Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to override content security policy while including script in browser JS console?

Tags:

javascript

content-security-policy

browser-extension

browser-security

I was trying to include JQuery on an existing website using console this way:

var script = document.createElement('script'); script.src = 'http://code.jquery.com/jquery-1.11.1.min.js'; script.type = 'text/javascript'; document.getElementsByTagName('head')[0].appendChild(script);

Then I got this error:

Content Security Policy: The page's settings blocked the loading of a resource at http://code.jquery.com/jquery-1.11.1.min.js ..

During development I might want to include external Javascript. I might not want to copy paste the entire JQuery code since it does not look neat. How to override the content security policy for development purposes?

This would be really useful for quick testing. I might want to convert the script I am writing to a browser extension later on.

Note (update): I am writing the script over an existing website and do not have control over setting the Content-Security-Policy header.

like image 409
Pranjal Mittal Avatar asked Dec 05 '14 19:12

Pranjal Mittal

People also ask

How do I use content security policy override?

Usage. To edit the configuration, go to chrome://extensions and click Options under Content Security Policy Override. The text area in the Options automatically saves as you edit.

How do I disable CSP in my browser?

Disable CSP while you use Document Builder. Disabling CSP should only be done temporarily as it removes security barriers intended to protect you. Turn off the CSP for your entire browser in Firefox by disabling security. csp.

How do I turn off content security policy?

Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header. Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting.

1 Answers

You can turn off the CSP for your entire browser in Firefox by disabling security.csp.enable in the about:config menu. If you do this, you should use an entirely separate browser for testing. For example, install Firefox Developer Edition alongside your normal browser and use that for testing (and not normal Web use).

As an alternative, it should be possible to alter the Content-Security-Policy response header before it gets to your browser (via an HTTP proxy). It is also possible to do this with extensions.

A Chrome extension can set its own CSP for its own chrome-extension://... pages, but it cannot alter the CSP of a normal webpage.

like image 65
apsillers Avatar answered Sep 19 '22 01:09

apsillers
Sign in to Comment

Related questions

Amazon Cognito "A client attempted to write unauthorized attribute"
How can I use an AngularJS filter to format a number to have leading zeros?
How do I round a number in JavaScript?
Avoid having to double-click to toggle Bootstrap dropdown
How do I add a separator between elements in an {{#each}} loop except after the last element?
Number prime test in JavaScript
js function to get filename from url
What are alternatives to ExtJS?
How do I use MS-XCEP and MS-WSTEP in .NET or JavaScript to get a certificate from AD CS?
node.js multi room chat example
Scrape web pages in real time with Node.js
What is the best JavaScript image processing library? [closed]
How to easily create Github friendly markdown for documented JavaScript functions?
How and why would I write a class that extends null?
keep placeholder on focus in IE10
ES6: import module from URL
Use of semicolons in ES6 [duplicate]
Why can't nested describe() blocks see vars defined in outer blocks?
Changing a CSS rule-set from Javascript
SecurityError: The operation is insecure - window.history.pushState()

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!