external-application-button icon indicating copy to clipboard operation
external-application-button copied to clipboard
verified publisher icon andy-portmen

Refused to execute inline script because it violates the following Content Security Policy directive

Open mat926 opened this issue 1 year ago • 4 comments

Hello, I get this error when trying to run the command on some sites like Github

VM326:4 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src github.githubassets.com". Either the 'unsafe-inline' keyword, a hash ('sha256-KIgcpH7gqwIKxznM7U5KZRvHsdti6BUhgTYeMgpZXjU='), or a nonce ('nonce-...') is required to enable inline execution.

Can this be worked around?

mat926 avatar Apr 24 '24 18:04 mat926

Is this on Firefox? Unless there's an extension that can bypass the CSP restriction, I don't see a way around it.

andy-portmen avatar Apr 30 '24 08:04 andy-portmen

This is on Brave

mat926 avatar May 05 '24 20:05 mat926

I couldn't find a way to execute user-defined pre/post scripts on a page with CSP restrictions. Google has limited dynamic script injection on manifest v3 to protect users. One workaround is to use the "CORS Unblock" extension, temporarily enabling the "Remove Content-Security-policy Headers" option, and refreshing the page. However, this approach is not advisable.

andy-portmen avatar May 06 '24 05:05 andy-portmen

I'll keep this open for suggestions.

andy-portmen avatar May 06 '24 05:05 andy-portmen