NanoCoreFirefox
Scriptlet injection banned by CSP
Describe the issue (Required)
Extra resources of Nano (e.g. nanop-click-elements-onready.js) mostly don't work when using them in my own filters (and setting advanced setting ""), while the exact same rules do work in Chrome. So it looks like a problem with the Firefox version using these extra resources correctly?
Screenshots (Required)
Screenshot of console (Required, press F12 to open the console)
URLs where this issue occurs (Required if applicable)
https://radar.avrotros.nl/ https://www.gelderlander.nl
Reproduction Steps (Optional if trivial)
Go to the site and see the cookie wall/cookie message not getting clicked. Do it in Chrome and the button will get clicked.
Anything else you believe to be useful (Optional)
Environment (Required)
- Operating System and Version: Win 7
- Browser and Version: Firefox/Waterfox latest
- Nano Adblocker Version: latest
- Nano Defender Version (Optional if you are not using it): latest
Your filter lists (Required)
ootb
Your custom filters (Required if you have any)
avrotros.nl##+js(nanop-click-elements-onload.js, button.ccm_btn:nth-child(1))
myprivacy.persgroep.net##+js(nanop-click-elements-onready.js, button.button:nth-child(3))
My guess is a race condition, because your rules work for me when I click into another site. It just does not work when refreshing the page.
Edit: I tried Chromium (not Chrome) and it also does not click the button sometimes.
Possibly related: LiCybora/NanoDefenderFirefox@a8c12d6
If onready is too early, try onload.
The first one is already onload but still fails.
The second one will not work because the CSP blocks all inline scripts; not sure how it can work on Chrome.
Btw, @jspenguin2017 how about adding an optional third argument to delay the click execution in the snippet?
Inline scripts injected by extensions should bypass CSP.
Allowing timeout would allow complex operations, which has security implications. Although privileged script snippets are supposed to be powerful, they should not be too dangerous. I'll need to think about it.
Inline scripts injected by extensions should bypass CSP.
Yes, if they are injected via a Content Script (that's why the ND activation console is not affected). However, snippet injection is done by creating a <script> node in the document, which is therefore inline(?). But it works on Chromium, so I may need to check the documentation.
Edit: See https://bugzilla.mozilla.org/show_bug.cgi?id=1267027
Allowing timeout ...
The reason I ask for setTimeout is that the button is created by XHR via script, not by the document itself. This causes the button to be unavailable when the document ready state is reported as complete, and thus the clicking script does not always work.
In worst situation, consider fixing in ND...
You can try this: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts
I'm not sure why gorhill didn't do it that way, there may be gotchas along the way.
I know the script snippets don't always work, and I have never claimed that they do. As I said, allowing custom timeout may have security implications, and I have to think about it.
I will not add annoyance fixes to ND.
1st site will not be fixed due to limitation of snippets. 2nd site is affected by a browser bug. Issue will stay open until a workaround is done or Mozilla fixes it. I may try the workaround if I have time.
So if I understand correctly, some sites do not work with these snippets because of a limitation? Strange, I got it working with NB on Vivaldi (I said Chrome, but tested with Vivaldi). Other sites work fine, e.g. hardware.info##+js(nanop-click-elements-onload.js, #decision); is that because these sites don't have this limitation? Is there something I can do myself to get it working? I don't want to go back to the I don't care about cookies addon, so hopefully there's something (maybe another script click mechanism with an addon or Greasy Fork or something)?
The first site is a won't fix as per Filters Policy: https://github.com/NanoAdblocker/NanoFilters
I'll land a fix for the second site for Chromium.
The privileged script snippets are not designed to be a replacement for I Don't Care About Cookies. You can make a userscript or extension for yourself to implement missing pieces.
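Added example, not part of the thread and not Nano's code: a triage helper for filter authors that reports whether a page's Content-Security-Policy would block a `<script>` node with no nonce, which is how the thread says snippets are injected and what Firefox subjects to the page CSP. The function names and sample policies are constructed; it assumes a single enforced policy and models the CSP Level 3 rules for directive fallback and for ignoring 'unsafe-inline'.

```javascript
// Added example: does a CSP block an inline <script> element that has no nonce?
// Models one enforced policy; report-only and multiple headers are out of scope.

// Parse "name src src; name src" into a Map of lowercase name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) {
      policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
    }
  }
  return policy;
}

// Returns { blocked, reason } for an inline <script> without a nonce attribute.
function inlineScriptVerdict(header) {
  const policy = parseCsp(header);
  // Fallback chain for script elements.
  const name = ['script-src-elem', 'script-src', 'default-src']
    .find(d => policy.has(d));
  if (!name) return { blocked: false, reason: 'no directive governs scripts' };
  const sources = policy.get(name);
  if (!sources.includes("'unsafe-inline'")) {
    return { blocked: true, reason: `${name} lacks 'unsafe-inline'` };
  }
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
  const overriding = sources.find(s =>
    /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  if (overriding) {
    return { blocked: true, reason: `'unsafe-inline' ignored due to ${overriding}` };
  }
  return { blocked: false, reason: `${name} allows 'unsafe-inline'` };
}

// Constructed sample policies, not taken from the sites in the report.
const samples = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-r4nd0m'; object-src 'none'",
  "img-src *",
];
for (const csp of samples) {
  const v = inlineScriptVerdict(csp);
  console.log(`${v.blocked ? 'BLOCKED' : 'allowed'}  ${csp}  (${v.reason})`);
}
```

Paste the value of the site's `Content-Security-Policy` response header (from the browser's network panel) into `inlineScriptVerdict` to see whether a click snippet is expected to fail on Firefox for that site.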