
[Firefox] Can't modify page properties on sites which use CSP


This is my abiding issue with Violentmonkey (which I ❤️ - thank you!), but I can’t see an open issue for it. There are related closed issues, and this issue may point the way to a fix, but I thought it’d be better to track the bug explicitly rather than inferring it from the documentation[1] and scattered comments.

What is the problem?

It’s not possible to modify/mutate direct or nested properties of a page’s window object with the following combination:

  • Violentmonkey for Firefox
  • sites which use CSP (e.g. GitHub, Google, Twitter)

Sites which use CSP don’t run in Violentmonkey for Firefox unless @inject-into content is enabled, but @inject-into content is not compatible with @grant none, which is needed to modify page objects.

Userscript engines this works in:

  • Tampermonkey (tested on Firefox)

Userscript engines this doesn’t work in:

How to reproduce it?

// ==UserScript==
// @name          Hook XHR#open
// @version       0.0.1
// @include       https://twitter.com/*
// @include       https://github.com/*
// @include       https://*.google.tld/*
// @grant         none
// @inject-into   content
// ==/UserScript==

function hookXHROpen (oldOpen) {
    return function open (...args) {
        console.warn('inside XHR#open')
        return oldOpen.apply(this, args)
    }
}

// or unsafeWindow...
window.XMLHttpRequest.prototype.open = hookXHROpen(
    window.XMLHttpRequest.prototype.open
)

What is the expected result?

XHR#open should be hooked and the message should be logged on those sites.

What is the actual result?

XHR#open isn’t hooked and the message isn’t logged.

Related issues

Environment

  • Browser: Firefox v76.0.1
  • Violentmonkey: v2.12.7
  • OS: Linux (Arch)

Footnotes

  1. “Scripts requiring access to JavaScript objects in the web page will not work in [@inject-into content] mode.”
  2. “GM4 does not yet support @grant none.”
  3. @grant none isn’t supported. unsafeWindow is but I couldn’t get the XHR#open hook to work.
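
The mechanism behind the report above, as an added example that is not code from the issue or from the Violentmonkey project: a small evaluator for the script-related part of a Content-Security-Policy header. A script that a userscript engine injects into the page context is, to the browser, an inline `<script>`, so "why does page-mode injection fail on CSP sites" comes down to "does the policy allow inline scripts", and a site owner checking their own policy wants the same answer. The sample policies, hosts and URLs are constructed; host matching is deliberately simplified (schemes and ports are ignored, only exact hosts and `*.host` wildcards are recognised).

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Only the first occurrence of a directive is honoured; later duplicates
    // are ignored, which is what browsers do.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// The directive that governs script loads: script-src, falling back to
// default-src. With neither present, CSP does not restrict scripts at all.
function scriptSources(header) {
  const d = parseCsp(header);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

// Would an inline <script> (and therefore a script element injected into the
// page by an extension running in page mode) execute under this policy?
function inlineScriptAllowed(header) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  const lower = sources.map(s => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  // CSP Level 2/3: a nonce or hash source, or 'strict-dynamic', causes
  // 'unsafe-inline' to be ignored, so the policy stays strict.
  const overridden =
    lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s)) ||
    lower.includes("'strict-dynamic'");
  return unsafeInline && !overridden;
}

// Would an external script at scriptUrl be allowed to load on a page whose
// origin is pageOrigin? Simplified host matching, see the lead-in.
function externalScriptAllowed(header, pageOrigin, scriptUrl) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  const parsed = new URL(scriptUrl);
  const scriptOrigin = parsed.origin;
  const scriptHost = parsed.hostname;
  return sources.some(raw => {
    const src = raw.toLowerCase();
    if (src === '*') return true;
    if (src === "'self'") return scriptOrigin === pageOrigin.toLowerCase();
    if (src.startsWith("'")) return false; // 'none', nonces, hashes, keywords
    // Scheme-only source such as "https:" matches any URL with that scheme.
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return scriptUrl.toLowerCase().startsWith(src);
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/[:/].*$/, '');
    if (host.startsWith('*.')) return scriptHost.endsWith(host.slice(1));
    return host === scriptHost;
  });
}

// Constructed sample resembling what a large site sends: no inline scripts,
// scripts only from a single asset host.
const STRICT_POLICY =
  "default-src 'none'; script-src assets.example.net; style-src 'unsafe-inline'";
// Constructed permissive sample.
const LAX_POLICY = "script-src 'self' 'unsafe-inline' *.cdn.example";

console.log('strict policy allows inline scripts:', inlineScriptAllowed(STRICT_POLICY)); // false
console.log('lax policy allows inline scripts:', inlineScriptAllowed(LAX_POLICY));       // true
```

Run it with `node` to see the two verdicts; feed it your own site's header value to check that adding `'unsafe-inline'` for a tool does not silently weaken a nonce-based policy (it does not, because the nonce makes the keyword a no-op, which is the case the `overridden` check covers).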

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 17 (5 by maintainers)

Top GitHub Comments

1 reaction
sn260591 commented, Jun 5, 2020

@chocolateboy How do you determine that your script is working properly?

As for the example you’ve given, I don’t see any difference between that and assigning directly to console.log, e.g.:

unsafeWindow.wrappedJSObject.console.log = func

Try executing console.log("test") in the web console. Without exporting the function, an error will occur.

1 reaction
tophf commented, Jun 2, 2020

Don’t forget to use exportFunction or cloneInto with cloneFunctions:true option.
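
The pattern both comments point at, as an added example that is not code from the issue, its commenters or the Violentmonkey project: in a Firefox content script the page's objects are seen through Xray wrappers, so a replacement function has to be exported into the page's compartment with `exportFunction` (or copied with `cloneInto(..., {cloneFunctions: true})`) before the page can call it, and the assignment has to land on the real page object rather than on the wrapper. The install logic below is separated from the environment lookup so that the same code can be exercised outside a browser with a plain object. The `unsafeWindow`/`wrappedJSObject` resolution in `resolvePageScope` is an assumption about how the engine exposes the page window, not something the issue states.

```javascript
// Wrap XMLHttpRequest.prototype.open on pageWin. exporter(fn, scope) must
// return a function that `scope` can call: exportFunction in a Firefox content
// script, the identity function where there is no compartment boundary.
// onOpen(method, url) is invoked before the original open runs.
// Returns a function that puts the original back.
function installXhrOpenHook(pageWin, exporter, onOpen) {
  const proto = pageWin.XMLHttpRequest.prototype;
  const originalOpen = proto.open;
  function open(method, url, ...rest) {
    // Observe only; arguments and return value are forwarded untouched.
    onOpen(String(method), String(url));
    return originalOpen.call(this, method, url, ...rest);
  }
  proto.open = exporter(open, pageWin);
  return function restore() { proto.open = originalOpen; };
}

// Pick the page window and exporter for the current environment (assumption):
// - Firefox content mode (Violentmonkey/Greasemonkey): unsafeWindow is the page
//   window, possibly still Xray-wrapped, hence the wrappedJSObject step; the
//   browser provides exportFunction.
// - Page-context injection or a non-browser runtime: plain assignment suffices.
function resolvePageScope() {
  const candidate = typeof unsafeWindow !== 'undefined' ? unsafeWindow : globalThis;
  const win = candidate.wrappedJSObject || candidate;
  const exporter = typeof exportFunction === 'function'
    ? (fn, scope) => exportFunction(fn, scope)
    : (fn) => fn;
  return { win, exporter };
}

// Install the hook when an XMLHttpRequest actually exists (i.e. in a browser).
if (typeof XMLHttpRequest !== 'undefined') {
  const { win, exporter } = resolvePageScope();
  installXhrOpenHook(win, exporter, (method, url) =>
    console.warn('inside XHR#open', method, url));
}
```

Without the export step the assignment in the original report creates a function that only the content script's compartment can see, which is why the page keeps calling the untouched `open` and nothing is logged.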

