Stopping inline script from executing

I am trying to remove some inline scripts from a webpage and I’m not sure if there is an easier way than I am doing it or not. Currently I am stopping the page from loading and calling a XMLHttpRequest on the same page and stripping the script out and rendering the page again.

Is there any easier way of doing this?

You can modify the page's CSP with the webRequest API. I'm not sure if that is easier, but it doesn't mess up quite as much stuff as your current approach will (I'm pretty sure you are preventing the page from receiving e.g. the "load" event).

Do you want to remove all inline scripts?

I am trying to remove/disable all inline scripts, yes. And this looks much easier and will break the page much less than my current approach.

If you want to disallow all inline scripts, then yes, this is also the easiest approach.

Just be aware that there is quite a number of different possible situations:

  • no CSP or CSP without default-src and script-src ==> add one that allows script-src all protocols (and 'unsafe-eval')
  • CSP with script-src ==> remove 'unsafe-inline' if present
  • CSP without script-src ==> if 'unsafe-inline' present in default-src, copy that (without 'unsafe-inline') to script-src

Also, a response can contain multiple CSP headers and CSPs with different names (X-Content-Security-Policy, X-Webkit-CSP). I don't know if Firefox normally uses either of these (if the standard Content-Security-Policy is missing).
And then there is <meta http-equiv="Content-Security-Policy" ....
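As an added example (not code from the thread), here is a JavaScript function that applies the three cases listed above to one Content-Security-Policy header value, plus a webRequest.onHeadersReceived handler that runs it over every CSP header in a response. It goes slightly beyond the list by also stripping nonce and hash sources, since those whitelist specific inline scripts just like 'unsafe-inline' does. The permissive script-src used in the first case and the `browser.webRequest` environment are assumptions; the sample header values are constructed.

```javascript
// Sources that permit inline script execution: 'unsafe-inline', nonces and hashes.
function allowsInline(src) {
  const s = src.toLowerCase();
  return s === "'unsafe-inline'" || s.startsWith("'nonce-") ||
         s.startsWith("'sha256-") || s.startsWith("'sha384-") || s.startsWith("'sha512-");
}
// Parse "name src src; name2 src" into [{ name, sources }], keeping directive order.
function parseCsp(value) {
  return value.split(";")
    .map(d => d.trim()).filter(d => d.length > 0)
    .map(d => {
      const [name, ...sources] = d.split(/\s+/);
      return { name: name.toLowerCase(), sources };
    });
}
// Assumed permissive script-src for pages with no script policy at all:
// every host and scheme plus 'unsafe-eval', but no source that allows inline.
const PERMISSIVE_SCRIPT_SRC = ["*", "'unsafe-eval'", "data:", "blob:", "filesystem:"];
function hardenCsp(value) {
  const directives = parseCsp(value || "");
  const scriptSrc = directives.find(d => d.name === "script-src");
  const defaultSrc = directives.find(d => d.name === "default-src");
  if (scriptSrc) {
    // CSP with script-src: drop every source that permits inline scripts.
    scriptSrc.sources = scriptSrc.sources.filter(s => !allowsInline(s));
    if (scriptSrc.sources.length === 0) scriptSrc.sources = ["'none'"];
  } else if (defaultSrc) {
    // CSP with default-src only: if it permits inline, copy it to script-src
    // without the inline-permitting sources (otherwise inline is already blocked).
    if (defaultSrc.sources.some(allowsInline)) {
      const sources = defaultSrc.sources.filter(s => !allowsInline(s));
      directives.push({ name: "script-src", sources: sources.length ? sources : ["'none'"] });
    }
  } else {
    // No CSP, or one without default-src and script-src: add a permissive script-src.
    directives.push({ name: "script-src", sources: PERMISSIVE_SCRIPT_SRC.slice() });
  }
  return directives.map(d => [d.name, ...d.sources].join(" ")).join("; ");
}
// onHeadersReceived handler (register with ["blocking", "responseHeaders"]):
// rewrite every CSP header, since a response may carry several, or add one.
function rewriteHeaders(details) {
  const headers = details.responseHeaders.map(h => ({ ...h }));
  const csp = headers.filter(h => h.name.toLowerCase() === "content-security-policy");
  for (const h of csp) h.value = hardenCsp(h.value);
  if (csp.length === 0) headers.push({ name: "Content-Security-Policy", value: hardenCsp("") });
  return { responseHeaders: headers };
}
```

The handler only looks at the standard header name; the legacy X-Content-Security-Policy / X-Webkit-CSP names and the `<meta http-equiv>` form mentioned above are not covered by it.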

Works perfect, thanks!

Yepp. But also consider malformed CSPs and report-uri, you probably don't want to cause reports.