Website CSP can block AdGuard scripts in Firefox

[HanabishiRecca]

• AdGuard version: 3.5.23
• Browser and version: Firefox 83.0

Some websites using strict CSP rules can block AdGuard scripts injection.
E.g. here at github.com AdGuard can't make it's own scripts to work.

So all JS-related filters doesn't work with the such websites.

I've tried to override this behavior with a rule like this:
github.com^$csp=script-src 'unsafe-inline' 'unsafe-eval' *
But it doesn't work for some reason.

This is Firefox-only issue. Seems like Chrome allows extensions to inject scripts regardless of CSP.
For a practical example, try to use a such rule:
github.com#%#alert('Hi')
It works in Chrome, but not in Firefox.

[Chinaski1]

Hello!

It looks like there should be no CSP check for extension resources.
Apparently, this is a bug in the Firefox browser.

[isaak654]

I constantly see a red Content Security Policy warning in Firefox Console during the normal navigation on Github.com too.

I'm using Firefox 84.0.2 x64. With the same browser I can't make more than 5 edits to a comment because my changes are not correctly retained between an edit and another. Currently I'm waiting official Github confirmation about it.

I've already tried without success:

1. to disable "Filter update interval" option in Adguard
2. to include github.com in the Adguard whitelist

[HanabishiRecca]

With the same browser I can't make more than 5 edits to a comment because my changes are not correctly retained between an edit and another.

I don't think this is related. CSP errors means exactly the opposite: Adguard scripts don't work at this website. So there is literally nothing to interfere with.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[XX-J]

А я то думал, - почему scriptlet'ы на некоторых сайтах не работают, а тут вон оно что...
Не работают scriptlet'ы на GitHub'е, Яндексе и других сайтах, где они ОЧЕНЬ нужны.

Система	Фильтры	Антитрекинг
AdGuard v3.6.13	Базовый AdGuard         Русский	Стандарт
FireFox v78.13 ESR	Счётчиков и аналитики         Отслеживания по URL	+Блокировка WebRTC
Win7SP1	Виджетов социальных сетей         Раздражителей	+Удаление параметров отслеживания

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[XX-J]

Workaround this bug in FireFox is put security.csp.enable = false in about:config.

Странно, но GreaseMonkey как-то обходит эту проблему, а AdGuard и TamperMonkey - нет. Почему и, самое главное, Как?

[HanabishiRecca]

Workaround this bug in FireFox is put security.csp.enable = false in about:config.

Довольно жестоко глобально отключать CSP, безопасность страдает.

Странно, но GreaseMonkey как-то обходит эту проблему

Точно? Тогда нужно покопаться в его исходнике просто.

[XX-J]

Точно? Тогда нужно покопаться в его исходнике просто.

Точно! Использую версию 4.11 на FireFox v78.13 ESR, только он в iframe'ах скрипты не запускает. А TamperMonkey работает в iframe'ах, но не работает при строгом CSP.

А в коде я настолько сильно не разбираюсь - надо более опытного кодера.