
[Firefox] seems specially crafted CSP rules make Tampermonkey scripts fail to run #418

Closed
rand256 opened this issue Jul 18, 2017 · 34 comments
Comments

@rand256

rand256 commented Jul 18, 2017

I've found a site where the simplest script just completely fails to run.

Example userscript:

```javascript
// ==UserScript==
// @name         godvillegame
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  try to take over the world!
// @author       You
// @match        https://godvillegame.com/
// @grant        none
// ==/UserScript==

(function() {
    'use strict';
    // Your code here...
    console.log('asdf');
})();
```

Here's what is written to the browser console log:

> Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified  (unknown)
> Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.  (unknown)
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' 'unsafe-inline' https://godvillegame.com 'sha256-gfxb2zFv/yoINJHakyev+mQ0L6bEJ2nYlyoGOsl0GF4=' 'sha256-hzbYwosVtrs+58f6nBH0OWtcXDMPRup0StaR4boJv84=' 'sha256-9WMiX3LBTYJXnZojDLczdoRQ7wLa7WNnGHrRCxWFXcQ=' 'sha256-xja5o6I4Fp5n1IA4D2R4iG/HgUK4unuqkP/49L2c7IM=' http://ajax.aspnetcdn.com https://ajax.aspnetcdn.com https://www.google.com https://www.gstatic.com http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com http://connect.facebook.net https://connect.facebook.net https://graph.facebook.com”). Source: (function(a,r,n,G){var c={safeWindow:{},.... godvillegame.com:1
> content: normal start event processing for 10cd3590-d37d-4cf8-b88c-dda0404fbce6 (1 to run)  content.js:26:193
> content: Start ENV normally 10cd3590-d37d-4cf8-b88c-dda0404fbce6   content.js:12:441
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' 'unsafe-inline' https://godvillegame.com 'sha256-gfxb2zFv/yoINJHakyev+mQ0L6bEJ2nYlyoGOsl0GF4=' 'sha256-hzbYwosVtrs+58f6nBH0OWtcXDMPRup0StaR4boJv84=' 'sha256-9WMiX3LBTYJXnZojDLczdoRQ7wLa7WNnGHrRCxWFXcQ=' 'sha256-xja5o6I4Fp5n1IA4D2R4iG/HgUK4unuqkP/49L2c7IM=' http://ajax.aspnetcdn.com https://ajax.aspnetcdn.com https://www.google.com https://www.gstatic.com http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com http://connect.facebook.net https://connect.facebook.net https://graph.facebook.com”). Source: onfocusin attribute on DIV element.  godvillegame.com
> content: detected DOMContentLoaded 10cd3590-d37d-4cf8-b88c-dda0404fbce6   content.js:10:46
> Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'unsafe-eval' 'unsafe-inline' https://godvillegame.com 'sha256-gfxb2zFv/yoINJHakyev+mQ0L6bEJ2nYlyoGOsl0GF4=' 'sha256-hzbYwosVtrs+58f6nBH0OWtcXDMPRup0StaR4boJv84=' 'sha256-9WMiX3LBTYJXnZojDLczdoRQ7wLa7WNnGHrRCxWFXcQ=' 'sha256-xja5o6I4Fp5n1IA4D2R4iG/HgUK4unuqkP/49L2c7IM=' http://ajax.aspnetcdn.com https://ajax.aspnetcdn.com https://www.google.com https://www.gstatic.com http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com http://connect.facebook.net https://connect.facebook.net https://graph.facebook.com”). Source: if (!window.c_loaded){ window.c_load....  godvillegame.com:161

All addon settings are at defaults (except debug level).
Any ideas how to fix it?

@derjanb

derjanb commented Jul 18, 2017

Normally a page's CSP should not interfere with extensions, but that's the case in Firefox. That's why TM needs to work around this, and unfortunately there is a bug. 🙄😁

Will be fixed at the next beta version at the development channel.

@Tanookirby

I have tested a script on the beta version on both Firefox and Chrome. It is called Autopagerize, and there are certain sites that won't work on it even on beta.

The script: https://greasyfork.org/en/scripts/28887-autopagerize-modified-by-blademight

Sample site: http://esoaparte.com/paella_01.html

@derjanb

derjanb commented Aug 16, 2017

@Tanookirby I'm sorry, but your issue is not related to CSP; it's a script issue. It's not even working with Greasemonkey at the mentioned page.
Please ask the script author for a fix.

@Tanookirby

The author has fixed the issue. There is, however, another issue with sites such as https://addons.mozilla.org/en-US/firefox/extensions/?sort=hotness . In Firefox, the Autopagerize script will work on Greasemonkey but not on Tampermonkey. Because I thought this would be a CSP issue, I tested it with Tampermonkey Beta, which was said to solve the problem; and it still won't work.

@tophf

tophf commented Aug 17, 2017

@Tanookirby, WebExtensions can't run on AMO, the browser explicitly forbids that. Just like Chrome with its own web store.

@Lartza

Lartza commented Aug 20, 2017

Firefox 57.0a1, Tampermonkey 4.4.5533beta and AAK-Cont (uBlock Origin version) cause Nextcloud to be unable to load its scripts.
Content Security Policy: The page’s settings blocked the loading of a resource at https://sub.domain.com/core/vendor/core.js?v=9b6cd8b2827567b5f7aedce892bbb054-10 (“script-src 'unsafe-inline' 'unsafe-eval'”).
Disabling AAK-Cont in Tampermonkey or disabling "Add Tampermonkey to the site's content security policy (CSP) if there is one" fixes script loading in NC.

@derjanb

derjanb commented Aug 21, 2017

@Lartza Fixed. Please check the latest version from the development channel.

@Lartza

Lartza commented Aug 21, 2017

@derjanb Can confirm 4.4.5546beta fixes the issue :) Thank you

@Eeems

Eeems commented Sep 1, 2017

I'm on the latest version in the development channel and I'm getting CSP errors. I'm running Firefox Nightly build 57.0a1 (2017-09-01) (64-bit).
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://vandiepen.ca 'unsafe-eval' 'nonce-NTlhOTg1MGZkNzc2NA=='”). Source: (function(a,q,n,A){var c={safeWindow:{},....
Could it be due to the nonce?
I don't currently have the site live to give you a proper test case, but if it's required I can do so.

@derjanb

derjanb commented Sep 1, 2017

@Eeems Hi, this is due to a known bug in Firefox. However, it should not break anything. If this log message bothers you, you can set "Config mode" to "Advanced" and then "Inject Mode" to "Instant" to work around this issue.

@fireattack

@derjanb it does break some scripts, not just logs. For example:

  1. Install this userscript: https://greasyfork.org/en/scripts/30358-itunes-cover-caption-image-links/code
  2. Open https://itunes.apple.com/us/album/reputation/1274999981

This script is supposed to add a link on "x songs" that leads to the large-size cover art:


It doesn't work in Firefox unless I change to instant inject mode.

@derjanb derjanb reopened this Nov 30, 2017
@derjanb derjanb modified the milestones: 4.4, 4.5 Nov 30, 2017
@derjanb

derjanb commented Dec 1, 2017

Fixed at the most recent beta version: 4.5.5637beta

@derjanb derjanb removed this from the 4.5 milestone Jan 3, 2018
@derjanb derjanb added this to the 4.6 milestone Jan 3, 2018
@fireattack

fireattack commented Feb 5, 2018

I think it may already be known to you, but I still encounter the CSP problem on Firefox occasionally on beta 4.6.5694.

The script is this one I wrote myself: https://github.com/fireattack/scripts/blob/master/itunes_cover_art_click_to_show_original.user.js

Test page: https://itunes.apple.com/jp/album/the-idolm-ster-live-the-ter-performance-01-single/1125337612

Warnings from console:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: call to eval() or related function blocked by CSP. 1125337612:11
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: window["__u__1935881.4830085929"] = func.... 1125337612:1

Edit: manually changing to "instant" inject mode can fix it. So basically the status is as I mentioned before at #418 (comment)

@fireattack

On a side note, I sometimes can even reproduce this bug on Chrome (albeit ver. 4.5):


But normally refreshing the page fixes it (unlike Firefox, which consistently errors). I have no idea why, though.

