@@ -264,7 +264,8 @@ <h1 class=title style='position:absolute;left:0;right:0;margin:auto;top:-10px'>
264264
265265 < div class =description >
266266 < p >
267- I was in the process of answer this question< br >
267+ I was in the process of answering this question
268+ < br >
268269 < div class =br > </ div >
269270 < a href ='https://stackoverflow.com/questions/79833235/is-it-possible-to-connect-to-a-local-python-server-using-secure-web-sockets-from '>
270271 Is it possible to connect to a local Python server using secure web sockets from a browser console on an HTTPS webpage?
@@ -273,36 +274,34 @@ <h1 class=title style='position:absolute;left:0;right:0;margin:auto;top:-10px'>
273274 </ span >
274275 </ a > < br >
275276 < div class =br > </ div >
276- but i didnt qant to get -1'd for no reason ...
277- < a href ='https://stackoverflow.com/questions/28099493/running-ffmpeg-in-browser-options/79820132#79820132 '>
278- Running ffmpeg in browser - options?
279- < span class =link-domain >
280- stackoverflow.com
281- </ span >
282- </ a > < br >
283- < div class =br > </ div >
284- so i thought i'd write a blog post about it anyway< br >
277+ so i thought i'd write a blog post about it anyway
278+ < br >
285279 < div class =br > </ div >
286280 Discover how to overcome the content-security-policy for a website.
287281 </ p >
288282 </ div >
289283
290284
291285 < h3 class =blog-hdr style ='margin-bottom:0 '>
292- Manifest v2
286+ Browser Extensions Manifest v2
293287 </ h3 >
294288
295289 < section class =blog-text >
296- so right off the bat, manifest v2 is capable of removing the contest-security-policy on a web request< br >
290+ so right off the bat, manifest v2 is capable of removing the contest-security-policy on a web request
291+ < br >
297292 firefox still ( currently, at the time of writing ) supports manifest v2, it has the bindings for manifest v3 but
298- they are just stubs that do nothing< br >
293+ they are just stubs that do nothing
294+ < br >
299295 < div class =br > </ div >
300296 chromium and hence google chrome, edge, brave, opera and any of the myriad of browsers that are based on chromium do
301- not support manifest v2< br >
297+ not support manifest v2
298+ < br >
302299 < div class =br > </ div >
303- google's official stance on manifest v3 changes< br >
300+ google's official stance on manifest v3 changes
301+ < br >
304302 < div class =br > </ div >
305- To prevent extensions from weakening site security. Allowing CSP removal would undermine protections against XSS and remote code injection.< br >
303+ To prevent extensions from weakening site security. Allowing CSP removal would undermine protections against XSS and remote code injection.
304+ < br >
306305 < div class =br > </ div >
307306 < a href ='https://developer.chrome.com/docs/extensions/migrating/improve-security/ '>
308307 Improve extension security
@@ -311,21 +310,25 @@ <h3 class=blog-hdr style='margin-bottom:0'>
311310 </ span >
312311 </ a >
313312 < div class =br > </ div >
314- for those who wish to develop using the old manifest v2, previous versions of chromium can be downloaded from< br >
313+ for those who wish to develop using the old manifest v2, previous versions of chromium can be downloaded from
314+ < br >
315315 < a href ='https://www.chromium.org/getting-involved/download-chromium/#downloading-old-builds-of-chrome-chromium '>
316316 Downloading old builds of Chrome / Chromium
317317 < span class =link-domain >
318318 chromium.org
319319 </ span >
320320 </ a >
321321 < div class =br > </ div >
322- manifest V3 is supported generally in Chrome 88 ( January 19th, 2021 ) or later.< br >
322+ manifest V3 is supported generally in Chrome 88 ( January 19th, 2021 ) or later.
323+ < br >
323324 </ section >
324325
325326
326327 < section class =blog-text >
327328 < h3 class =blog-hdr >
328329 Firefox Manifest V2 Extension Remove CSP
330+ < div class =spc > </ div >
331+ < input value ='download firefox extension ' type =button >
329332 </ h3 >
330333
331334 < img src ='ext/firefox/cubes.png '>
@@ -339,6 +342,8 @@ <h3 class=blog-hdr>
339342 < section class =blog-text >
340343 < h3 class =bog-hdr >
341344 Google Chrome Manifest V3 Extension Remove CSP ( doesn't work )
345+ < div class =spc > </ div >
346+ < input value ='download chrome extension ' type =button >
342347 </ h3 >
343348
344349 < img src ='ext/chrome/cubes.png '>
@@ -352,6 +357,8 @@ <h3 class=bog-hdr>
352357 < section class =blog-text >
353358 < h3 >
354359 How to Tell if it Worked?
360+ < div class =spc > </ div >
361+ < input value ='download websocket server ' type =button >
355362 </ h3 >
356363 < p >
357364 Well the test in question was on a webpage protected with a content-security-policy, create a websocket
379386 < section class =blog-text >
380387 < h3 >
381388 bypassing content-security policy with a mitm proxy
389+ < div class =spc > </ div >
390+ < input value ='download mitm proxy ' type =button >
382391 </ h3 >
383392 < p >
384393 so, we can bypass the content-security-protocol header with a mitm proxy and remove the header before sending it to the
424433 < section class =blog-text >
425434 < h3 >
426435 Running Code in the Webpage
436+ < div class =spc > </ div >
437+ < input value ="download js extension " type =button >
427438 </ h3 >
428439 < p >
429440 The original question identified that they opened dev tools and then pasted in the websocket client code, to be able to run the code< br >
453464
454465 < script >
455466
467+
468+ var jszip ;
469+
456470
457471 var btn = { } ;
458472 btn . download = { } ;
@@ -478,8 +492,12 @@ <h3>
478492 ex [ 'ext-js-popup-html' ] . initdom ( ) ;
479493 ex [ 'ext-js-popup-js' ] . initdom ( ) ;
480494
481-
495+
496+ $ ( '[value="download firefox extension"]' ) . onclick = btn . download [ 'firefox-extension' ] ;
497+ $ ( '[value="download chrome extension"]' ) . onclick = btn . download [ 'chrome-extension' ] ;
498+ $ ( '[value="download mitm proxy"]' ) . onclick = btn . download [ 'mitm-proxy' ] ;
482499 $ ( '[value="download test-server"]' ) . onclick = btn . download [ 'test-server' ] ;
500+ $ ( '[value="download js extension"]' ) . onclick = btn . download [ 'js-extension' ] ;
483501
484502
485503
@@ -489,17 +507,41 @@ <h3>
489507 //:
490508
491509
510+ btn . download [ 'firefox-extension' ] = function ( ) {
511+
512+ download . zip ( 'firefox' , 'ext/firefox/manifest.json' , 'ext/firefox/extension.js' , 'ext/firefox/cubes.png' ) ;
513+
514+ } //firefox-extension
515+
516+
517+ btn . download [ 'chrome-extension' ] = function ( ) {
518+
519+ download . zip ( 'chrome' , 'ext/chrome/manifest.json' , 'ext/chrome/extension.js' , 'ext/chrome/cubes.png' ) ;
520+
521+ } //chrome-extension
522+
523+
524+ btn . download [ 'mitm-proxy' ] = function ( ) {
525+
526+ download . file ( 'proxy/mitm-proxy.js' ) ;
527+
528+ } //mitm-proxy
529+
530+
492531 btn . download [ 'test-server' ] = function ( ) {
493532
494- download ( 'test-server' , 'server/test-server.js' ) ;
533+ download . file ( 'server/test-server.js' ) ;
495534
496535 } //test-server
497536
498-
537+
538+ btn . download [ 'js-extension' ] = function ( ) {
539+
540+ download . zip ( 'ext-js' , 'ext-js/manifest.json' , 'ext-js/extension.js' , 'ext-js/content-script.js' , 'ext-js/popup/popup.html' , 'ext-js/popup/popup.js' ) ;
541+
542+ } //js-extension
499543 //:
500-
501-
502- var jszip ;
544+
503545
504546 async function load_jszip ( ) {
505547
@@ -529,7 +571,29 @@ <h3>
529571 } //load_jszip
530572
531573
532- async function download ( root , ...files ) {
574+ function download ( blob , name ) {
575+
576+ name ||= blob . name ;
577+ var url = window . URL . createObjectURL ( blob ) ;
578+ var a = document . createElement ( 'a' ) ;
579+ a . download = blob . name ;
580+ a . href = url ;
581+ a . click ( ) ;
582+
583+ } //blob
584+
585+
586+ download . file = async function ( path ) {
587+
588+ var fn = path . split ( '/' ) . at ( - 1 ) ;
589+ var { blob, error} = await get ( path ) ;
590+ if ( error ) return ;
591+ download ( blob , fn ) ;
592+
593+ } //file
594+
595+
596+ download . zip = async function ( root , ...files ) {
533597
534598 if ( ! jszip ) {
535599 var { error} = await load_jszip ( ) ;
@@ -559,48 +623,49 @@ <h3>
559623 }
560624
561625 var blob = await zip . generateAsync ( { type :'blob' } ) ;
562- var url = window . URL . createObjectURL ( blob ) ;
563- var a = document . createElement ( 'a' ) ;
564- a . download = `${ root } .zip` ;
565- a . href = url ;
566- a . click ( ) ;
567-
626+ download ( blob , `${ root } .zip` ; ) ;
568627
569- async function get ( path ) {
628+ } //download
629+
630+
631+ async function get ( url ) {
632+
633+ var err ;
634+ try {
570635
571- //var url = `https://raw.githubusercontent.com/javascript-2020/${repo}/main/${path}`;
572- var url = path ;
636+ var res = await fetch ( url ) ;
573637
574- var err ;
575- try {
576-
577- var res = await fetch ( url ) ;
578-
579- } //try
580- catch ( err2 ) {
581-
582- err = err2 ;
583-
584- } //catcg
585- if ( err ) {
586- var error = err . toString ( ) ;
587- log . red ( error ) ;
588- return { error} ;
589- }
590- if ( ! res . ok ) {
591- var txt = await res . text ( ) ;
592- var error = res . status + ' ' + res . statusText ;
593- log . red ( error ) ;
594- return { error} ;
595- }
596-
597- var blob = await res . blob ( ) ;
598- return { blob} ;
638+ } //try
639+ catch ( err2 ) {
640+
641+ err = err2 ;
599642
600- } //get
643+ } //catcg
644+ if ( err ) {
645+ var error = err . toString ( ) ;
646+ log . red ( error ) ;
647+ return { error} ;
648+ }
649+ if ( ! res . ok ) {
650+ var txt = await res . text ( ) ;
651+ var error = res . status + ' ' + res . statusText ;
652+ log . red ( error ) ;
653+ return { error} ;
654+ }
601655
602- } //download
656+ var blob = await res . blob ( ) ;
657+ return { blob} ;
658+
659+ } //get
603660
661+
662+ get . raw = function ( repo , path ) {
663+
664+ var url = `https://raw.githubusercontent.com/javascript-2020/${ repo } /main/${ path } ` ;
665+ var result = get ( url ) ;
666+ return result ;
667+
668+ } //raw
604669
605670
606671 </ script >
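Review bot: The `download.zip` call on new line 626 carries a stray semicolon inside the argument list (`download(blob, `${root}.zip`;);`), which is a syntax error that stops the whole inline script from parsing, so none of the newly wired buttons can work; it should read `download(blob, `${root}.zip`);` (the body of `download.zip` begins in the previous hunk). In the new `download(blob, name)` helper the normalised `name` is then never used: line 579 sets `a.download = blob.name`, and a Blob from `generateAsync` has no `name`, so the file is saved under a browser-chosen name rather than `firefox.zip`; change it to `a.download = name;`. The object URL created on line 577 is never released either; `URL.revokeObjectURL(url)` after `a.click()` avoids keeping the blob alive for the page lifetime. Separately, the button added at new line 361 has the value `download websocket server`, while the only binding for the test server (line 499) still targets `[value="download test-server"]`; unless a matching button exists outside these hunks, that selector yields null and the new button is never wired, so the binding should probably be `$('[value="download websocket server"]').onclick = btn.download['test-server'];`.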