Tampermonkey script, Safari and CSP | Tools & Userscripts | TO…
Tampermonkey script, Safari and CSP
  • LDN xedx [2100735]xedx [2100735]
    • xedx [2100735]
    • Role: Civilian
    • Level: 88
    • Posts: 624
    • Karma: 447
    • Last Action: 6 hours
    • Quote
    • Report
      • 0
    • Reason:
      Are you sure you want to report this post to staff?
      Cancel
    Thread created on 05:52:15 - 16/09/21 (1 month ago)
    |
    Last replied 02:32:05 - 18/09/21 (1 month ago)
    Has anyone had any experience running a script (for Torn) on Safari? I create a do-nothing script, such as this:

    // ==UserScript==
    // @name Safari CSP Test
    // @namespace http://tampermonkey.net/
    // @version 0.1
    // @description try to take over the world!
    // @author You
    // @match https://www.torn.com
    // @match https://www.google.com
    // @match https://github.com
    // @grant none
    // ==/UserScript==

    (function() {
    'use strict';
    alert("Hello, World!");
    })();

    If I go to Google, it works fine. If I go to Torn (or GitHub), it doesn't work at all. The error is:

    Refused to execute a script because its hash, its *****, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
    https://www.torn.com/js/script/lib/centrifuge.min.js.map

    GitHub solved this issue on their site by no longer supporting Safari :-) It seems the CSP rules are site specific, and from what I can gather, Tampermonkey for other browsers has options to get around this, such as:

    Modify existing content security policy (CSP) headers:


    which does not seem to exist in the Safari version. It seems that this is a Safari/Torn site specific issue that can't be fixed, by me at least. Has anybody come across this or have any advice?
  • LDN xedx [2100735]xedx [2100735]
    • xedx [2100735]
    • Role: Civilian
    • Level: 88
    • Posts: 624
    • Karma: 447
    • Last Action: 6 hours
    • Quote
    • Report
      • 0
    • Reason:
      Are you sure you want to report this post to staff?
      Cancel
    Posted on 02:32:05 - 18/09/21 (1 month ago)
    Post link copied to clipboard Copy post link
    Follow up: this may provide a solution:

    injectJS, now Userscripts

    Main page link:

    Userscripts
Reply
Thread Title: