prinsss/twitter-web-exporter

Content-Security-Policy (CSP) Issues

prinsss opened this issue · 0 comments

This script relies on modifying window.XMLHttpRequest to install network interceptors and therefore needs to be injected into the "page" context rather than the "content" context.

The difference is that the "page" context has access to the window object of the twitter.com page, while the "content" context does not. See: Inject scripts into different contexts.

However, the "page" context is subject to the Content-Security-Policy (CSP) of the page, which may prevent the userscript from running. This is the case with Twitter's CSP.

This issue is opened to discuss potential solutions to this problem.

Related issues:
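
An added example (not part of the original issue or the project's code): a small evaluator for the CSP behaviour described above, deciding whether a script injected into the "page" context as an inline `<script>` element would be allowed to run. The injection mechanism is an assumption, the policy strings are constructed samples rather than Twitter's actual header, and `parseCsp` / `inlineScriptAllowed` are hypothetical names.

```javascript
// Added example. Policies below are constructed samples, not Twitter's header.
// Assumption: the userscript reaches the page context via an inline <script>.

// Parse one CSP header value into a Map: directive name -> list of sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Directive names are case-insensitive; a repeated directive is ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Would an inline <script> (optionally carrying `nonce`) be allowed to run?
// Hash sources are not matched here: an injected script's hash is assumed
// to be absent from the page's policy.
function inlineScriptAllowed(header, nonce = null) {
  const csp = parseCsp(header);
  // Fallback chain for script elements: script-src-elem, script-src, default-src.
  const sources =
    csp.get('script-src-elem') ?? csp.get('script-src') ?? csp.get('default-src');
  if (sources === undefined) return true; // no directive restricts scripts
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  // 'unsafe-inline' is ignored when a nonce, a hash or 'strict-dynamic' is listed.
  const overridden =
    has("'strict-dynamic'") ||
    sources.some((s) => /^'(nonce|sha256|sha384|sha512)-[^']+'$/i.test(s));
  return has("'unsafe-inline'") && !overridden;
}

// Constructed sample policies, from permissive to strict.
const SAMPLE_POLICIES = [
  "img-src *",
  "script-src 'self' 'unsafe-inline'",
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
];
for (const policy of SAMPLE_POLICIES) {
  console.log(inlineScriptAllowed(policy) ? 'runs   ' : 'blocked', '|', policy);
}
```

Only the last sample lets an inline script through by nonce, and only when the injected element carries the page's own nonce value, which a script injected from outside the page would not normally know.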