Safari: Script unable to bypass CSP #296

Closed
silverwind opened this issue May 24, 2016 · 13 comments
Comments

@silverwind

silverwind commented May 24, 2016

Using Tampermonkey 4.1 on Safari 9.1.1, a userscript seems unable to bypass a site's CSP, like for github.com in our case (here's the script). This error is being logged in the console:

GitHub-Dark-Script:0 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets-cdn.github.com".

I've been searching for an option menu with the CSP option, but there appears to be none available in the Safari version of this extension.

Ref: StylishThemes/GitHub-Dark-Script#13
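The console error quoted above is the browser applying the page's script-src directive to the inline script the userscript manager injects. As an added illustration (not code from Tampermonkey or from this thread), here is a small evaluator of that script-src decision; the header value in the test is constructed to mirror the quoted directive, and the pageOrigin parameter is assumed to be the origin of the page the script runs on.

```javascript
// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // a repeated directive is ignored
  }
  return policy;
}

// script-src falls back to default-src; null means scripts are not restricted at all.
function scriptSources(header) {
  const policy = parseCsp(header);
  return policy['script-src'] ?? policy['default-src'] ?? null;
}

// Would an inline <script> element (what an injected userscript usually is) be executed?
function inlineScriptAllowed(header, nonce = null) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // Since CSP level 2, 'unsafe-inline' is ignored once any nonce or hash source is listed.
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Simplified host-source matching ('self', '*', scheme-only, scheme prefix, *.wildcard); ports and paths are ignored.
function sourceMatches(src, url, pageOrigin) {
  const u = new URL(url);
  if (src.startsWith("'")) return src === "'self'" && u.origin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const h = u.hostname.toLowerCase(), target = host.toLowerCase();
  return wild ? h.endsWith('.' + target) : h === target;
}

// Would an external script loaded from `url` be executed on a page with origin `pageOrigin`?
function externalScriptAllowed(header, url, pageOrigin) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}
```

With a policy like the one quoted in the error, inlineScriptAllowed returns false because neither 'unsafe-inline' nor a matching nonce is listed, which is exactly the refusal Safari logs.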

@derjanb
Member

derjanb commented May 29, 2016

According to the CSP spec, a CSP should not interfere with extensions and add-ons [1], but Safari doesn't care and stops Tampermonkey when it injects a script into the page.

Unfortunately there is nothing I can do to fix this. So this is actually more a "can't fix" than a "won't fix".

[1] https://www.w3.org/TR/CSP3/#extensions

@legendtang

@derjanb I'm also curious why some adblocker extensions and some extensions that are actually wrappers for some scripts work like a charm?

@derjanb
Member

derjanb commented Apr 28, 2018

@legendtang Can you please send a link to such an extension?
I assume they're running the script within the extension context, which is fine until the script uses extension functionality to modify the extension storage and for example installs a second script without user interaction.

@legendtang

@derjanb For example, uBlock Origin https://github.com/gorhill/uBlock
In advanced options, they even allow you to change the website dynamically.

@derjanb
Member

derjanb commented Apr 30, 2018

@legendtang I have issues finding out how to define a custom JavaScript that is injected into the page. Can you please give some guidance or send a backup that, for example, injects alert('foo') into every page?

@legendtang

legendtang commented May 1, 2018

@derjanb They're restricting the use of external scripts and only applying pre-defined rule-based scripts in resource.txt instead. But it will not work in CSP websites for Safari.

Don't be so upset. Below is exactly where I noticed the behavior. There are some extensions already achieving that. Safari-FIDO-U2F/Safari-FIDO-U2F#26 (comment) This extension does successfully load the script on any website, even CSP-enabled GitHub. The bridge.js is doing the real magic. You may take a glance at that.

@revolter

So does this mean that no userscript will ever work in Safari?

@derjanb
Member

derjanb commented May 30, 2018

So does this mean that no userscript will ever work in Safari?

No, it means a site with a very strict CSP can prevent scripts from running or prevent some features from working.

@michaelmesser

I think Userscripts solves this by using eval instead of creating a script tag when @inject-into content is in the script. https://github.com/quoid/userscripts/blob/14297fb38e46dc5f5a51a857d9c8f034a69b8730/extension/Userscripts%20Extension/UserscriptsSafari.js#L33

@amityweb

amityweb commented Jan 22, 2021

Hi @michaelmesser, are you saying there is a solution to this issue?

I only use Tampermonkey to add CSS to webpages to customise them. Decided to switch to Safari for one app, and it's blocked.

I use an addGlobalStyle function to add the style, but the script is blocked.

I tried another app to add CSS called Cascadea and that works fine.
https://apps.apple.com/app/cascadea/id1432182561

So it is possible to at least inject CSS into webpages. I don't know if Tampermonkey has another working way, or just does not implement it the same way as Cascadea does.

@jesus2099

jesus2099 commented Jan 31, 2021

@amityweb, if you only need custom CSS, you could use Stylus.
Here is a random example user stylesheet that runs with Stylus.

@codeninja-ru

I think Userscripts solves this by using eval instead of creating a script tag when @inject-into content is in the script. https://github.com/quoid/userscripts/blob/14297fb38e46dc5f5a51a857d9c8f034a69b8730/extension/Userscripts%20Extension/UserscriptsSafari.js#L33

So it's possible. Unfortunately I cannot install Userscripts since it requires mac v12.

@krystian3w

But it may fail with relaxed mode disabled in 4.20. I must find a solution to move this to another addon.
