
chrome-csp-disable's Introduction

Disable Content-Security-Policy (CSP) in Chromium browsers for web application testing.

Use this only as a last resort. Disabling CSP means disabling features designed to protect you from cross-site scripting. Prefer to use report-uri, which instructs the browser to send CSP violations to a URI. That allows you to keep CSP enabled in your browser but still know what got blocked. https://report-uri.com is a free tool that gives you a web interface to inspect CSP violations on your site.
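As an added example (not part of the chrome-csp-disable project), the following JavaScript shows the approach the README recommends instead of disabling CSP: leave the policy in place and add a reporting directive so that blocked loads turn up as violation reports rather than being silently lost. `addReportDirective` appends `report-uri` to an existing header value when it is absent, and `summarizeViolation` pulls the fields a tester cares about out of the JSON body (`csp-report`) the browser POSTs to the report endpoint. The policy string, report endpoint and report body are constructed sample data, not from any real site.

```javascript
// Added example; not code from chrome-csp-disable.
// Keep CSP enforced and make blocked loads visible through report-uri.

// Parse a CSP header value into a Map of directive name -> array of source values.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (!part) continue; // tolerate a trailing ';'
    const [name, ...values] = part.split(/\s+/);
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Serialize a directive Map back to header syntax, preserving directive order.
function serializePolicy(directives) {
  return [...directives.entries()]
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');
}

// Add a report-uri directive (if absent) so violations are POSTed to reportUrl.
// An existing report-uri is left untouched: the site owner's endpoint wins.
function addReportDirective(headerValue, reportUrl) {
  const directives = parsePolicy(headerValue);
  if (!directives.has('report-uri')) {
    directives.set('report-uri', [reportUrl]);
  }
  return serializePolicy(directives);
}

// Summarize a CSP violation report body (the "csp-report" JSON the browser sends).
function summarizeViolation(reportJson) {
  const r = JSON.parse(reportJson)['csp-report'];
  if (!r) throw new Error('not a csp-report body');
  // Newer browsers include effective-directive; fall back to violated-directive.
  const directive = r['effective-directive'] || r['violated-directive'];
  const blocked = r['blocked-uri'];
  return {
    page: r['document-uri'],
    directive,
    blocked,
    // Inline script/style and eval violations report "inline"/"eval" instead of a URL.
    inline: blocked === 'inline' || blocked === 'eval',
    line: r['line-number'],
  };
}

// Constructed sample: a typical policy and the report a browser would send
// after blocking an inline event handler on that page.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.test; frame-ancestors 'none'";
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example.test/page',
    'violated-directive': "script-src 'self' https://cdn.example.test",
    'effective-directive': 'script-src',
    'original-policy': SAMPLE_POLICY,
    'blocked-uri': 'inline',
    'line-number': 42,
    'status-code': 200,
  },
});

console.log(addReportDirective(SAMPLE_POLICY, 'https://collector.example.test/csp'));
console.log(summarizeViolation(SAMPLE_REPORT));
```

A reporting directive only adds visibility; the policy still blocks. To observe violations without blocking anything, send the same policy in a `Content-Security-Policy-Report-Only` header instead, and note that `report-to` (with a `Reporting-Endpoints` header) is the newer replacement for `report-uri`, which browsers still honour.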

Licensed under https://unlicense.org/.

Contributors

denisgorbachev, kant, philgrayson


chrome-csp-disable's Issues

Chrome seems to avoid overloading frame-ancestors

If the target page has:
Content-Security-Policy: frame-ancestors 'none';
chrome-csp-disable is unable to disable CSP. I have done some tests: it's OK on Firefox, but doesn't work on any WebKit-based browser; tested in Opera, Chromium and Chrome.

I have prepared my own domain for this test: https://jsfiddle.net/sombra2eternity/dtfL80am/
You will be unable to load this iframe on Chrome. I haven't found any documentation describing this behaviour though :/

Doesn't work in Chrome 67.0.3396.87

I downloaded your extension and installed it, and it worked properly in Chrome 63.0.3239.132, but now that I have updated to Chrome 67.0.3396.87, it doesn't work.

I opened developer tools and I see the security policy header present there, and it also doesn't allow me to execute inline events anymore.

Can you please take a look and confirm the issue, and let me know if I can somehow help on resolving it. Thanks.

How to deal with web.whatsapp.com: CSP does not work

I tried to copy the background.js code into my Chrome extension,

but it seems it doesn't work on web.whatsapp.com.

Is the tab.id a must?

Does the plugin work in Chrome 49?

I am using Version 49.0.2623.112 m. If I try to access the contentDocument property of an iframe element where the iframe's current location is on another server, I am getting:

Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://localhost:51904" from accessing a frame with origin "http://10.200.200.211". Protocols, domains, and ports must match.

I have toggled the button in the add-on bar so it has had both appearances while doing this.

Did I misunderstand the functionality of the plugin, or is it not keeping up with newer browsers?

CSP Errors with redirects

I get this error when a script is redirected to a different site using a redirector extension (switcharoo):
Refused to load the script ... because it violates the following Content Security Policy directive: "script-src 'self' ... https: 'unsafe-inline' 'unsafe-eval'".

Everything is over https; the redirected site is on http.
The failing site has an intense CSP policy in a Content-Security-Policy meta tag.
I do these kinds of redirection all the time with many other https sites without any CSP errors using your extension.

Does not work on Google Chrome in Ubuntu

I activated the plugin but I keep getting policy errors (Refused to connect to...). The policy is set via the response header; I want to disable the policy.

Wrong boolean in if statement

At line 4 in background.js, shouldn't the statement

if(!isCSPDisabled)

be replaced with the following statement?

if(isCSPDisabled)

I tried your script and it doesn't disable CSP. But, when I changed !isCSPDisabled to isCSPDisabled it works properly. It seems that you're returning from the function if CSP is not disabled, which doesn't make any sense.

The extension is turned on by default

I've installed the plugin and it turns out by default it will disable the content-security-policy on my sites. Could it be made so that the default behavior is to do nothing so the browser defaults are intact? Now I have to disable the extension when I'm finished doing my stuff.

Or add the 'whitelist' as mentioned in #4

Remember csp disabled status by domain name list

After CSP is disabled for a website, it is often forgotten to click to disable CSP again when the site is opened the next time. It needs to be disabled again and the page refreshed. I hope to support setting a domain name memory list, so that the websites in the list are automatically disabled.

Doesn't work on certain sites/configurations, with scripts at least.

I first noticed this with my own website, but there I was able to temporarily remove the headers. However I've also recently discovered this on Flickr.

Refused to load the script 'https://www.ssa.gov/accessibility/andi/andi.js' because it violates the following Content Security Policy directive: "script-src https://securepubads.g.doubleclick.net https://adservice.google.com https://cdn.ampproject.org https://*.google.com https://*.google-analytics.com https://*.googleadservices.com https://*.doubleclick.com https://*.doubleclick.de https://*.doubleclick.net https://*.googletagservices.com https://*.googleadservices.com https://*.googlesyndication.com https://*.googleapis.com https://www.googletagmanager.com https://*.infolinks.com https://ads.pubmatic.com https://static.criteo.net https://hb.yellowblue.io https://cs.yellowblue.io https://cdn.jsdelivr.net https://shb.richaudience.com https://sync.richaudience.com/ https://prebid.a-mo.net https://ad.360yield.com https://ad.360yield-basic.com https://pbs.360yield.com https://hb.360yield.com https://player.ex.co https://channelexco.com/ https://*.connatix.com https://adserver.adtech.advertising.com 'unsafe-eval' 'unsafe-inline' 'nonce-58906aa79619ca6e43446fd2554ad394' https://flickr.com https://*.flickr.com https://*.staticflickr.com https://js.stripe.com https://boards.greenhouse.io https://*.trustarc.com https://trustarc.mgr.consensu.org https://cdn.siftscience.com https://assets.pinterest.com https://browser.sentry-cdn.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

refreshing the tab sometimes breaks the addon

Reloading the tab re-enables CSP and I need to re-enable the addon manually.

Rarely this doesn't happen though and CSP stays disabled.

Edit: I'm testing this on editor.construct.net btw. I'm guessing its service worker is messing with the addon
