segment-boneyard/nightmare

Bypass CSP (Content Security Policy)

Open

#889 opened on Nov 15, 2016

View on GitHub
 (5 comments) (0 reactions) (0 assignees)JavaScript (19,507 stars) (1,076 forks)batch import
Help Wanted

Description

I am trying to bypass CSP in order to run some eval() code or spawn web workers.

I found this issue on electron: https://github.com/electron/electron/issues/3430 which suggests using webFrame.registerURLSchemeAsBypassingCSP(scheme) http://electron.atom.io/docs/api/web-frame/#webframeregisterurlschemeasbypassingcspscheme

I have tried to do that in a preloader script but it doesn't seem to affect the page's policy.

Have you ever faced this or have any clue what might be wrong or a possible solution?

Thanks!

Contributor guide

Tech stack
javascriptnodejselectron
Domain
security
Issue type
research
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
needs investigation
Prerequisites
understanding of Content Security Policybasic Electron knowledgeNightmare usage
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Investigate the `webFrame.registerURLSchemeAsBypassingCSP` method in Electron (referenced issue: electron/electron#3430). Check if it affects the page's CSP when called in a preload script; test with a minimal Electron app. Review Nightmare's preload script execution context to verify if the method is correctly invoked. Consider that the method may need to be called before navigation, or that the page's CSP might override it. Also check if the Electron version in Nightmare supports this API. No linked PRs or maintainer responses were found.