This repository has been archived by the owner on Nov 6, 2023. It is now read-only.

Https everywhere on sites with CSP also prevents other browser extensions from running #19008

Closed
Owyn opened this issue Mar 7, 2020 · 6 comments

@Owyn

Owyn commented Mar 7, 2020

Example sites: github.com (all pages), Google (images section)

If I set HTTPS Everywhere to strict HTTPS-only mode and visit a website with a Content Security Policy enabled (like GitHub), HTTPS Everywhere also starts preventing my TamperMonkey extension from running its scripts on pages, as you can see in the screenshots.

It doesn't happen without HTTPS Everywhere in strict HTTPS-only mode.

[screenshots: not_running2, not_running1, ok1, ok2]

Firefox: 73.0.1 (64bit)
TamperMonkey: v4.10.6105
Https Everywhere: v2019.11.7
OS: Windows 10 Home Version: 1903 Build: 18363

@cschanaj
Collaborator

cschanaj commented Mar 8, 2020

I cannot reproduce your issue with HTTPS Everywhere EASE mode and TamperMonkey installed. AFAIK, HTTPS Everywhere upgrades the HTTP protocols in the CSP headers in EASE mode. It did not change the CSP for GitHub, however, as its CSP headers do not contain any HTTP protocol:

default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com

P.S. Your user script works for me with HTTPS Everywhere EASE mode both enabled and disabled. Could this issue be related to the settings storage of the TamperMonkey extension?
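As an added example (not HTTPS Everywhere's own code), here is a simplified model of the EASE-mode CSP rewrite cschanaj describes: http:/ws: source expressions are upgraded to https:/wss:, so a policy that already lists only https sources, like GitHub's, comes back unchanged. The directive parsing and the two sample policies are my own assumptions, constructed for the check.

```javascript
// Added example, not code from HTTPS Everywhere: a simplified model of the
// EASE-mode CSP rewrite. It upgrades http:/ws: source expressions to
// https:/wss: so that upgraded subresources still satisfy the policy.
// The directive splitting below is an assumption, not the extension's parser.
function upgradeCspSources(csp) {
  return csp
    .split(';')
    .map(function (directive) {
      var tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) return '';
      var name = tokens[0];
      var sources = tokens.slice(1).map(function (src) {
        // Keywords ('self', 'none', 'unsafe-inline'), data:, and bare
        // host names carry no plain-HTTP scheme and are left untouched.
        if (src.indexOf('http://') === 0) return 'https://' + src.slice(7);
        if (src.indexOf('ws://') === 0) return 'wss://' + src.slice(5);
        if (src === 'http:') return 'https:';
        if (src === 'ws:') return 'wss:';
        return src;
      });
      return [name].concat(sources).join(' ');
    })
    .filter(Boolean)
    .join('; ');
}

// The practical check: would EASE mode touch this header at all?
function easeWouldRewrite(csp) {
  return upgradeCspSources(csp) !== csp;
}

// Constructed samples: a GitHub-style policy with only https/wss sources,
// and a policy that does carry plain http:/ws: sources (example.test hosts).
var GITHUB_LIKE_CSP =
  "default-src 'none'; block-all-mixed-content; connect-src 'self' api.github.com wss://live.github.com; " +
  "script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com";
var PLAIN_HTTP_CSP =
  "default-src 'self'; script-src http://cdn.example.test ws://live.example.test; img-src http:";
```

Running `easeWouldRewrite` over a site's real header is a quick way to tell whether EASE mode can be the component that altered the policy the browser enforced.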

@Owyn
Author

Owyn commented Mar 8, 2020

Additional info: you need to be logged in to GitHub; without being logged in, scripts work.

  • I have CSP bypass enabled in TamperMonkey, it's just that it doesn't seem to work for me... [screenshot]

I tried it with a clean Firefox profile and imported TamperMonkey settings and scripts, and it worked like you described, but... after a browser restart it stopped working for good and went back to how I described the problem. Try restarting the browser and see again.

@zer0pwned

I'm having the same issue with my GitHub Tampermonkey script while trying to modify the GitHub font style with HTTPS EASE mode enabled.

Here is the script I wrote:

// ==UserScript==
// @name        Github font changer
// @namespace   local.greasemonkey.githubfontchanger
// @include     https://*.github.com/*
// @include     https://github.com/*
// @version     2
// @run-at      document-start
// ==/UserScript==

var fontdef = "Fira Code, Monaco, Monospace !important"; // Set your font here.

// Helper to inject CSS: apply the font-family definition to code styles.
(function() {
    var css = '.blob-code { font-family: ' + fontdef + '; } ' +
        '.blob-num { font-family: ' + fontdef + '; } ' +
        '';
    // With @run-at document-start, <head> may not exist yet; fall back to
    // <html> so the style is still injected instead of silently giving up.
    var parent = document.head || document.documentElement;
    if (!parent) { return; }
    var style = document.createElement('style');
    style.type = 'text/css';
    style.textContent = css; // a stylesheet is plain text; no HTML parsing needed
    parent.appendChild(style);
})();

It worked while EASE mode was disabled but won't work with EASE mode enabled. Although I can always disable EASE mode on the GitHub website, it just feels not right.

Firefox Version: Version 80.0.1 (64 bit)
Tampermonkey Version: v4.11.6117
HTTPS Everywhere Version: Version: 2020.8.13

@ghost

ghost commented Oct 27, 2021

@PatheticMustan go talk here about HTTPS Everywhere and PHEX. I think you have something to say about this because you said something, idk (btw you didn't reference it the right way in the issue in PMGH).

@ghost

ghost commented Oct 27, 2021

> Additional info: you need to be logged in to GitHub; without being logged in, scripts work.

(THIS ONE IS IMPORTANT BUT IT WON'T LET ME BOLD)

> I have CSP bypass enabled in TamperMonkey, it's just that it doesn't seem to work for me...

> I tried it with a clean Firefox profile and imported TamperMonkey settings and scripts, and it worked like you described, but... after a browser restart it stopped working for good and went back to how I described the problem. Try restarting the browser and see again.

Same thing happens with PHEx (look it up on the Chrome web store)

@Owyn
Author

Owyn commented Oct 27, 2021

HTTPS Everywhere

You guys know it's obsolete for Firefox, since Firefox rolled out the "open sites only via https" option long ago?

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

@zoracon zoracon closed this as completed Jan 9, 2023