uc.css.js icon indicating copy to clipboard operation
uc.css.js copied to clipboard
verified publisher icon aminomancer

[BUG]Another script (tabThumbnailTooltip.uc.js) stopped working in Firefox nightly 136 due to recent changes in Content Security Policy.

Open kaos-55 opened this issue 11 months ago • 15 comments

Link to the file containing the bug https://github.com/aminomancer/uc.css.js/blob/master/JS/tabThumbnailTooltip.uc.js

Describe the bug Annoying again, but another one of the scripts I use has stopped working due to the changes implemented in Nightly 136 regarding the Content Security Policy.

To Reproduce Steps to reproduce the behavior:

  1. Install Firefox nightly 136a1
  2. Install tabThumbnailTooltip.uc.js
  3. The tab thumbnail does not appear

Expected behavior The tab thumbnail appears when installing the script.

Screenshots This is what the browser console displays Image

Desktop (please complete the following information):

  • OS: Winwdos 10
  • Firefox update channel: Nightly
  • Version: 136.a.1
  • Build ID: 20250118

Additional context It seems that the problem is in line 98 of the script due to a csp violation which blocks the event handlers. Reading in the documentation I found that to avoid that violation you must replace the inline event handlers with addEventListener calls, I tried to fix it by rewriting the line with addEventListener but it didn't work, I don't know how to call MozXULElement.parseXULToFragment with addEventListener and then add it to the DOM using appendChild.

kaos-55 avatar Jan 18 '25 17:01 kaos-55

After trying a little bit I think I misunderstood and apparently you need to first create the function, in this case MozXULElement.parseXULToFragment and then add it to the DOM, then call that function with addEventListener. However, I have no idea how to create the new function and even less how to call it with addEventListener.😔

kaos-55 avatar Feb 26 '25 18:02 kaos-55

This issue seems to have spread to ALL scripts.

Image

LakesideMiners avatar Apr 06 '25 15:04 LakesideMiners

Those are two separate issues. The first is CSP blocking inline script attributes like <button onclick='doSomething(this)'/>, the second is CSP blocking eval() which breaks many script functions. For the first issue, we can just use javascript proper (like button.addEventListener(...)) and for the second, see this bug. It may take a while for this to be fixed, though. I'm looking for a workaround.

aminomancer avatar Apr 07 '25 03:04 aminomancer

This issue seems to have spread to ALL scripts.

Image

This should be fixed in the near future, at which point there may be a pref you need to add to enable unsafe-eval in the chrome. But for now, there's a way to restore the old CSP.

  1. Go to your Firefox install folder
  2. Find the browser folder in there
  3. There should be an omni.ja file. Open it in 7-zip file manager
  4. In there, navigate to chrome\browser\content\browser\
  5. Drag the browser.xhtml file from there to your own profile's chrome folder. If you have any of my stuff installed, you should have a chrome/resources/script-override folder. That's where I put it.
  6. Open chrome/utils/chrome.manifest, or wherever your file manifest is. If you don't have one, either get a script manager that has one, like fx-autoconfig, or make one in your profile folder and register it with the config.js file in your Firefox install folder (see fx-autoconfig install instructions).
  7. Add this line somewhere in your manifest: override chrome://browser/content/browser.xhtml ../resources/script-override/browser.xhtml (the second argument should be the relative path to wherever you put browser.xhtml in step 5)
  8. Open browser.xhtml in a text/code editor, find this line and delete it.
  9. Quit Firefox, clear your startup cache folder (in your local profile directory, it can be found through about:profiles), and relaunch Firefox. Things should be working again now.

aminomancer avatar Apr 07 '25 05:04 aminomancer

yah sorry about that, ment to say it looked like it just, got rid of all the fx-autoconfig stuff from the folders. attempting above fix now

LakesideMiners avatar Apr 07 '25 19:04 LakesideMiners

Still geting the same errors, I have attached a log file below and can provide any other files needed for debugging. the tabBrowser error occurs after resizing the window console-export-2025-4-7_16-35-44.txt

LakesideMiners avatar Apr 07 '25 20:04 LakesideMiners

Maybe you didn't do the steps properly. The above steps remove the chrome doc's CSP completely so it's impossible for it to block eval. What version are you on?

aminomancer avatar Apr 10 '25 22:04 aminomancer

Oh wait, I forgot to include a step. Sorry.

After step 7, open browser.xhtml in a text/code editor, find this line and delete it. Then do the last step.

aminomancer avatar Apr 10 '25 22:04 aminomancer

I am unable to find that line in the file. Version i am on is 139.0a1

Image

LakesideMiners avatar Apr 11 '25 19:04 LakesideMiners

Okay, I only support Nightly FYI. The readme is pretty clear on that. But deleting the meta line in your file should work fine in this case.

aminomancer avatar Apr 11 '25 23:04 aminomancer

This, is nightly. https://www.mozilla.org/en-US/firefox/139.0a1/releasenotes/

I'l try doing that tomorrow morning and will report back

LakesideMiners avatar Apr 12 '25 03:04 LakesideMiners

alright, I have done a clean reinstall of Firefox Nightly, and then attempted setup again while doing the mentioned steps above in which again only the one meta line showed up hitting enter while in the URL bar, does nothing, it won't open the URL typed into it. using alt+enter or ctrl+enter still works. Browser logs are attached

console-export-2025-4-12_15-50-42.txt

userchrome manager also shows up errors when picked from the hamburger menu or via the URL bar and just displays a grey blank page

console-export-2025-4-12_15-56-18.txt

LakesideMiners avatar Apr 12 '25 19:04 LakesideMiners

The CSP (the meta line) is different when you're not using Nightly, but deleting it should solve the problem you originally reported (scripts' eval calls being blocked by CSP). That doesn't mean you don't have other additional problems.

hitting enter while in the URL bar, does nothing, it won't open the URL typed into it. using alt+enter or ctrl+enter still works.

From your log, I'd assume that's caused by enterInUrlbarToRefresh.uc.js. I can't easily fix it right now, but I can see a few things that need to be updated. Fixing this may not fix the script, as there might be other issues I can't determine just by looking at it. But basically it's now referencing UrlbarPrefs and UrlbarUtils from a lazy getter rather than from the global scope. No matter. You can just write lazy = this; above line 24 of the script.

Most of the other errors are code issues that required an update, and I fixed them on my desktop but didn't get around to pushing them. Then my desktop broke this week. So pushing the fixes is delayed until I get my new desktop that can restore the data.

aminomancer avatar Apr 13 '25 18:04 aminomancer

I am on nightly, I only have Nightly installed. I have no idea why the line is not showing up. https://xbb.cyberslums.com/ZuWa4/lOBuMopu18.png

The lazy = this; did fix the URL bar issues though.

Wish you luck with your desktop, I know how hard that can suck.

LakesideMiners avatar Apr 13 '25 20:04 LakesideMiners

This should now be fixed by using security.allow_unsafe_dangerous_privileged_evil_eval = true.

aminomancer avatar May 11 '25 11:05 aminomancer