
Content Security Policy issues in Safari

Open michaelmesser opened this issue 8 years ago • 31 comments

Github does not change theme when I load this script. I am using safari with tamper monkey.

michaelmesser avatar May 23 '16 19:05 michaelmesser

I don't own any Apple devices, so I can't check. Are you seeing any errors in the console?

Mottie avatar May 23 '16 19:05 Mottie

GitHub-Dark-Script:0 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets-cdn.github.com".

michaelmesser avatar May 23 '16 20:05 michaelmesser

Works fine with chrome tamper monkey

michaelmesser avatar May 23 '16 20:05 michaelmesser

Very odd, I'm not sure why Safari isn't behaving like Chrome. I haven't found any reports about this particular problem.

Please do me a favor and add the following line just below the other @connect line near the top of the userscript.

// @connect      raw.githubusercontent.com

The only domain that is accessed within the script is githubusercontent.com which already has a defined @connect. It doesn't include the raw subdomain, which really shouldn't make a difference, but it's worth trying.

Also, I don't think the @require definitions that load jQuery and a script from greasyfork should make a difference... I have been thinking about rewriting the script to use plain JS and not require jQuery, but I'm lacking the time and motivation. :smile_cat:

Mottie avatar May 23 '16 22:05 Mottie

No difference with @connect

On May 23, 2016, at 6:35 PM, Rob G [email protected] wrote:

// @connect raw.githubusercontent.com http://raw.githubusercontent.com/

michaelmesser avatar May 23 '16 22:05 michaelmesser

:disappointed: @silverwind would you please see if you can find the problem?

Mottie avatar May 23 '16 22:05 Mottie

Will check later.

silverwind avatar May 24 '16 03:05 silverwind

Pretty sure this is a Tampermonkey issue, filed https://github.com/Tampermonkey/tampermonkey/issues/296.

silverwind avatar May 24 '16 16:05 silverwind

Or maybe try NinjaKit?

Mottie avatar May 24 '16 16:05 Mottie

No luck with that either. On NinjaKit, it installs fine, but doesn't show any indicator that the script is active and nothing is logged on the console. The state of Safari extensions is a sad one.

silverwind avatar May 24 '16 16:05 silverwind

Have you heard anything about AdGuard? It looks like it supports adding userscripts (aka extensions) in Safari.

Mottie avatar Aug 03 '16 02:08 Mottie

Where does it say so? It looks like some kind of OS-level firewall thing to me, I'm not daring to install it. And it's not free.

silverwind avatar Aug 03 '16 05:08 silverwind

The good news is now MS Edge supports extensions... oh joy!

Mottie avatar Aug 05 '16 12:08 Mottie

Tampermonkey was just released for Edge today. So far no luck getting github-dark to run on it though.

xt0rted avatar Sep 15 '16 00:09 xt0rted

@xt0rted I think the problem has to do with GitHub's CSP.

Mottie avatar Sep 15 '16 16:09 Mottie

Check if there's a CSP violation in the console. If there is, chances are that either the Tampermonkey or Edge developers have to fix it.

silverwind avatar Sep 15 '16 17:09 silverwind

Yeah, that's what I was seeing...

HTML1300: Navigation occurred. GitHub-Dark
CSP14309: Unknown directive 'base-uri' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'block-all-mixed-content' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'child-src' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'form-action' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'frame-ancestors' in Content-Security-Policy - directive will be ignored.
CSP14309: Unknown directive 'plugin-types' in Content-Security-Policy - directive will be ignored.
CSP14312: Resource violated directive 'script-src assets-cdn.github.com' in Content-Security-Policy: inline script. Resource will be blocked.
HTML1512: Unmatched end tag. GitHub-Dark (1572,5)

Mottie avatar Sep 15 '16 18:09 Mottie

It's this one right here:

 CSP14312: Resource violated directive 'script-src assets-cdn.github.com' in Content-Security-Policy: inline script. Resource will be blocked.

silverwind avatar Sep 15 '16 18:09 silverwind

Here's a link: https://connect.microsoft.com/IE/feedback/details/2208881/csp-header-referrer-isnt-supported

Mottie avatar Sep 15 '16 18:09 Mottie

I'm seeing something similar in chrome (53.0.2785.143) on linux:

Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAIt0ABEAAAABQDwAAQABAAAAAAAAAAAAAAAAAAAAA…CwKGBmIIpVWLACJWGwAUVjI2KwAiNEswkKAwIrswsQAwIrsxEWAwIrWbIEKAZFUkSzCxAEAisA' because it violates the following Content Security Policy directive: "font-src assets-cdn.github.com".

I'm seeing about 45 of those in my dev tools console. This prevents Github Dark from functioning at all and started happening only yesterday (I think when I upgraded chrome).

chasingmaxwell avatar Oct 28 '16 13:10 chasingmaxwell
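The two console refusals quoted in this thread (the inline script blocked by `script-src assets-cdn.github.com`, and the `data:` font blocked by `font-src assets-cdn.github.com`) both come from the same CSP source-list matching. The following is an added example, not code from the GitHub-Dark project or from anyone in this thread: a small evaluator that parses a policy string and reports, for a given resource, whether the governing directive permits it. `SAMPLE_CSP` and `PAGE_ORIGIN` are constructed to resemble the directives quoted above and are not GitHub's real header; nonce and hash sources are deliberately left out.

```javascript
// Added example (not GitHub-Dark code): minimal CSP source-list evaluator.
// Reproduces the "Refused to execute inline script" and "Refused to load the
// font 'data:...'" refusals from this thread for a constructed sample policy.
// Not implemented: nonce-/hash- sources, which are how a site normally permits
// its own inline scripts without resorting to 'unsafe-inline'.

// Parse "dir src src; dir src" into Map<directive, string[]>.
// A repeated directive name is ignored after its first occurrence, as in the spec.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does a single source expression match a URL? pageOrigin resolves 'self'.
function matchesSource(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'" || s === "'unsafe-inline'" || s === "'unsafe-eval'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "*") return /^(https?|wss?):$/.test(url.protocol); // '*' never matches data:/blob:
  if (s.endsWith(":")) return url.protocol === s;                // scheme-source, e.g. "data:"
  // host-source: [scheme://]host[:port][/path]; port and path are ignored in this example
  const [schemePart, hostPart] = s.includes("://") ? s.split("://") : [null, s];
  if (schemePart && url.protocol !== schemePart + ":") return false;
  const host = hostPart.split("/")[0].split(":")[0];
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Fetch directives fall back to default-src; null means nothing restricts the load.
function governingSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// resource is { inline: true } or { url: "..." }. The message mirrors the
// wording of the browser console lines quoted in this thread.
function checkResource(policy, directive, resource, pageOrigin) {
  const sources = governingSources(policy, directive);
  if (sources === null) return { allowed: true, message: "no governing directive" };
  const shown = `${directive} ${sources.join(" ")}`;
  if (resource.inline) {
    const allowed = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
    const kind = directive === "style-src" ? "style" : "script";
    return { allowed, message: allowed ? "allowed"
      : `Refused to execute inline ${kind} because it violates the following Content Security Policy directive: "${shown}".` };
  }
  const url = new URL(resource.url);
  const allowed = sources.some((s) => matchesSource(s, url, pageOrigin));
  return { allowed, message: allowed ? "allowed"
    : `Refused to load '${resource.url}' because it violates the following Content Security Policy directive: "${shown}".` };
}

// Constructed sample values; not the real github.com response header.
const PAGE_ORIGIN = "https://github.com";
const SAMPLE_CSP = "default-src 'none'; script-src assets-cdn.github.com; " +
  "font-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com";

function demo() {
  const policy = parseCsp(SAMPLE_CSP);
  const cases = [
    ["script-src", { inline: true }],                                 // userscript's injected inline <script>
    ["font-src", { url: "data:font/woff;base64,AAAA" }],              // embedded WOFF font (constructed)
    ["script-src", { url: "https://assets-cdn.github.com/app.js" }],  // the site's own bundle
    ["img-src", { url: "https://example.org/x.png" }],                // no img-src: falls back to default-src 'none'
  ];
  return cases.map(([directive, resource]) => checkResource(policy, directive, resource, PAGE_ORIGIN));
}

for (const r of demo()) console.log(r.allowed ? "allowed" : "blocked", "-", r.message);
```

Run it with `node` and the first two cases print the same two refusals seen in the Safari, Edge and Chrome consoles above, while the CDN-hosted script passes. The point for the thread: the policy is doing exactly what it says, so the fix belongs in the user agent (exempting extension-injected code, as the CSP spec says it SHOULD) rather than in the userscript or in a loosened site policy.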

Check if the option to circumvent CSP is checked in Tampermonkey's option, and if it is, report it to Tampermonkey. I don't think there's anything we can do about these issues unfortunately.

silverwind avatar Oct 29 '16 10:10 silverwind

Has anyone found any workarounds to this issue? I love this theme and really want to use it with Safari :) great work to all those involved!

christoff-1992 avatar Feb 22 '17 13:02 christoff-1992

So, instead of making a new issue for Microsoft Edge, I should use this issue as the errors were the same. Any news on this?

skeith avatar Mar 18 '17 11:03 skeith

Not really, the bug is pretty much on Edge and Safari. Extension scripts should be made exempt from CSP, which is what Chrome and Firefox already implement.

For Safari, the bug should be https://bugs.webkit.org/show_bug.cgi?id=149000, I haven't found a corresponding Edge issue, maybe someone wants to file one.

silverwind avatar Mar 18 '17 12:03 silverwind

Tried to submit the bug on https://connect.microsoft.com/IE/feedback/LoadSubmitFeedbackForm, but it won't let me, presumably because I don't use Edge:

You are not authorized to submit the feedback for this connection.

So if someone is able to submit, please go ahead. The gist of this issue is that extensions should not be subject to a site's CSP and that Chrome and Firefox already do it that way. Maybe also link them to this issue.

silverwind avatar Mar 18 '17 13:03 silverwind

Oh, and it's even in the spec: https://w3c.github.io/webappsec-csp/#extensions

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets

silverwind avatar Mar 18 '17 14:03 silverwind

I was able to report from within a virtual machine:

https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11320214/

silverwind avatar Mar 18 '17 14:03 silverwind

I hear this has been fixed in a recent Edge version, which makes Safari the only browser to still block the script. Not much we can do, except watch https://bugs.webkit.org/show_bug.cgi?id=149000.

silverwind avatar Sep 02 '18 10:09 silverwind

@Mottie you can request a free developer/beta license on the AdGuard forums. Also, something else that allows JS injection at OS level is Fiddler.

Bluscream avatar Sep 02 '18 13:09 Bluscream

Also, why not have all deps locally? That way there will be no CSP violation.

Bluscream avatar Sep 02 '18 13:09 Bluscream