2

I'm creating a Chrome Extension which modifies a script served by the server (which I have no control over) to add new functionality to the website, and I had the following idea:

  1. Block the original script via WebRequest, webRequestBlocking.
  2. Send the url of the blocked script to a script injected into the page.
  3. GET this url from the page's script.
  4. Edit a part of the code (string).
  5. Eval the string.

(Another working way is to redirect it to a local modified script return { redirectUrl: chrome.extension.getURL("modified.js") };, inside the Chrome Extension folder, but then it's impossible to modify it on the fly, that's why I want to eval a modified script)

When I try to eval the string in the 5th step, it says: ...'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com".

I've tried to use webRequest.onHeadersReceived to see if I could alter CSP headers (as some answers suggested: Edit Content Security Policy in onHeadersReceived), but there is no "content-security-policy" header.

I can see a Content Security Policy meta tag (I've omitted everything except 'script-src'):

<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com; base-uri 'none';">

From this answer (https://stackoverflow.com/a/27324485/10364842), Chrome Extensions cannot override CSP of Web pages. But someone replies: I know this is incredibly old, but I came across it while trying to inject Artoo.js into a page. The chrome extension does indeed allow you to modify the page you're looking at and let any content through.

Eval works in the content script, but I need to execute the script in the page's context, because it depends on the global scope.

I'm wondering if it's possible to alter CSP of a Web page through a Chrome Extension, or if there is any other way to accomplish this solely via a Chrome extension?

teg_brightly
  • 468
  • 6
  • 20
  • 1
    I don’t know if it’s possible to have the extension alter the page contents to change the value of the CSP policy in that `meta` element — but if turns out that’s in fact not possible, then there is no other solution that’d work. The reason is, even if you inject a Content-Security-Policy response header into the response, the CSP policy in that `meta` element would still be applied. For an explanation, see the answer at https://stackoverflow.com/a/51153816/441757 – sideshowbarker May 10 '20 at 12:04
  • 2
    chrome.webRequest API in Chrome can't alter the server response body, only Firefox offers such a feature. The only possible workaround in Chrome is to use chrome.debugger API when a tab starts loading (e.g. in chrome.webNavigation.onCommitted) to patch the response via Fetch.getResponseBody and Fetch.takeResponseBodyAsStream (see [CDP](https://chromedevtools.github.io/devtools-protocol/tot/Fetch/)). – wOxxOm May 10 '20 at 12:13
  • Thanks! Here is an extension removing CSP meta tag via modifying the response body: https://github.com/Sentero-esp12/Debugger-API-Fetch-example-Chrome-Extension It uses Debugger and Fetch APIs – teg_brightly May 12 '20 at 13:57
  • If Chrome cannot alter the policy, then why is there an extension that can do it ?? https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden – Matt Sep 30 '22 at 13:31

1 Answers1

-1

"Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load and resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.

You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax." https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

esquare
  • 3,947
  • 10
  • 34
  • 37
  • 1
    The question is not about CSP of Chrome Extensions, but about altering meta tag CSP of Web pages via a Chrome Extension – teg_brightly May 29 '21 at 13:57