philgrayson / chrome-csp-disable
Disable Content-Security-Policy in Chromium browsers for web application testing
License: The Unlicense
I get this error when a script is redirected to a different site using a redirector extension (switcharoo):
Refused to load the script ... because it violates the following Content Security Policy directive: "script-src 'self' ... https: 'unsafe-inline' 'unsafe-eval'".
Everything is over https; the redirected site is on http.
The failing site has an intense CSP policy in a Content-Security-Policy meta tag.
I do these kinds of redirection all the time with many other https sites without any CSP errors using your extension.
I am using Version 49.0.2623.112 m. If I try to access the contentDocument property of an iframe element where the iframes current location is on another server I am getting:
Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://localhost:51904" from accessing a frame with origin "http://10.200.200.211". Protocols, domains, and ports must match.
I have toggled the button in the add-on bar so it has had both appearances while doing this.
Did I misunderstand the functionality of the plugin, or is it not keeping up with newer browsers?
At line 4 in background.js, shouldn't the statement
if(!isCSPDisabled)
be replaced with the following statement?
if(isCSPDisabled)
I tried your script and it doesn't disable CSP. But, when I changed !isCSPDisabled to isCSPDisabled it works properly. It seems that you're returning from the function if CSP is not disabled, which doesn't make any sense.
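As an added example (not the extension's own background.js), this is the kind of header filter the toggle in this issue controls, with the toggle semantics made explicit so the early-return guard reads correctly: isCSPDisabled true means the extension is active and CSP headers are dropped. The listener shape follows chrome.webRequest.onHeadersReceived with ["blocking", "responseHeaders"]; the helper names and the sample headers are assumptions.

```javascript
// Added example, not the extension's own background.js. Assumed names:
// isCSPDisabled = the toggle state (true = extension active, strip CSP),
// stripCspHeaders / onHeadersReceived / remainingHeaderNames = illustration helpers.

const CSP_HEADER_NAMES = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// Return the response headers with every CSP header removed while the toggle
// is on. With the toggle off the headers pass through untouched, so the
// early-return guard tests "not active", not "active".
function stripCspHeaders(responseHeaders, isCSPDisabled) {
  if (!isCSPDisabled) {
    return responseHeaders; // toggle off: browser enforces the policy as served
  }
  // Header names are case-insensitive; do not depend on the server's casing.
  return responseHeaders.filter(
    (h) => !CSP_HEADER_NAMES.has(h.name.toLowerCase())
  );
}

// Shape of a chrome.webRequest.onHeadersReceived listener registered with
// ["blocking", "responseHeaders"]: returning { responseHeaders } rewrites them.
// A policy delivered in a <meta http-equiv="Content-Security-Policy"> tag is
// part of the document body, not a response header, so this listener never
// sees it and cannot remove it.
function onHeadersReceived(details, isCSPDisabled) {
  return {
    responseHeaders: stripCspHeaders(details.responseHeaders, isCSPDisabled),
  };
}

// Constructed sample response, in the form the listener receives it.
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "text/html" },
  { name: "Content-Security-Policy", value: "script-src 'self'" },
  { name: "content-security-policy-report-only", value: "default-src 'none'" },
];

// Names of the headers that survive the listener for a given toggle state.
function remainingHeaderNames(isCSPDisabled) {
  return onHeadersReceived({ responseHeaders: SAMPLE_HEADERS }, isCSPDisabled)
    .responseHeaders.map((h) => h.name);
}
```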
How to deal with web.whatsapp.com: CSP disabling does not work
I tried to copy the background.js code into my Chrome extension,
but it doesn't seem to work on web.whatsapp.com.
Is tab.id a must?
After a website's CSP is disabled, it is often forgotten to click to disable CSP when it is opened again. It needs to be disabled again and the page refreshed. I hope you can support a remembered domain-name list, so that websites in the list are disabled automatically.
I wanted to use your plugin to disable CSP on the site riot.im (Riot Web Browser): https://riot.im/app/#/login.
But it is not disabled by the CSP.
And my script that I want to execute doesn't work.
Please take a look: element-hq/element-web#13855
https://microsoftedge.microsoft.com/addons/search/csp?hl=zh-CN
Edge will not sync extensions from non-Edge stores.
This is fantastic! Thank you for making it!!
What is the license?
If you're open to it, can I suggest the MIT license or public domain?
https://choosealicense.com/licenses/mit/
https://choosealicense.com/licenses/unlicense/
Thanks again, this saved my life!
Extension no longer disables CSP.
I downloaded your extension and installed it, and it worked properly in Chrome 63.0.3239.132, but now that I have updated to Chrome 67.0.3396.87 it doesn't work.
I opened the developer tools and I see the security policy header present there, and it also doesn't allow me to execute inline events anymore.
Can you please take a look and confirm the issue, and let me know if I can somehow help resolve it. Thanks.
Reloading the tab re-enables CSP and I need to re-enable the addon manually.
Rarely this doesn't happen though and CSP stays disabled.
Edit: I'm testing this on editor.construct.net btw. I'm guessing its service worker is messing with the addon
I first noticed this with my own website, but there I was able to temporarily remove the headers. However I've also recently discovered this on Flickr.
Refused to load the script 'https://www.ssa.gov/accessibility/andi/andi.js' because it violates the following Content Security Policy directive: "script-src https://securepubads.g.doubleclick.net https://adservice.google.com https://cdn.ampproject.org https://*.google.com https://*.google-analytics.com https://*.googleadservices.com https://*.doubleclick.com https://*.doubleclick.de https://*.doubleclick.net https://*.googletagservices.com https://*.googleadservices.com https://*.googlesyndication.com https://*.googleapis.com https://www.googletagmanager.com https://*.infolinks.com https://ads.pubmatic.com https://static.criteo.net https://hb.yellowblue.io https://cs.yellowblue.io https://cdn.jsdelivr.net https://shb.richaudience.com https://sync.richaudience.com/ https://prebid.a-mo.net https://ad.360yield.com https://ad.360yield-basic.com https://pbs.360yield.com https://hb.360yield.com https://player.ex.co https://channelexco.com/ https://*.connatix.com https://adserver.adtech.advertising.com 'unsafe-eval' 'unsafe-inline' 'nonce-58906aa79619ca6e43446fd2554ad394' https://flickr.com https://*.flickr.com https://*.staticflickr.com https://js.stripe.com https://boards.greenhouse.io https://*.trustarc.com https://trustarc.mgr.consensu.org https://cdn.siftscience.com https://assets.pinterest.com https://browser.sentry-cdn.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I need to have CSP enabled per tab globally. pls help
Originally posted by @mpatel1987 in #12 (comment)
If the target page has:
Content-Security-Policy: frame-ancestors 'none';
chrome-csp-disable is unable to disable CSP. I have done some tests: it's OK on Firefox, but it doesn't work on any WebKit-based browser; tested in Opera, Chromium and Chrome.
I have prepared my own domain for this test: https://jsfiddle.net/sombra2eternity/dtfL80am/
You will be unable to load this iframe on Chrome. I haven't found any documentation describing this behaviour though :/
Like, maybe set a period, or automatically turn off when closing chrome?
People are forgetful and easily distracted. That doesn't go well with security. :)
I've installed the plugin and it turns out by default it will disable the content-security-policy on my sites. Could it be made so that the default behavior is to do nothing so the browser defaults are intact? Now I have to disable the extension when I'm finished doing my stuff.
Or add the 'whitelist' as mentioned in #4
I activated the plugin but I keep getting policy errors (Refused to connect to...). The policy is set via the response header; I want to disable the policy.