-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
how to disable Content Security Policy (CSP) include http-csp and html-csp #1
Comments
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39 |
csp |
@DreamNya |
emm 是公司内网OA系统,我在本地新建了一个html文件复现也报错CSP了 |
浏览器扩展是不能修改回复体的,只能修改回复头 firefox 的 我试图寻找 chrome 启动参数来 禁用 csp,但是没有找到 目前我发现可行的办法就是 使用 https://wproxy.org/whistle/ 来通过中间人攻击修改 html 还有一种轻量级的办法:如果你要注入的网页允许 |
好的 谢谢大佬 |
如果你要注入的网站是 https 的,你可能需要自签发证书工具,我推荐 https://github.com/FiloSottile/mkcert |
@DreamNya hello,我找到一种利用 并且这个方法无需中间人攻击 以 chrome 和 https://i.songe.li/csp 为例子,请确保你的 chrome 安装了 tampermonkey 扩展 首先我们要启动 chrome 并启用它的远程调试功能,设置调试端口为 chrome --remote-debugging-port=9222 接下来我们 clone 并启动 let-html-csp-fail git clone https://github.com/lisonge/let-html-csp-fail.git
cd let-html-csp-fail
pnpm install
pnpm start 它会自动打开 https://i.songe.li/csp 并拦删除 response.body 中的 接下来我们启动一个示例看是否生效 git clone https://github.com/lisonge/vite-plugin-monkey.git
cd vite-plugin-monkey
pnpm install
pnpm -F example run serve 如果 chrome 不是你的默认浏览器,你需要复制输出的链接 |
远程调试的方法测试有效 感谢大佬 |
https://cn.vitejs.dev/config/server-options.html#server-host
github 是 http header csp,修改响应头即可绕过,#1 (comment) |
我直接用原生的js脚本写的时候好像插入元素也没有触发,控制台并没有报错 |
这个脚本不属于当前源,会触发 csp ;(({ entrySrc = `` }) => {
window.GM;
const key = `__monkeyWindow-` + new URL(entrySrc).origin;
document[key] = window;
console.log(`[vite-plugin-monkey] mount monkeyWindow to document`);
const entryScript = document.createElement("script");
entryScript.type = "module";
entryScript.src = entrySrc;
document.head.insertBefore(entryScript, document.head.firstChild);
console.log(`[vite-plugin-monkey] mount entry module to document.head`);
})(...[
{
"entrySrc": "http://127.0.0.1:5173/__vite-plugin-monkey.entry.js"
}
]); |
懂了感谢大佬,这样其实打包以后也不会触发csp策略了 |
Disable-CSP
|
看下这个issue: #35 |
问题解决了,感谢 |
Now just use browser extension Disable-CSP
updated to 2023-07-20 20:48
The text was updated successfully, but these errors were encountered: