I have a script done by myself that uses jQuery Ajax functions to log some data from a web page when I access it. It takes some info and sends it to my local Apache host to save in a text file.
It worked for months, but I now getting an error related with this Same-Origin Policy(I know how it works and its purpose) and the browser is now ending the script execution showing this message:
The page at https://www.website.com/ displayed insecure content from
http://127.0.0.1:8081/whatever.php
Followed by this:
Refused to connect to connect 'http://127.0.0.1:8081/whatever.php?arguments=1' because it
violates the following Content Security Policy directive: "connect-src
https://www.website.com/* https://*.website.com/
https://*.website.net xhr: error: SECURITY_ERR: DOM Exception 18
That last domain is colored in red on the error message. A curious detail is that on the JavaScript code on Tampermonkey I have the @includes of those domains but not the red marked domain. I’ve added it and tested, but didn’t work.
Every discussion I’ve found on Google tells how to disable this policy but in case that you’re developing an extension, that is not my case.
This code will just run in my machine, I didn’t have the intention to distribute it in any way so any solution will be appreciated, even if the solution is to change browser configuration directly.
If this’ useful, I’m using Windows 7.
Tampermonkey Beta fixed its
GM_xmlHttpRequestto be independent from the page’s CSP.Unfortunately it can not fix jQuery AJAX requests cause it doesn’t have a clue what sites are going to be contacted.
If the page you’re contacting is Facebook, then the CSP is sent only to Chrome 21-23, but not Chrome 24. So you can use Tampermonkey’s
@user-agenttag to simulate Chrome 24.