Scriptlets don't work on websites using Content-Security-Policy (CSP) #2352

Open
4 of 5 tasks
charlessuh opened this issue Jul 5, 2024 · 4 comments

charlessuh commented Jul 5, 2024

Please answer the following questions for yourself before submitting an issue

  • Filters were updated before reproducing an issue
  • I checked the knowledge base and found no answer
  • I checked to make sure that this issue has not already been filed

AdGuard version

4.5.5

Environment

  • OS: 17.5.1
  • Device: iPhone XS

Ad Blocking

No response

Privacy

No response

Social

No response

Annoyances

No response

Security

No response

Other

No response

Language-specific

No response

Advanced protection for Safari

  • yes, I do

Which DNS server do you use?

DNS protection disabled

DNS protocol

DNS protection disabled

Custom DNS

No response

DNS filtering

  • yes, I do

Custom DNS filter

No response

DNS implementation

DNS protection disabled

Tunnel mode

DNS protection disabled

Low-level settings

Bootstrap server:
Fallback server:
Blocking mode, etc:

Issue Details

This was (partially) fixed in the Safari repo:

Expected Behavior

No response

Actual Behavior

The following code doesn't work on a website using CSP to restrict inline scripts:

```typescript
const executeScripts = (scripts: string[]) => {
    // Wrap with try catch
    const start = '( function () { try {';
    const end = "} catch (ex) { console.error('Error executing AG js: ' + ex); } })();";
    const updated = [start, ...scripts, end];
    const scriptTag = document.createElement('script');
    scriptTag.setAttribute('type', 'text/javascript');
    scriptTag.textContent = updated.join('\r\n');
    const parent = document.head || document.documentElement;
    parent.appendChild(scriptTag);
    if (scriptTag.parentNode) {
        scriptTag.parentNode.removeChild(scriptTag);
    }
};
```

Screenshots

No response

Additional Information

No response
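
Why the injection above fails, as an added example (not code from the AdGuard project or from this issue): a small JavaScript check that parses a `Content-Security-Policy` header value and reports whether an inline `<script>` element without a nonce, like the one `executeScripts` creates, would be allowed to run. It assumes the script's hash is not listed in the policy; the function names and the sample header values are constructed for illustration.

```javascript
// Added example: decide whether an enforced CSP lets a nonce-less inline <script> run.
// Directive lookup order for <script> elements: script-src-elem, script-src, default-src.
const FALLBACK = ['script-src-elem', 'script-src', 'default-src'];
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)[^']+'$/i;

// Parse one serialized policy into a Map of directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Evaluate a single policy for an inline <script> that carries no nonce and
// whose hash is not listed (the situation of a dynamically built scriptlet).
function policyAllowsInline(policy) {
  const directives = parsePolicy(policy);
  const name = FALLBACK.find((d) => directives.has(d));
  if (name === undefined) return { allowed: true, directive: null };
  const sources = directives.get(name).map((s) => s.toLowerCase());
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridden = sources.some(
    (s) => NONCE_OR_HASH.test(s) || s === "'strict-dynamic'");
  const allowed = sources.includes("'unsafe-inline'") && !overridden;
  return { allowed, directive: name };
}

// A header value may carry several comma-separated policies; every one must allow.
function inlineScriptAllowed(headerValue) {
  const results = headerValue.split(',').filter((p) => p.trim() !== '')
    .map(policyAllowsInline);
  const blocking = results.find((r) => !r.allowed);
  return { allowed: blocking === undefined,
           blockedBy: blocking ? blocking.directive : null };
}

// Constructed sample header values, not taken from any real site.
const samples = [
  "default-src 'self'; img-src *",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-cjRuZDBt'",
  "img-src 'self'",
];
for (const h of samples) console.log(JSON.stringify(inlineScriptAllowed(h)), h);
```

Only the enforced `Content-Security-Policy` header should be passed in; a `Content-Security-Policy-Report-Only` header reports violations without blocking the script.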

@charlessuh
Author

One interesting strategy I noticed Noir is using is to embed a helper script like <script id="noir-helper" class="noir noir-helper" src="safari-web-extension://E0D31760-3AB2-4B4D-B79D-58B41AF2DEFD/dist/noirhelper.js"></script>, which seems to get around CSP.

Maybe you could communicate from the content script <-> page helper script using a custom event or some other mechanism.

@Versty
Contributor

Versty commented Jul 31, 2024

@charlessuh Thank you for reporting!
Could you please provide examples of problematic websites?

@Versty
Contributor

Versty commented Aug 8, 2024

@charlessuh Any updates?

@Versty
Contributor

Versty commented Aug 22, 2024

@charlessuh We have discussed this issue with the development team.
We are currently working in this direction and will do our best to improve this behaviour in future versions.
