Breaks websites with strict CSP policies
Created by: da2x
- Install extension, leaving default settings ("Block requests for missing resources" is disabled)
- Visit https://trends.builtwith.com/Server/Fedora
Expected: Pretty graph.
Actual: Graph fails to load.
The library is blocked from loading from the CDN by the extension, and the website itself blocks the replacement library from loading from the extension. (If I’m understanding the situation correctly.)
Proposed solution: Unless "Block requests for missing resources" is enabled, the extension should parse the Content-Security-Policy HTTP header (or meta element if no header) before blocking the request and attempting to replace it.
Decentraleyes 1.3.8, Firefox 53.0
Possibly introduced via #130 (closed).
Console output:
Content Security Policy: The page’s settings blocked the loading of a resource at data:application/javascript;charset=UTF-... (“script-src https://trends.builtwith.com 'unsafe-inline' https://cdnpi.pe https://d2z0lf9itclnw8.cloudfront.net https://www.google-analytics.com https://ajax.googleapis.com https://www.googleadservices.com”). (unknown)
ReferenceError: $ is not defined[Learn More] bw4.min.js:1:1752
ReferenceError: $ is not defined[Learn More] Fedora:499:1
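As an added example (not Decentraleyes' own code), here is the kind of check the proposed solution describes, in the JavaScript a WebExtension would run: parse a Content-Security-Policy value (a header value and a meta element's content attribute share the same grammar) and report whether a replacement script delivered as a data: URI would be permitted, so the extension could leave the original request untouched when it would not. The policy taken from the console output above is one input; the other policies are constructed, and the function and constant names are invented for the example.

```javascript
// Added example, not Decentraleyes code. Parse a CSP value into a map of
// directive name -> array of source expressions. Directive names are
// case-insensitive; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Source list that governs <script> loads: script-src if present,
// otherwise default-src, otherwise null (no restriction on scripts).
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True if a data: URI script would be allowed by the full header value.
// A header may carry several comma-separated policies; every one of them
// must allow the load. Only the data: scheme-source admits data: URIs:
// host sources never match them, and '*' excludes data:, blob: and
// filesystem: by definition. (Nonces, hashes and 'strict-dynamic' are
// not considered here.)
function dataScriptAllowed(headerValue) {
  return headerValue.split(',').every((policy) => {
    const sources = scriptSources(parseCsp(policy));
    if (sources === null) return true;
    return sources.some((s) => s.toLowerCase() === 'data:');
  });
}

// The policy quoted in the console output of this report.
const BUILTWITH_POLICY =
  "script-src https://trends.builtwith.com 'unsafe-inline' https://cdnpi.pe " +
  'https://d2z0lf9itclnw8.cloudfront.net https://www.google-analytics.com ' +
  'https://ajax.googleapis.com https://www.googleadservices.com';

// Decision the extension could make before intercepting a CDN request:
// replace only when the page's policy would accept the replacement.
function shouldReplace(blockMissingResources, headerValue) {
  return blockMissingResources || dataScriptAllowed(headerValue);
}
```

With the default setting, `shouldReplace(false, BUILTWITH_POLICY)` is false, so the request would be passed through to the CDN instead of being replaced.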