RPC intercepts not possible for apps setting CSPs in meta tags #132

Open
jfschwarz opened this issue Aug 16, 2024 · 0 comments
jfschwarz commented Aug 16, 2024

We intercept RPC requests made by apps by enabling redirects to the fork RPC via `declarativeNetRequest` session rules. Unfortunately, the redirect target URL falls under the app's content security policies, so it might be blocked. For that reason we disable CSPs for apps loaded in Pilot.

This works when CSPs are set in response headers, but there's an alternative way of setting them using `<meta http-equiv>` tags. Our header override solution only disables CSPs set in response headers, not those set through meta tags.
As a result, RPC intercepts don't work for apps using such meta tags. An example is https://app.uniswap.org.

Unfortunately, there's no easy way to disable such CSPs. See this discussion about `declarativeNetRequest`: w3c/webextensions#169 (comment)

There's this extension that allows fully disabling CSPs set through either option: https://github.com/lisonge/Disable-CSP/blob/main/src/devtools.ts. However, apparently it requires dev tools to be open for removing meta tags. 😒

We could try to build a service worker processing HTML doc responses and removing the tags, but not sure if this will work.

@jfschwarz jfschwarz added the bug Something isn't working label Aug 16, 2024
@jfschwarz jfschwarz self-assigned this Aug 16, 2024
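
A diagnostic for the situation described in the issue, as an added example that is not part of the issue or of Pilot's code: it reports which CSP delivery channel (response header, meta tag, or both) would block a connection to a redirect target, so an app affected by the meta-tag case can be identified. All hostnames, sample inputs and function names are constructed for illustration, and source matching is simplified as noted in the comments.

```javascript
// Constructed sample: one document whose CSP arrives by header and by meta tag.
const sampleHeaders = { "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://rpc.example" };
const sampleHtml = `<html><head><meta http-equiv="Content-Security-Policy"
  content="connect-src 'self' https://api.example"></head><body></body></html>`;

// Collect every policy on the document, tagged with how it was delivered.
function collectPolicies(headers, html) {
  const found = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "content-security-policy") found.push({ via: "header", policy: value });
  }
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']?content-security-policy/i.test(tag)) continue;
    const content = /\scontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    if (content) found.push({ via: "meta", policy: content[1] ?? content[2] });
  }
  return found;
}

// Source list governing fetch/XHR/WebSocket: connect-src, else default-src, else none (null).
function connectSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives.get("connect-src") ?? directives.get("default-src") ?? null;
}

// Simplified source matching (assumption): handles *, 'self', scheme sources and host sources
// with an optional leading "*."; ports and paths are ignored.
function sourceAllows(source, target, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/.exec(source);
  if (!m || (m[1] && m[1] + ":" !== target.protocol)) return false;
  return m[2] ? target.hostname.endsWith("." + m[3]) : target.hostname === m[3];
}

// Channels whose policy blocks pageUrl -> targetUrl; policies combine restrictively, so one is enough.
function blockingChannels(headers, html, pageUrl, targetUrl) {
  const target = new URL(targetUrl), pageOrigin = new URL(pageUrl).origin;
  return collectPolicies(headers, html).filter(({ policy }) => {
    const sources = connectSources(policy);
    return sources !== null && !sources.some((s) => sourceAllows(s, target, pageOrigin));
  }).map(({ via }) => via);
}
console.log(blockingChannels({}, sampleHtml, "https://app.example/", "https://fork-rpc.example/")); // header stripped: ["meta"]
```

Passing an empty header object models the header override already in place: the meta-delivered policy is still reported as blocking.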