A piggy bank of commands, fixes, succinct reviews, some mini articles and technical opinions from a (mostly) Perl developer.

Quick reference

Add JavaScript to a security-protected page

If you want to run some jQuery (or any other script) on a page that doesn't already have it, you can load it like this in the web browser console:

var script = document.createElement('script');
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/1.6.3/jquery.min.js";
document.getElementsByTagName('head')[0].appendChild(script);

But on pages with a strict security policy, you may get an error:

Refused to load the script '......' because it violates the following Content Security Policy directive: .....

Solution: Edit the DOM and replace the security policy with this one:

<meta http-equiv="Content-Security-Policy" content="default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;">

(source)

Breakdown of policy from that guy:
  • default-src * self                 blob: data: gap:;
  • style-src   * self 'unsafe-inline' blob: data: gap:;
  • script-src  * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:;
  • object-src  * 'self'               blob: data: gap:;
  • img-src     * self 'unsafe-inline' blob: data: gap:;
  • connect-src self * 'unsafe-inline' blob: data: gap:;
  • frame-src   * self                 blob: data: gap:;
Hmm, that doesn't look quite right. Seems inconsistent.
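
The inconsistency can be pinned down mechanically. The following is an added example, not code from this post or its source: a small linter (the names `parseCsp` and `lintCsp` are hypothetical) that flags CSP keywords written without their single quotes and `'unsafe-inline'` in directives where it has no effect.

```javascript
// Added example: lint a CSP string for the two inconsistencies in the policy above.
// Keywords that only work when wrapped in single quotes.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);
// 'unsafe-inline' only governs inline scripts and styles, so it does nothing elsewhere.
const INLINE_APPLIES = new Set(['default-src', 'script-src', 'script-src-elem',
  'script-src-attr', 'style-src', 'style-src-elem', 'style-src-attr']);

// The policy from this page, copied verbatim.
const PAGE_POLICY = "default-src * self blob: data: gap:; " +
  "style-src * self 'unsafe-inline' blob: data: gap:; " +
  "script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; " +
  "object-src * 'self' blob: data: gap:; " +
  "img-src * self 'unsafe-inline' blob: data: gap:; " +
  "connect-src self * 'unsafe-inline' blob: data: gap:; " +
  "frame-src * self blob: data: gap:;";

// Split a policy into Map(directive name -> source list); the first duplicate wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return one finding per suspicious source expression.
function lintCsp(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    for (const source of sources) {
      const lower = source.toLowerCase();
      if (KEYWORDS.has(lower)) {
        // Without quotes the token is a host-source: a server literally named "self".
        findings.push({ directive, source, issue: 'unquoted-keyword' });
      } else if (lower === "'unsafe-inline'" && !INLINE_APPLIES.has(directive)) {
        findings.push({ directive, source, issue: 'keyword-has-no-effect' });
      }
    }
  }
  return findings;
}

for (const f of lintCsp(PAGE_POLICY)) {
  console.log(`${f.directive}: ${f.source} -> ${f.issue}`);
}
```

Separately from the linting: when a page has more than one policy, all of them are enforced together, so a policy sent in the `Content-Security-Policy` response header cannot be relaxed by a `<meta>` tag.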