
Https everywhere on sites with CSP also prevents other browser extensions from running

Open Owyn opened this issue 5 years ago • 6 comments

example sites: github.com - all pages, google - images section

If I set https everywhere into strict https only mode and visit a website with content security policy enabled (like github) - https everywhere also starts preventing my TamperMonkey extension from running its scripts on pages as you can see on screens

it doesn't happen without https everywhere in strict https only mode

not_running2 not_running1 ok1 ok2

Firefox: 73.0.1 (64bit) TamperMonkey: v4.10.6105 Https Everywhere: v2019.11.7 OS: Windows 10 Home Version: 1903 Build: 18363

Owyn avatar Mar 07 '20 16:03 Owyn

I cannot reproduce your issue with HTTPS Everywhere EASE mode and TamperMonkey installed. AFAIK, HTTPS Everywhere upgrades the HTTP protocols in the CSP headers in EASE mode. It did not change the CSP for Github, however, as its CSP headers do not contain any HTTP protocol:

default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com

P.S. your user script works for me whether HTTPS Everywhere EASE mode is enabled or not. Could this issue be related to the setting storage of the TamperMonkey extension?

cschanaj avatar Mar 08 '20 05:03 cschanaj
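
An added example, not part of the thread and not HTTPS Everywhere's code: a small CSP parser run on an abbreviated copy of the header quoted in the comment above, checking whether any source names an insecure scheme that an upgrade could rewrite and whether inline styles or scripts are permitted. The function names are hypothetical, and flagging `ws:` alongside `http:` is an extension beyond what the comment mentions.

```javascript
// Added example. Function names are hypothetical, not HTTPS Everywhere's API.
// Abbreviated copy of the GitHub header quoted above (long host lists trimmed).
const GITHUB_CSP = "default-src 'none'; base-uri 'self'; block-all-mixed-content; " +
  "connect-src 'self' uploads.github.com api.github.com wss://live.github.com; " +
  "img-src 'self' data: github.githubassets.com; " +
  "script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com";

// Split a policy into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// List every source that names the insecure http: scheme (ws: is also flagged,
// as an assumption of this example) and so could be rewritten by an upgrade.
function insecureSources(policy) {
  const found = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const src of sources) {
      if (/^(http|ws):/i.test(src)) found.push(`${name} ${src}`);
    }
  }
  return found;
}

// Does the policy allow inline content for a directive (falling back to default-src)?
function allowsInline(policy, directive) {
  const d = parseCsp(policy);
  const sources = d.get(directive) ?? d.get('default-src');
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

On the quoted header, `insecureSources` returns an empty list, which matches the comment that there is no HTTP source to rewrite; `allowsInline` is true for `style-src` and false for `script-src`.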

additional info: you need to be logged in into github, - without being logged in scripts work

  • I have CSP bypass enabled in TamperMonkey, it's just that it doesn't seem to work for me... (image)

I tried it with clean firefox profile and imported TamperMonkey settings and scripts - and it worked like you described, but... after browser restart it stopped working for good and went back to how I described the problem - try restarting browser and see again.

Owyn avatar Mar 08 '20 11:03 Owyn

I'm having the same issue on my Github Tampermonkey script while I was trying to modify Github Font style with HTTPS EASE mode enabled.

Here is the script I wrote:

// ==UserScript==
// @name        Github font changer
// @namespace   local.greasemonkey.githubfontchanger
// @include     https://*.github.com/*
// @include     https://github.com/*
// @version     2
// @run-at      document-start
// ==/UserScript==

var fontdef ="Fira Code, Monaco, Monospace ! important"; // Set your font here.

// Function helper to inject css
// Apply the font-family definition to code styles.

(function() {
    var css = '.blob-code { font-family: ' + fontdef + '; } ' +
        '.blob-num { font-family: ' + fontdef + '; } ' +
        '';
    var head, style;
    head = document.getElementsByTagName('head')[0];
    if (!head) { return; }
    style = document.createElement('style');
    style.type = 'text/css';
    style.innerHTML = css;
    head.appendChild(style);
})();

It worked while EASE mode was disabled but won't work with EASE mode enabled. I can always disable EASE mode on the Github website, but it just doesn't feel right.

Firefox Version: 80.0.1 (64 bit) Tampermonkey Version: v4.11.6117 HTTPS Everywhere Version: 2020.8.13

zer0pwned avatar Sep 18 '20 16:09 zer0pwned

@PatheticMustan go talk here about HTTPS Everywhere and PHEX I think you have something to say about this because you said something idk (btw you didn't reference it the right way on the issue in PMGH)

ghost avatar Oct 27 '21 12:10 ghost

additional info: you need to be logged in into github, - without being logged in scripts work

(THIS ONE IS IMPORTANT BUT IT WON'T LET ME BOLD) **> + I have CSP bypass enabled in TamperMonkey, it's just that it doesn't seem to work for me... **

(image)

I tried it with clean firefox profile and imported TamperMonkey settings and scripts - and it worked like you described, but... after browser restart it stopped working for good and went back to how I described the problem - try restarting browser and see again.

Same thing happens with PHEx (look it up on the Chrome web store)

ghost avatar Oct 27 '21 12:10 ghost

https everywhere

you guys know it's obsolete for Firefox since Firefox rolled out "open sites only via https" option long ago?

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

Owyn avatar Oct 27 '21 12:10 Owyn