 comments
Closed

Bypass CSP for img.src in Chromium #33

deevroman opened this issue Aug 24, 2024 · 4 comments

Comments

@deevroman
Copy link
Owner

Currently, switching satellite images only works in Firefox. It is implemented by simply replacing the src tag

better-osm-org/better-osm-org.user.js

Line 749 in 00555e8

i.src = SatellitePrefix + xyz.z + "/" + xyz.y + "/" + xyz.x;

But this does not work in Chromium, which for some reason takes into account image-src CSP

  1. Possible workaround

Create an with the desired tile using GM_AddElement, and call replaceWith()

better-osm-org/better-osm-org.user.js

Lines 751 to 756 in 00555e8

const newImg = GM_addElement(document.body, "img", {
src: SatellitePrefix + xyz.z + "/" + xyz.y + "/" + xyz.x
})
newImg.classList = i.classList
newImg.style.cssText = i.style.cssText;
i.replaceWith(newImg)

But this breaks Leaflet: when zooming in, new tiles are not loaded (you can get around it by switching tiles twice)

replaceWith probably breaks tile object references that are important for Leaflet. (event handlers?)

I have no idea how to overcome this or even understanding how GM_addElement bypasses CSP

Interesting points in the ViolentMonkey source code

https://github.com/violentmonkey/violentmonkey/blob/692ffb97743fbbcd549d1ed81969e915125ebfd7/src/injected/content/gm-api-content.js#L31

https://github.com/violentmonkey/violentmonkey/blob/692ffb97743fbbcd549d1ed81969e915125ebfd7/src/background/utils/preinject.js#L625
@deevroman deevroman added the help wanted Extra attention is needed label Aug 24, 2024
@deevroman
Copy link
Owner Author

Not exactly about CSP, but probably solving this problem will also help to bypass bypass CORS for some imagery

@deevroman
Copy link
Owner Author

deevroman commented Feb 2, 2025
edited
Loading

https://chromewebstore.google.com/detail/allow-csp-content-securit/hnojoemndpdjofcdaonbefcfecpjfflh it can disable CSP on the site. ⚠️ Important: This can seriously weaken your security

also: https://chromewebstore.google.com/detail/csp-unblock/lkbelpgpclajeekijigjffllhigbhobd

@deevroman
Copy link
Owner Author

Perhaps a solution to problems with Leaflet may be available after: Tampermonkey/tampermonkey#2053

deevroman added a commit that referenced this issue Feb 4, 2025
@deevroman
#33 workaround for Satellite mode in Google Chrome (sosat CSP), overz…
92f51e4 
…oom for sat tiles
deevroman added a commit that referenced this issue Feb 5, 2025
@deevroman
#33 workaround for Satellite mode in Google Chrome (sosat CSP), overz…
b9631e4 
…oom for sat tiles
@deevroman deevroman removed the help wanted Extra attention is needed label Feb 5, 2025
@deevroman
Copy link
Owner Author

The solution is specific:

  1. Intercept the addition of a new image.
  2. Remove the loading error handlers (critical only for map tiles, so that there is no flickering)
  3. Upload the image via GM.xmlHttpRequest
  4. Insert it as dataURL

Chrome — сосать, CSP — сосать

deevroman added a commit that referenced this issue Feb 28, 2025
@deevroman
#33 workaround for Satellite mode in Google Chrome (sosat CSP), overz…
1e3c7ed 
…oom for sat tiles
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@deevroman