@derjanb

derjanb commented Feb 5, 2018

Hi, the fix for this issue broke many pages. Therefore it's now an experimental config option until the used Firefox API becomes stable.

Please set "Config Mode" to "Advanced" and scroll down to the "Experimental" section and now please change "Add Tampermonkey to the sites content CSP" to "Yes".
This should fix at least the Firefox issue, but as I said, depending on your Firefox version, it might also break some pages.

@raszpl

raszpl commented Apr 2, 2018

Chrome (Vivaldi), Tampermonkey 4.5 (also beta 4.6.5752), "Add Tampermonkey to the sites content CSP" set to "Yes".
https://www.hltv.org/blog/13538/cheating-on-professional-level-of-csgo
https://github.com/elundmark/Convert-Youtube-Embeds-to-Image-Links-UserScript
My script does `document.location.replace("data:text/html;utf8,"+encodeURIComponent(iframeHtml));`

Refused to frame 'data:text/html;utf8,%3C!DOCTYPE%20html%3E%3Chtml%20style%3D'margin%3A0!important%3Bpadding%3A0!important%3Boverflow%3Ahidden!important%3B'%3E%3Chead%3E%3Cmeta%20charset%3D'utf-8'%3E%3Cmeta%20name%3D'viewport'%20content%3D'width%3Ddevice-width%2C%20initial-scale%3D1'%3E%3Ctitle%3EPrOverwatch%20%23002%3A%20shox%20-%20YouTube%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%20style%3D'margin%3A0!important%3Bpadding%3A0!important%3Bbackground%3A%23FFF%3Boverflow%3Ahidden!important%3B'%3E%3Ca%20href%3D%22magnet3%3Ahttps%3A%2F...e-space%3Anowrap!important%3Btext-overflow%3Aellipsis!important%3Bborder-bottom%3A1px%20solid%20%23000000!important%3B%22%3E%3Cem%20style%3D%22font-style%3A%20normal%20!important%3B%20color%3A%20rgba(255%2C%20255%2C%20255%2C%200.8)%20!important%3B%22%3E2%3A07%20%20%3C%2Fem%3EPrOverwatch%20%23002%3A%20shox%3Cem%20style%3D%22font-style%3A%20normal%20!important%3B%20color%3A%20rgba(255%2C%20255%2C%20255%2C%200.8)%20!important%3B%22%3E%20-%20140%20views%3C%2Fem%3E%3C%2Fa%3E%3C%2Fa%3E%3C%2Fbody%3E%3C%2Fhtml%3E' because it violates the following Content Security Policy directive: "frame-src *".

EDIT: never mind, read some more and CSP is a mess. I just switched from injecting DATA: blob to modifying iframe directly :/

```javascript
var doc = document.getElementsByTagName('html')[0];
doc.getElementsByTagName('head')[0].innerHTML = "<title>Example</title>";
doc.getElementsByTagName('body')[0].innerHTML = "<p>This is an example.</p>";
```

@mikhoul

mikhoul commented May 9, 2018

@derjanb Just a quick question: I'm new with TM. I was using GM with Firefox but I'm migrating to Chromium, and I'd like to know what the most efficient setting for Chrome/Chromium is for the CSP?


My understanding is that with the security setting set to yes, TM injects headers to allow userscripts on pages like github.com, since Firefox doesn't respect the standard for CSP and scripts. If my understanding is fine, this setting is mainly for Firefox, and Chrome/Chromium users should set it to "NO" to diminish the useless overhead of adding/injecting headers to allow userscripts with Chromium.

Could you confirm or infirm my assumptions?

One more extra question: if I import my userscripts with a zip file, will my settings in userscripts that use the DB be imported too?

Like here, I have a lot of sites saved over the years in my userscripts:


Regards :octocat:

@Hapstyx

Hapstyx commented Jun 1, 2018

For some reason disabling uBlock Origin on the page seems to be a workaround, at least it solves this issue for me, even when using Tampermonkey's default settings (Windows 7 64bit, Firefox 60.0.1, Tampermonkey v4.6.5757).

