Cross site XMLHttpRequest Content Security Policy directive workaround?

I'm using a userscript that plays a sound and sends some notifications to me whenever something on a website changes according to my definitions.

Recently, a server-side change that fixed an unrelated XSS exploit prevents those two things as well, as cross-site requests are being made:

Refused to connect to 'http://myhomepage.com/mysound.mp3' because it violates the following Content Security Policy directive: "connect-src 'self' https://websitetocheck.com".

What can I do to work around the new server-side restrictions to get back my little sound and notifier?

Any ideas or links would be highly appreciated!
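
Why the browser refuses this request, as an added example that is not part of the original question: a simplified connect-src matcher run on the policy and URL from the error message above. The function names are illustrative and the page URL https://websitetocheck.com/ is an assumption; path matching, redirects and ws/wss handling are left out.

```javascript
// Added example: simplified matching of a URL against a CSP connect-src list.
// Handles 'self', '*', scheme sources and host sources (optional scheme,
// leading "*." wildcard, port). Paths, redirects and ws/wss are not modelled.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const effectivePort = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// Source list of directive `name`, falling back to default-src; null if neither.
function sourceList(policy, name) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [key, ...sources] = part.trim().split(/\s+/);
    const k = key.toLowerCase();
    if (k && !directives.has(k)) directives.set(k, sources); // first one wins
  }
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// An "http" source also matches the secure upgrade "https".
const schemeMatches = (src, target) =>
  src === target || (src === 'http:' && target === 'https:');

function matchesSource(source, target, page) {
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === page.origin;
  if (src === '*') return target.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return schemeMatches(src, target.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(src);
  if (!m) return false; // 'none', nonces, hashes: never match a URL here
  const [, scheme, wildcard, host, port] = m;
  if (!schemeMatches(scheme ? scheme + ':' : page.protocol, target.protocol)) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  return port === '*' || (port ?? DEFAULT_PORT[target.protocol]) === effectivePort(target);
}

// True when a fetch/XHR from `pageUrl` to `targetUrl` passes connect-src.
function connectAllowed(policy, pageUrl, targetUrl) {
  const list = sourceList(policy, 'connect-src');
  if (list === null) return true; // neither connect-src nor default-src present
  const target = new URL(targetUrl), page = new URL(pageUrl);
  return list.some((s) => matchesSource(s, target, page));
}

// Policy and blocked URL from the error message; the page URL is assumed.
const POLICY = "connect-src 'self' https://websitetocheck.com";
const PAGE = 'https://websitetocheck.com/';
console.log(connectAllowed(POLICY, PAGE, 'http://myhomepage.com/mysound.mp3')); // false
console.log(connectAllowed(POLICY, PAGE, 'https://websitetocheck.com/api'));    // true
```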

There are 2 answers

0
tsh On

GM_xmlhttpRequest works cross-domain and you may manually set HTTP headers. Also, you may embed the sound file as a data URI in your script or use @resource to require the sound file. Once you have the file content in your script, feed the data URI to <audio> for playing.

3
Frank Einstein On

SOLUTION FOR FIREFOX USERS:

If you are using Firefox, there is a very useful extension that will let you modify every request header and every response header of Firefox using JavaScript. It can be used for many things, but here I will show you how to bypass the "Content Security Policy".

There is also a (JSON) version of this extension but make sure to use the (JS) version, from the link I just provided.

Install the extension and restart Firefox. Now we need to configure it. I will give you all the steps here:

(It may look long and complicated, but in fact it's very simple. I just give all the possible details so that everybody can configure the options.)

  • Open the Firefox's Extension Manager.
  • Click the Options Button
  • Make sure that both "HTTP Requests" and "HTTP Responses" are ENABLED.
  • Make sure also that both "Watch Interval" settings are set to at least "1000" (it will look for changes made to the script files every 1 second; when you are done editing your scripts, you can set it back to "0" to save some CPU).
  • For the location of your two scripts, instead of using the find button, you can use the {ProfD} variable which is pointing to your Firefox Profile Directory. It is especially useful if you are using a portable Firefox that can be changing locations. Note that if you leave the boxes "empty", it's not going to work "by default".
  • Your two "location" boxes should look like this: "{ProfD}\moz-rewrite\requests.js" and "{ProfD}\moz-rewrite\responses.js"
  • The folders and the script files are not created automatically so you will need to create a new folder in your "Firefox's Profile Directory" named "moz-rewrite" and then create the script files.
  • Example:
    • "C:\Users\YourName\AppData\Roaming\Mozilla\Firefox\Profiles\qwertyui.default\moz-rewrite\requests.js"
    • "C:\Users\YourName\AppData\Roaming\Mozilla\Firefox\Profiles\qwertyui.default\moz-rewrite\responses.js"

Now that the configuration is done, all you need to do is open the "responses.js" with notepad, copy and paste the script below in this file, save it and you should be able to bypass this "XMLHttpRequest Content Security Policy".

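// responses.js
//
[
    {
    // Dots are written as "\\." because inside a string literal "\." collapses
    // to ".", which would match any character instead of a literal dot.
    "url" : new RegExp('^https?://myhomepage\\.com/mysound\\.mp3', 'i'),
    "headers" : {
        "Content-Security-Policy"   : null,
        "Access-Control-Allow-Origin" : "*"
        }
    }
]
// End of script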

Note that with the script above, you will need to replace the web address of the MP3 file with the real one. If you want to bypass the "Content Security Policy" for ANY MP3 files on "myhomepage.com", or if you have problems with the previous script, you can use this script instead:

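// responses.js
//
[
    {
    // Dots are written as "\\." so they match a literal dot; ".*" still
    // matches any path under the host that ends in ".mp3".
    "url" : new RegExp('^https?://myhomepage\\.com/.*\\.mp3', 'i'),
    "headers" : {
        "Content-Security-Policy"   : null,
        "Access-Control-Allow-Origin" : "*"
        }
    }
]
// End of script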

Here is a link to some very interesting little scripts for this extension. For example, there is a small "ad-blocker" script, and another script redirects search engine queries from Yahoo to Google. Link: https://github.com/warren-bank/moz-rewrite/tree/js/data/recipe-book

If you know how to write JavaScript code, you really should take a look at this. For more information, or to read the documentation about "Rewrite HTTP Headers (JS)", see this link: https://github.com/warren-bank/moz-rewrite