Lor-Saba/Code-Injector

How to inject JS scripts on GitHub? (bypass CSP)

Opened this issue · 3 comments

When I tried to inject a dumb JS script into https://github.com I got this error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

triggered by this line:

document.head.append(el);

Is there a way to bypass this?

The Content-Security-Policy response header is:

default-src 'none';
base-uri 'self';
block-all-mixed-content;
connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com;
font-src github.githubassets.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com;
manifest-src 'self';
media-src 'none';
script-src github.githubassets.com;
style-src 'unsafe-inline' github.githubassets.com;
worker-src github.com/socket-worker.js gist.github.com/socket-worker.js

BTW, I do not want to use Tampermonkey/Greasemonkey.
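To make the blocked line concrete, here is a small Content-Security-Policy evaluator. It is an added example, not code from the Code-Injector project or from the issue author. It takes the header quoted above (trimmed to the directives that matter for scripts), applies the fallback and matching rules a browser uses for `<script>` elements, and reports why an appended inline script is blocked while a script from github.githubassets.com is allowed. The script "loads" it checks are constructed test cases; hash-sources (`'sha256-...'`) are left out to keep it short.

```javascript
// Added example, not the Code-Injector project's code: a minimal CSP
// evaluator for <script> elements. GITHUB_CSP is the header quoted in the
// issue, trimmed to the script-relevant directives. The test cases at the
// bottom (cdn.example.net etc.) are constructed, not captured traffic.

const GITHUB_CSP =
  "default-src 'none'; base-uri 'self'; " +
  "script-src github.githubassets.com; " +
  "style-src 'unsafe-inline' github.githubassets.com; " +
  "worker-src github.com/socket-worker.js gist.github.com/socket-worker.js";

// "name v1 v2; name v3" -> { name: ["v1", "v2"], ... }. Directive names are
// case-insensitive and the first occurrence wins; source values keep their
// case because nonces are case-sensitive.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Split a host-source such as "https://*.githubusercontent.com:443/x/" into
// parts by hand: "*" is not a valid hostname, so URL cannot parse it.
function splitHostSource(expr) {
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  const scheme = m ? m[1].toLowerCase() : null;
  const rest = m ? expr.slice(m[0].length) : expr;
  const slash = rest.indexOf("/");
  const [host, port] = (slash === -1 ? rest : rest.slice(0, slash)).split(":");
  return { scheme, host: host.toLowerCase(), port: port || null, path: slash === -1 ? "" : rest.slice(slash) };
}

// Does one host-source expression match the target URL? A scheme-less
// source matches any scheme here (browsers also allow http->https upgrades).
function hostSourceMatches(expr, target) {
  const src = splitHostSource(expr);
  if (src.scheme && src.scheme + ":" !== target.protocol) return false;
  if (src.host.startsWith("*.")) {
    if (!target.hostname.endsWith(src.host.slice(1))) return false; // ".example.com"
  } else if (src.host !== target.hostname) {
    return false;
  }
  if (src.port) {
    const defaultPort = { "https:": "443", "http:": "80" }[target.protocol] || "";
    if (src.port !== (target.port || defaultPort)) return false;
  }
  if (src.path) {
    // A path ending in "/" matches the subtree; otherwise it must match exactly.
    if (src.path.endsWith("/") ? !target.pathname.startsWith(src.path) : target.pathname !== src.path) return false;
  }
  return true;
}

// Evaluate one script against the policy. `script` is { inline: true, nonce? }
// or { src }. <script> elements are governed by script-src, falling back to
// default-src when script-src is absent.
function scriptAllowed(policy, script, pageOrigin = "https://github.com") {
  const directive = "script-src" in policy ? "script-src" : "default-src";
  const sources = policy[directive];
  if (!sources) return { allowed: true, reason: "no script-src or default-src" };
  const keywords = new Set(sources.map((s) => s.toLowerCase()));
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));

  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`))
      return { allowed: true, reason: `${directive}: nonce matches` };
    // 'unsafe-inline' is ignored as soon as a nonce or hash source is present.
    if (keywords.has("'unsafe-inline'") && !hasNonceOrHash)
      return { allowed: true, reason: `${directive}: 'unsafe-inline'` };
    return { allowed: false, reason: `${directive}: inline script without 'unsafe-inline', nonce or hash` };
  }

  const target = new URL(script.src, pageOrigin);
  const page = new URL(pageOrigin);
  for (const s of sources) {
    const k = s.toLowerCase();
    if (k.startsWith("'")) { // keyword: only 'self' can match an external URL
      if (k === "'self'" && target.origin === page.origin) return { allowed: true, reason: `${directive}: 'self'` };
      continue;
    }
    if (k === "*") { if (/^(https?|wss?):$/.test(target.protocol)) return { allowed: true, reason: `${directive}: *` }; continue; }
    if (/^[a-z][a-z0-9+.-]*:$/.test(k)) { // scheme-source such as https:
      if (k === target.protocol) return { allowed: true, reason: `${directive}: scheme ${k}` };
      continue;
    }
    if (hostSourceMatches(s, target)) return { allowed: true, reason: `${directive}: host-source ${s}` };
  }
  return { allowed: false, reason: `${directive}: "${sources.join(" ")}" does not match ${target.href}` };
}

// The situation from the issue plus a few related cases (constructed inputs).
function evaluateCases() {
  const policy = parseCsp(GITHUB_CSP);
  return {
    inlineAppend: scriptAllowed(policy, { inline: true }),
    githubAssets: scriptAllowed(policy, { src: "https://github.githubassets.com/assets/app.js" }),
    otherOrigin: scriptAllowed(policy, { src: "https://cdn.example.net/inject.js" }),
    socketWorkerAsScript: scriptAllowed(policy, { src: "https://github.com/socket-worker.js" }),
    fallback: scriptAllowed(parseCsp("default-src 'none'"), { src: "https://github.githubassets.com/x.js" }),
  };
}

for (const [name, r] of Object.entries(evaluateCases()))
  console.log(name.padEnd(22), r.allowed ? "ALLOWED" : "BLOCKED", "-", r.reason);
```

The `inlineAppend` case is the one from the issue: `script-src github.githubassets.com` contains neither `'unsafe-inline'` nor a nonce or hash, so an inline `<script>` appended to the document is refused no matter who appended it. The `'unsafe-inline'` under `style-src` only applies to styles, and `socketWorkerAsScript` shows that `worker-src` likewise does not leak into `script-src`. Hash-sources and the `strict-dynamic` keyword are not modelled here.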

Same happens on MS Teams (https://teams.microsoft.com)

Seems to happen on Twitter too.

It's been three years since the opening of this issue and still no fix. 😑️
BTW, it also happens on Spotify.