Allow Violentmonkey scripts

Posted: Thu Jan 04, 2018 12:03 am
by Reindeer
Violentmonkey is an add-on that lets users run custom userscripts.
When NoScript disallows a domain to run scripts, even Violentmonkey scripts are restricted from running. It would be highly useful if one could allow Violentmonkey scripts to run without allowing the website's domain. This would allow users to fix websites that (maybe purposefully) break themselves upon encountering a NoScript user. This was possible with Greasemonkey prior to Firefox 57.
Currently Violentmonkey scripts are injected as blob objects as described here ... BLOB-URLs/

Re: Allow Violentmonkey scripts

Posted: Thu Jan 04, 2018 12:16 am
by therube
Yes it would be nice.
Suspect it's the same as, well, take your pick, +bookmarklet*.

e10s, various browser versions, various NoScript versions.
In any case, point is, unless you allow the domain, bookmarklets (& likewise Violentmonkey) scripts don't work, which sucks, which goes against the whole premise of not having to allow a site - just so bookmarklets work. (You don't know just how that bugs me - in Quantum. Many times, the only reason I allow a site is so that my bookmarklets work.)

(With some scripts you do have to allow particular domains, but that is an exception.)

Re: Allow Violentmonkey scripts

Posted: Fri Jan 05, 2018 12:18 am
by jscher2000
I think this is the old CSP problem, that Firefox interprets the bar on inline scripts to apply to bookmarklets and extensions' content scripts. There have been a few bugs pending to change this but no obvious movement. The bug fix to allow extensions to inject style sheets that otherwise are barred by CSP, coming in Firefox 59, has something like a dozen files, so it seems these changes are not trivial to code.

Re: Allow Violentmonkey scripts

Posted: Sat May 12, 2018 3:06 pm
by therube

Anything possible on this end to get things working as they should?

(I'll take it that security.csp.enable is NOT the thing to do :twisted:.)

What goes around, comes around.
Funny isn't it, that NoScript wasn't particularly feasible for me until ~2009, when bookmarklet support was introduced.

Re: Allow Violentmonkey scripts

Posted: Wed Jul 04, 2018 1:41 pm
by therube
(I'll take it that security.csp.enable is NOT the thing to do :twisted:.)
What are the ramifications of setting, security.csp.enable, to 'false'?

I'm sure, not good.
But just what does that mean?

Or is NoScript able to come up with a safe work-around?

Re: Allow Violentmonkey scripts

Posted: Wed Jul 04, 2018 6:49 pm
by skriptimaahinen
It would NOT be a good idea to disable CSP as that is what NoScript uses to block inline javascript. For anything fetched with network request, NoScript is able to block in webRequest event, but scripts that come embedded in the main document need to be blocked with CSP as that is the only way available to WebExtensions since Mozilla prevented access to the javascript.enabled config setting.

This is also the reason why bookmarklets won't work on blocked pages. There is a bug report to get it fixed though: Just don't hold your breath waiting. ;)

Not familiar with how Violentmonkey executes its scripts, but I guess it tries to inject them as page scripts so they get blocked by the CSP. For example Greasemonkey works fine since the scripts are executed as content scripts.
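
The two blocking paths described in the post above, as an added example that is not part of the thread and is not NoScript's code: a WebExtension cancels network-fetched scripts in a webRequest listener and appends a CSP response header to stop inline scripts. The function names, the policy string and the `trustedHosts` set are assumptions made for illustration.

```javascript
"use strict";
// Added illustration, not NoScript's implementation. All names here are hypothetical.

// Policy that forbids every script source, including inline <script> and on* handlers.
const BLOCKING_POLICY = "script-src 'none'";

// Constructed stand-in for a per-site permission store.
const trustedHosts = new Set(["trusted.example"]);

function isTrusted(url) {
  return trustedHosts.has(new URL(url).hostname);
}

// Inline scripts never cause a separate request, so the only lever is the
// document's own response: append a Content-Security-Policy header.
// The site's existing CSP is kept; multiple policies are all enforced,
// so the extra header can only tighten what the page is allowed to run.
function withScriptBlock(details) {
  const headers = (details.responseHeaders || []).slice();
  if (!isTrusted(details.url)) {
    headers.push({ name: "Content-Security-Policy", value: BLOCKING_POLICY });
  }
  return { responseHeaders: headers };
}

// Scripts fetched over the network can be cancelled before they load.
function cancelUntrustedScript(details) {
  return { cancel: !isTrusted(details.url) };
}

// Register only when running inside a WebExtension background page.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    withScriptBlock,
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
  browser.webRequest.onBeforeRequest.addListener(
    cancelUntrustedScript,
    { urls: ["<all_urls>"], types: ["script"] },
    ["blocking"]
  );
}
```

Because the injected policy applies to the page as a whole, anything that runs as a page script (a bookmarklet, or a userscript injected into the page) is blocked along with the site's own inline code, which is the behaviour this thread is about.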

Re: Allow Violentmonkey scripts

Posted: Thu Feb 07, 2019 2:11 am
by barbaz

Re: Allow Violentmonkey scripts

Posted: Thu Feb 07, 2019 11:56 am
by therube

Re: Allow Violentmonkey scripts

Posted: Sat Jun 01, 2019 6:05 am
by therube
Breathe :-).

This doesn't fix everything, don't even know if it fixes Violentmonkey (?) (but it does fix Everything :-).)
So now you no longer need to Allow the site you're on in order for an Everything search to work - when NoScript is installed :-).

(FF 69, currently Nightly, required.)

Bug 1478037 Allow bookmarklets to run even when the CSP on the page would normally block javascript: execution

Boris wrote: I filed bug 1478037 to implement the basic "let the bookmarklet run" thing, so we don't let the perfect be the enemy of the good here. If the bookmarklet loads subresources, those will still be subject to CSP even with that bug fixed.
:-) :-) :-)