Content Security Policy: If set, cannot load script from bookmarklet. Is a browser extension granted clearance?

StackOverflow https://stackoverflow.com/questions/17335380

Question

I'm working on browser automation tools (working at the JS level). It's pretty clear that loading external script can be considered an XSS attack. A few months ago I was able to run my scripts on Github.com so long as I served my js resources over HTTPS.

But this is no longer the case, i.e. Github has implemented an elegant standards-compliant barrier to this:

[screenshot]

This is a great step forward I think: we can specify to the clients that we want them to put a more secure perimeter around our site's sandbox.

On the other hand it is making the options more limited on mobile platforms, though that's not entirely true because it's entirely possible to produce a standalone browser app which has these extension features built-in. Not exactly gonna be easy to accomplish compared to a browser extension, though.

Is it still possible to work around this with a (codesigned and reviewed) browser extension? What sort of user experience impact might this have? My hope is that it will be possible to set this up so that end-users only have to go through a short one-time setup. It's apparent to me that at least Google is making it so that extensions published through their portal are distributed at least "reasonably" securely, and I imagine Apple (and eventually Microsoft) would be following suit for Safari and IE. I am only interested in Chrome and Safari for now (primarily Chrome).

If it turns out that somehow even extensions are subject to the content security policy, how might I write an extension that can reliably manipulate a page for me? I'm fairly sure this can't be the case as it would be the death of something like Tampermonkey.
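An added example, not from the question or either answer, of the decision the browser makes in the screenshot above: a simplified `script-src` check in JavaScript that shows why an external bookmarklet script, even one served over HTTPS, is blocked unless its origin is listed. The policy string and all URLs are constructed for illustration (not GitHub's real header), and nonces, hashes and `'unsafe-inline'` are out of scope.

```javascript
// Constructed policy, not GitHub's actual header: scripts only from the page's
// own origin and one named CDN host; everything else defaults to 'none'.
const SAMPLE_POLICY =
  "default-src 'none'; script-src 'self' https://assets.example-cdn.com; " +
  "style-src 'self' https://assets.example-cdn.com; img-src 'self' https:";

// Parse "directive src1 src2; directive2 ..." into { directive: [sources] }.
// The first occurrence of a directive wins, as in the CSP spec.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Does one source expression ('none', 'self', a scheme, or a host) match url?
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme source, e.g. https:
  // Host source: optional scheme, optional "*." prefix, optional port; the path part is ignored.
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && urlPort !== port) return false;
  if (wild) return url.hostname.endsWith("." + host);
  return url.hostname === host;
}

// Would <script src=scriptUrl> be allowed on a page at pageOrigin under policy?
// script-src falls back to default-src; with neither present, everything is allowed.
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const d = parsePolicy(policy);
  const sources = d["script-src"] ?? d["default-src"] ?? ["*"];
  const url = new URL(scriptUrl);
  return sources.some(s => s === "*" || sourceMatches(s, url, pageOrigin));
}
```

A bookmarklet that injects `<script src="https://my-automation.example.net/run.js">` into a page served with `SAMPLE_POLICY` is refused because neither `https:` as a scheme nor that host appears in `script-src`; an extension's own content scripts are governed by the extension's policy, not the page's.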


Solution

Oh I just needed to read a little further (oh Github, you're awesome):

https://github.com/blog/1477-content-security-policy

The answer is yes! User configured scripts should always be granted clearance! (but we are off to a rocky start it seems)

I actually think there's significant opportunity for social engineering happening here; "Install this bookmark in your browser to use our cute emoticons in forums!" "oh bookmarks can't be viruses, right?"

OTHER TIPS

As a workaround, you can tell your bookmarklet to load an external CSS stylesheet with your JS code injected. This bypasses CSP. Have a look at my answer to a similar question.

Licensed under: CC-BY-SA with attribution