chrome_cspmod

Does not work on all sites (possibly service-worker related?)

Open martixy opened this issue 5 years ago • 4 comments

I tried using the following rule:

    ["https://twitter\\.com", [
        ["script-src", "'unsafe-eval' 'self' 'unsafe-inline' https://*.twimg.com   https://www.google-analytics.com https://twitter.com  'nonce-YzFkN2FkNmYtOWExNC00MjZjLThlZDYtNGY0YjgyMTVjZWRh'"]
    ]]

This does not work. The only thing I can think of that might be an issue is the service worker Twitter is using. (P.S. I know extensions can mess with service worker responses, because the "Disable Content-Security-Policy" extension successfully removes all CSP; I just want to modify it, not remove it completely.)

Additionally this failed:

    ["https://bugs\\.chromium\\.org", [
        ["script-src", "'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD'"]
    ]]

Resulting in the following CSP:

    default-src https: ; 'unsafe-eval' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-lpaAxZpfH7mMm3JoGYMEL9sz0bRwwqhD' 'report-sample' 'unsafe-inline' 'strict-dynamic' https://monorail-prod-default-v050-dot-monorail-prod.appspot.com/static/dist/ 'self' 'nonce-6hfHjRMVPEZUBt0k5PTwgDjuLU5FqyYn'; child-src 'none'; frame-src accounts.google.com content-issuetracker.corp.googleapis.com login.corp.google.com up.corp.googleapis.com;img-src https: data: blob: ; style-src https: 'unsafe-inline'; object-src 'none'; base-uri 'none'; report-uri /csp.do

Notice that it is missing the script-src directive.

Also, we should be able to modify the policy, rather than completely replacing it. Notice the nonces in the 1st example: those are different on every page load. A simple regex search/replace should be enough. (Should I make this its own issue?)

Chrome: Version 80.0.3987.87 (Official Build) (64-bit)

martixy avatar Feb 10 '20 06:02 martixy

    ["https://twitter\\.com", [
        ["script-src", "'unsafe-eval' 'self' 'unsafe-inline' https://*.twimg.com   https://www.google-analytics.com https://twitter.com  'nonce-YzFkN2FkNmYtOWExNC00MjZjLThlZDYtNGY0YjgyMTVjZWRh'"]
    ]]

Did you mean to leave out script-src on the right side of ,?

Notice that it is missing the script-src directive.

Given

    ["<url-regexp>", [
        ["<pattern-regexp>", "<replacement-string>"]
    ]]

the extension will replace instances of <pattern-regexp> with <replacement-string>. If <pattern-regexp> can't be found, then this would have no effect.

If the original CSP is missing script-src, you'll need to find a different substring to use as <pattern-regexp> (or maybe try $ and see if it can append to the end of the CSP).

Rufflewind avatar Feb 17 '20 21:02 Rufflewind
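To make the rule semantics from the comment above concrete, and to show why the first post's rules lost the `script-src` directive name (and how the "modify, don't replace" point about per-load nonces plays out), here is an added illustration. It is not chrome_cspmod's own code: it models the described behaviour as "for a response URL matching `<url-regexp>`, replace every match of `<pattern-regexp>` in the CSP header with `<replacement-string>`". Global replacement, the use of `new RegExp` on both patterns, and the names `applyRules`, `parseCsp`, `SAMPLE_CSP` and the `*.test` URLs are all assumptions made for the example; the sample headers are constructed, shortened from the ones quoted in the issue.

```javascript
// Illustrative model of the rule semantics described in the comment
// (assumed, not chrome_cspmod's implementation): for a URL matching
// <url-regexp>, every match of <pattern-regexp> in the CSP header value is
// replaced by <replacement-string>. Global matching is an assumption.

const rules = [
  // Shape of the rule from the first post: the pattern "script-src" matches,
  // but the replacement omits the directive name, so the name is dropped and
  // the source list is left dangling after the previous ';'.
  ["https://bugs\\.chromium\\.org", [
    ["script-src", "'unsafe-eval' 'self'"]
  ]],
  // Corrected form: keep the directive name in the replacement. Everything
  // after it (including a per-load nonce) survives untouched.
  ["https://example\\.test", [            // hypothetical host
    ["script-src", "script-src 'unsafe-eval'"]
  ]],
  // Appending with the end-of-string anchor, as the comment suggests trying
  // when the original CSP has no script-src directive at all.
  ["https://append\\.test", [             // hypothetical host
    ["$", "; script-src 'self'"]
  ]]
];

// Constructed sample headers (shortened from the ones quoted in the issue).
const SAMPLE_CSP =
  "default-src https: ; script-src 'self' 'nonce-abc'; object-src 'none'";
const SAMPLE_CSP_NO_SCRIPT = "default-src https: ; object-src 'none'";

// Apply every matching rule's substitutions to a CSP header value.
function applyRules(url, csp, ruleSet) {
  let out = csp;
  for (const [urlPattern, subs] of ruleSet) {
    if (!new RegExp(urlPattern).test(url)) continue;
    for (const [pattern, replacement] of subs) {
      out = out.replace(new RegExp(pattern, "g"), replacement);
    }
  }
  return out;
}

// Parse a CSP header into directive name -> source list, so we can check
// whether a directive actually survived the rewrite. The first token of each
// ';'-separated part is the directive name; a part that starts with a source
// expression (e.g. "'unsafe-eval'") is therefore not a valid directive.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// Stand-alone demo.
for (const [url, csp] of [
  ["https://bugs.chromium.org/p/x", SAMPLE_CSP],
  ["https://example.test/", SAMPLE_CSP],
  ["https://append.test/", SAMPLE_CSP_NO_SCRIPT],
]) {
  const rewritten = applyRules(url, csp, rules);
  const scriptSrc = parseCsp(rewritten).get("script-src");
  console.log(url, "->", rewritten);
  console.log("  script-src:", scriptSrc ? scriptSrc.join(" ") : "(missing)");
}
```

Two things worth keeping in mind when writing such rules: the replacement must reproduce the directive name, or the browser sees a part that begins with a source expression and no `script-src` at all (exactly the symptom in the first post); and appending with `$` only helps when the directive is absent, because when a directive name appears twice in one policy the browser honours the first occurrence and ignores the later one.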

My misunderstanding of the syntax aside, it is a service-worker problem, as I've found in the meantime, but I suppose there is nothing you can do about it, apart from removing the service worker on every load to force a network request.

martixy avatar Feb 19 '20 18:02 martixy

… removing the service worker on every load to force a network request.

Yeah I think that is too invasive of a workaround :(

Rufflewind avatar Feb 27 '20 09:02 Rufflewind

Why is it not working on Twitter?

    [
        ["https://twitter\\.com", [
            ["connect-src", "connect-src data:"],
            ["script-src", "script-src 'unsafe-eval'"]
        ]]
    ]

Both of these failed:

  • fetch('data:text/plain;charset=UTF-8;base64,dGV4dA==').then(data => data.text()).then(console.log)

    Refused to connect to 'data:text/plain;charset=UTF-8;base64,dGV4dA==' because it violates the following Content Security Policy directive: "connect-src 'self' blob: https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api-stream.twitter.com https://ads-api.twitter.com https://aa.twitter.com https://caps.twitter.com https://pay.twitter.com https://sentry.io https://ton.twitter.com https://twitter.com https://upload.twitter.com https://www.google-analytics.com https://accounts.google.com/gsi/status https://accounts.google.com/gsi/log https://app.link https://api2.branch.io https://bnc.lt wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com".

  • eval("console.log('')");

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://*.twimg.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://client-api.arkoselabs.com/ https://www.google-analytics.com https://twitter.com https://app.link https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js 'nonce-ODRmZTY0ZDYtYzdmMS00Y2EzLWI5MWYtYmI4YjAwNzVmNDQ0'".

assiless avatar Feb 12 '23 19:02 assiless