Tampermonkey: [Firefox] Tampermonkey failed with CSP error (again)

Created on 3 May 2019  Â·  13Comments  Â·  Source: Tampermonkey/tampermonkey

This is a follow-up of #361 because we got CSP errors in Firefox again.

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Completely disabling Tampermonkey in the Firefox Add-On manager removes the errors. Note that blacklisting the site, or disabling Tampermonkey in the toolbar _does not_ remove these errors.

Tampermonkey: v4.9.5921 (Firefox)

firefox

Most helpful comment

For me "Add Tampermonkey to the sites content CSP" option had no effect either. The only working "workaround" is to switch to Greasemonkey.

All 13 comments

I have the same issue. It happens on Twitter. The script is not executed at all.

Tampermonkey is v4.9.5941 on Firefox.

I'm also seeing these errors in Slack. In the meanwhile, I've had to create a separate Firefox profile just for Slack where I turn off security.csp.enable.

I've got a script for Twitter which seems to be influenced by this issue as well. But oddly enough, while a "refresh without cache" somehow makes the script work, a normal refresh will break it again. Another strange thing that I noticed was that the script counter got bumped up by 1 every time I refreshed the page.

Turning off security.csp.enable also gave my script the green light to run but the counter issue still persisted. And by the way I didn't encounter this problem using Greasemonkey.

Also experiencing these errors on FF 69 and Tampermonkey v4.9.5941. Trying to inject CSS from Slack Night Mode (Black) into Slack.com generates the following errors on refresh:

TypeError: a is undefined
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
TypeError: a is undefined
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Only way to resolve the issue is to turn off security.csp.enable or via the "Experimental" option to "Add Tampermonkey to the sites content CSP". Enabling the "Security" option to "Add Tampermonkey to the site's content security policy (CSP) if there is one" had no effect.

For me "Add Tampermonkey to the sites content CSP" option had no effect either. The only working "workaround" is to switch to Greasemonkey.

This _might_ be solvable now that Firefox seems to have a userScripts API available. See my comment on #418 for details.

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Doing this will leave the user open to cross-site scripting attacks.

Please vote and comment on https://bugzilla.mozilla.org/show_bug.cgi?id=866522

Violentmonkey tries to address the problem:
https://violentmonkey.github.io/posts/inject-into-context/

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Doing this will leave the user open to cross-site scripting attacks.

Please vote and comment on https://bugzilla.mozilla.org/show_bug.cgi?id=866522

That issue is 7 years old. Well good luck convincing Mozilla...

Violentmonkey tries to address the problem:
https://violentmonkey.github.io/posts/inject-into-context/

Evaluating code in extension context is most probably not a permanent solution because of manifest v3 changes.

That issue is 7 years old. Well good luck convincing Mozilla...
You could help, you know. Will take all about 5 minutes of your time, and if enough people do it it may convince Mozilla.

Evaluating code in extension context is most probably not a permanent solution because of manifest v3 changes.

Perhaps. Hopefully Firefox (and other browsers) will not buy into v3 wholesale.
Still, the current "solution" of disabling CSP altogether is sub-optimal.

For those who just got new Firefox update and is facing this issue just go to "about:config" and set "security.csp.enable" to "false".

Please see https://github.com/Tampermonkey/tampermonkey/issues/952#issuecomment-638373937 for a better workaround.

I'm closing this in favor of #952

Was this page helpful?
0 / 5 - 0 ratings

Related issues

AhmetEmsal picture AhmetEmsal  Â·  4Comments

Mottie picture Mottie  Â·  5Comments

RussiaVk picture RussiaVk  Â·  4Comments

gituser823 picture gituser823  Â·  4Comments

Mottie picture Mottie  Â·  4Comments