HeaderEditor icon indicating copy to clipboard operation
HeaderEditor copied to clipboard
verified publisher icon FirefoxBar

[BUG] Cannot modify the Content-Security-Policy header of the main resource

Open dubrox opened this issue 6 years ago • 7 comments

Describe the bug On Chrome 79.0.3945.88 (Official Build) (64-bit), the rule to Modify response header matching by Regular expression executing a normal replacement of content-security-policy header value to * is not getting applied, getting external resources blocked by the CSP.

The same rule (imported from Chrome) works on Firefox (68.2.0).

Rule and Test address Test rule (matching all just to make it simpler):

Match type: All
Execute type: normal
Header name: content-security-policy
Header value: *

Test URL: https://content-security-policy.com/browser-test/

Extra informations I'm using your extensions flawlessly on Firefox (68.2.0).

I used to have no issues with extensions like this on Chrome, but since the last Chrome update, only Disable Content-Security-Policy is working to modify the CSP from the main resource response header.

Looking at their code I can see that it is using an extra "blocking" flag, missing in HeaderEditor code.

Probably related with:

  • https://stackoverflow.com/questions/53172613/modifying-response-headers-in-chrome-extensions
  • https://developer.chrome.com/extensions/webRequest#life_cycle (look for the changes since Chrome 79)

dubrox avatar Dec 24 '19 12:12 dubrox

Probably duplicated: https://github.com/FirefoxBar/HeaderEditor/issues/147 (translation to English from Chinese)

dubrox avatar Dec 24 '19 12:12 dubrox

This is a known bug and I have already released a new version a few days ago, now it is waiting Google's review, please wait.

sylingd avatar Dec 24 '19 12:12 sylingd

Is this fixed now?

sjehuda avatar Jun 14 '23 09:06 sjehuda

This is still an issue on latest Firefox.

lilithium-hydride avatar Nov 21 '23 23:11 lilithium-hydride

content-security-policy不能被修改? Firefox 124.0b6似乎是这样。

{
	"request": [],
	"sendHeader": [],
	"receiveHeader": [
		{
			"enable": true,
			"name": "CSP修改",
			"ruleType": "modifyReceiveHeader",
			"matchType": "all",
			"pattern": "",
			"exclude": "",
			"group": "未分组",
			"isFunction": true,
			"code": "for (const a in val) {\n  if (val[a].name.toLowerCase() === 'content-security-policy') {\n    const csp = val[a].value;\n    const fontSrcIndex = csp.indexOf(\"font-src\");\n    const scriptSrcIndex = csp.indexOf(\"script-src\");\n\n    if (fontSrcIndex !== -1 && scriptSrcIndex !== -1) {\n      const insertPosition = Math.max(fontSrcIndex, scriptSrcIndex);\n      const prefix = csp.substring(0, insertPosition);\n      const suffix = csp.substring(insertPosition);\n\n      val[a].value = prefix + \" https://*.loli.net\" + suffix;\n    }\n\n    break;\n  }\n}"
		}
	],
	"receiveBody": []
}

我这写的应该是没问题吧?

daiaji avatar Mar 09 '24 05:03 daiaji