Disabling javascript with javascript by injecting Content-Security-Policy

javascript dom content-security-policy

Solution 1:

script-src policy does NOT disable JavaScript. It disables loading of new content referenced with <script> tags that are inserted into a document after you declare your policy.

Policies in meta elements are not applied to content which precedes them.

https://w3c.github.io/webappsec-csp/#meta-element

You can see it working perfectly fine with new content and stopping output in console after a few successful calls if you change your "testing" tag to:

<script>
  var x =  0;
  setInterval(function(){
    var newNode = document.createElement("script");
    var newText = document.createTextNode("console.log("+ x++ +")")
    var bodyElem = document.getElementsByTagName('body')[0];
    newNode.appendChild(newText)
    bodyElem.appendChild(newNode);
  }
  ,1000);
</script>

CSP does not have means to somehow retroactively "cancel" content that was loaded before it was enforced. You need to look in browser-specifc extension API.

Related

Convert DataSet to List
the below code input o1ps will return oops but o2ps should return ooops is there any way we can execute o2ps has ooops
Replace the table body using DataTables
Multiple specifications for same function in Erlang header file
IIF in postgres
MacBook Pro Keyboard - How to Swap / Remap Keys?
Extra configuration required for ssh-agent forwarding?
How do I build a DIY NAS?
How can I see which DLLs included in Windows contain icons?
Blazor (Server) - Good Practice: Do i need a Controllers or is anything handled by Services
Is it possible to remove "Inspect Element"?
how to revert default Mac Apache install to original