Possible fix to remove integrity checks
I may have found a (very ugly) fix for the SOP problem:
Removing the crossorigin and integrity attributes from <script/> and <link/> elements.
See the example code below:
```javascript
{
    'use strict';

    function listener(details)
    {
        let filter = browser.webRequest.filterResponseData(details.requestId);
        let decoder = new TextDecoder("utf-8"); //FIXME: get content-encoding from headers
        let encoder = new TextEncoder();

        filter.ondata = evt => {
            //remove crossorigin and integrity attributes
            //Note that this will not work if the crossorigin="anonymous" string is divided into two chunks, but we want to flush this data asap.
            let str = decoder.decode(evt.data, {stream: true})
                .replace(/<(link|script)[^>]+>/ig, m => m.replace(/\s+(integrity|crossorigin)(="[^"]*"|='[^']*'|=[^"'`=\s]+|)/ig, ""));
            filter.write(encoder.encode(str));
        };

        filter.onstop = evt => {
            let str = decoder.decode(); // end-of-stream
            filter.write(encoder.encode(str));
            filter.close();
        };
    }

    chrome.webRequest.onBeforeRequest.addListener(
        listener,
        {'types': [WebRequestType.MAIN_FRAME], 'urls': [Address.ANY]},
        [WebRequest.BLOCKING]
    );
}
```
If I add this code to your extension and include it in the background.html, it appears to work for some of the sites that are reported as broken.
WARNING: this code might make pages load (much) slower because ALL HTML is scanned with regexes before being parsed by the browser.
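The comment in the posted code notes that the replacement misses a tag that is divided between two chunks. The following is an added example, not part of the original post or of the extension, showing one way to cover that case on already-decoded text by holding back an unfinished tag until the next chunk arrives. The names `makeChunkSafeStripper`, `runChunks` and `MAX_HELD` are hypothetical, the two regexes are the ones from the post, and the sample markup in the comments is constructed.

```javascript
// Same patterns as in the post.
const TAG_RE = /<(link|script)[^>]+>/ig;
const ATTR_RE = /\s+(integrity|crossorigin)(="[^"]*"|='[^']*'|=[^"'`=\s]+|)/ig;
// Assumption: upper bound on text held back, so a stray "<" cannot stall the page.
const MAX_HELD = 64 * 1024;

// Per-chunk replacement exactly as the post does it.
function stripAttrs(html) {
  return html.replace(TAG_RE, m => m.replace(ATTR_RE, ""));
}

function makeChunkSafeStripper() {
  let held = ""; // trailing text that may be the start of an unfinished tag
  return {
    // Feed one decoded chunk; returns the text that is safe to write now.
    push(text) {
      const buf = held + text;
      const lt = buf.lastIndexOf("<");
      // A "<" with no ">" after it means the tag continues in the next chunk.
      const open = lt !== -1 && buf.indexOf(">", lt) === -1;
      const cut = open && buf.length - lt <= MAX_HELD ? lt : buf.length;
      held = buf.slice(cut);
      return stripAttrs(buf.slice(0, cut));
    },
    // Call at end of stream to emit whatever is still held.
    flush() {
      const out = stripAttrs(held);
      held = "";
      return out;
    },
  };
}

// Helper for trying it out: run a list of chunks through one stripper.
function runChunks(chunks) {
  const s = makeChunkSafeStripper();
  return chunks.map(c => s.push(c)).join("") + s.flush();
}

// Constructed sample, split in the middle of the integrity attribute:
//   runChunks(['<html><script src="a.js" integ',
//              'rity="sha384-AAAA" crossorigin="anonymous"></script></html>'])
```

Like the regex in the post, this treats the first `>` as the end of a tag, so a `>` inside a quoted attribute value is not handled.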