@derjanb

derjanb commented Jun 4, 2018

> My understanding is that with the security setting set to yes, TM injects headers to allow userscripts on pages like github.com, since Firefox doesn't respect the standard for CSP and scripts. If my understanding is fine, this setting is mainly for Firefox, and Chrome/Chromium users should set it to "NO" to diminish the useless overhead of adding/injecting headers to allow userscripts with Chromium.

@mikhoul Even if scripts at Chrome should work with this option set to "No" it's better to keep it on, because it simplifies the script injection.

> If I import my userscripts with a zip file, will my settings in userscripts that use the DB be imported too?

If the zip was created by Tampermonkey: yes.

@derjanb

derjanb commented Jun 4, 2018

> For some reason disabling uBlock Origin on the page seems to be a workaround, at least it solves this issue for me, even when using Tampermonkey's default settings (Windows 7 64bit, Firefox 60.0.1, Tampermonkey v4.6.5757

@Hapstyx Edit: nevermind, I can reproduce this now.

@Hapstyx

Hapstyx commented Jun 4, 2018

@derjanb I use the default configuration and filters, though it seems to be caused by EasyList and not uBlock filters. Also works on Ubuntu 18.04 and Debian stretch with both Firefox Nightly and Firefox Developer Edition.

@derjanb derjanb modified the milestones: 4.6, 4.7 Jun 5, 2018
@one-github

Is there an unstable version for Safari as well? I use 4.6.5757 on Safari and also (still?) have this issue... I cannot seem to find the configuration option "Add Tampermonkey to the sites content CSP".

@derjanb

derjanb commented Jun 7, 2018

@one-github Safari does not support web request modification which is required to modify the CSP. :(

@one-github

@derjanb Does this mean this issue will not be solvable for Safari?

@derjanb derjanb changed the title [firefox] seems specially crafted CSP rules make tempermonkey scripts fail to run [Firefox] seems specially crafted CSP rules make Tampermonkey scripts fail to run Jun 7, 2018
@derjanb

derjanb commented Jun 7, 2018

@one-github Please see #296

@derjanb

derjanb commented Jun 7, 2018

> For some reason disabling uBlock Origin on the page seems to be a workaround

@Hapstyx Should be fixed at TM BETA 4.7.5788 (http://tampermonkey.net/index.php?browser=firefox)

@jsamr

jsamr commented Aug 26, 2018

@derjanb
A folk on this bugzilla ticket suggested using the contentScripts API to bypass this restriction.

> Can't you use the contentScripts API¹?
> ¹ https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts

@derjanb

derjanb commented Sep 5, 2018

> A folk on this bugzilla ticket suggested using the contentScripts API to bypass this restriction.

That wouldn't help. Maybe bugzilla ticket 1353468 will be a solution.

@derjanb derjanb closed this as completed Sep 5, 2018
@Arthaey

Arthaey commented Oct 25, 2019

So 1353468 was marked as a dupe of Bugzilla ticket 1437098, which looks done or nearly so!

It looks like we should be able to use the new userScripts API: overview and example docs are available. (Verify in about:config that extensions.webextensions.userScripts.enabled is true.)

My Tampermonkey userscripts keep breaking because of CSP errors, so it would be awesome if it could move to the userScripts API. :)

@satnatantas

satnatantas commented Feb 4, 2020

@Arthaey "Closing as resolved-fixed, because as mentioned in comment 29 the API has been already enabled by default" - am I right that Tampermonkey now needs to use that API? Asking because I am still getting CSP errors.

@alexolog

I am getting CSP errors as well, and scripts fail.

@dlenski

dlenski commented Jun 11, 2020

@alexolog, I had to update from 4.10.6105 to 4.11.6114 and then completely clear the Firefox cache in order to fix an issue with userscripts not running on CSP-secured pages.

https://www.tampermonkey.net/changelog.php?version=4.11.6114&ext=fire&updated=true&old=4.10.6105&intr=true


@alexolog

Clearing the cache seems to have been the missing ingredient.
