How to relax Content Security Policy in Chrome?

Lately, some websites such as Facebook use the Content Security Policy (CSP) to restrict loading of scripts from "untrusted sources". For example, when requesting Facebook HTML content (e.g. https://www.facebook.com ), Facebook's HTTP response includes the following response header:

x-webkit-csp:default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;

This has impact on some bookmarklets which require to load and execute Javascript libraries from untrusted sources.

For example, whenever I try to run the Show Anchors bookmarklet on a Facebook page, execution of this bookmarklet fails as it tries to load jQuery from an untrusted source. In Chrome's Developer console, it will say:

Refused to load the script 'http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js' because it violates the following Content Security Policy directive: "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net".

I've found a Chrome documentation page about this topic, but it only applies to Chrome extensions.

I'm looking for solutions that allow me to

  • either for a single time deactivate CSP
  • or permanently whitelist my trusted sources.

Methods Endorsed by Chrome Apps

Use templating libraries

Use a library that offers precompiled templates and you’re all set. You can still use a library that doesn’t offer precompilation, but it will require some work on your part and there are restrictions.

You will need to use sandboxing to isolate any content that you want to do ‘eval’ things to. Sandboxing lifts CSP on the content that you specify.

Sandbox local content

Sandboxing allows specified pages to be served in a sandboxed, unique origin. These pages are then exempt from their Content Security Policy. Sandboxed pages can use iframes, inline scripting, and eval() (and the last two are the ones being prevented). That'll fix 'unsafe-inline' and 'unsafe-eval'.

  • Use inline scripts in sandbox
  • Include sandbox in manifest

Access remote resources

You can fetch remote resources via XMLHttpRequest and serve them via blob:, data:, or filesystem: URLs. This should fix the jQuery fetching issue.

Manifest requirement

To be able to do cross-origin XMLHttpRequests, you'll need to add a permission for the remote URL's host.

Cross-origin XMLHttpRequest

Fetch the remote URL into the app and serve its contents as a blob: URL.


I don't think you can do any of these. To fix the unsafe-eval and unsafe-inline response headers, only the script owner can fix the code or if it's in public domain, you can fix it. All this is probably a one-time fix.


Hacks

UnsafeWindow

http://wiki.greasespot.net/UnsafeWindow

Content Script Injection

http://wiki.greasespot.net/Content_Script_Injection


The hacks however have downsides because they've known to cause security holes atleast the first one, definitely.