ResponseFilterBrowser - Add new Sourse

[dilfich]

Hi!
In the demo version, I changed the "ReplaceBufferText" procedure to add data.

Code: Select all

TempAnsiString := TempAnsiString + NEW_TEXT;
data_out_written:= UIntPtr(length(TempAnsiString));

Everything seems to be fine, everything is added. But not exactly what I wanted.
I planned to add a script to the page in a similar way, for example, "<script>alert("Hello, World!");</script>", it appears in the source code of the page, but not works.

As I understand it, this is done too late than necessary, maybe I'm doing something wrong or how to make it work?

[dilfich]

I connected the console, it turned out that the execution was blocked.

Console: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'report-sample' 'nonce-tgJzjxB1R9mUc2FipTKlAw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

It doesn't help, what else can I do?

Code: Select all

  GlobalCEFApp.AllowInsecureLocalhost := True;
  GlobalCEFApp.DisableWebSecurity         := True;
  GlobalCEFApp.AllowRunningInsecureContent:= True;
  GlobalCEFApp.AllowFileAccessFromFiles:= True;
  GlobalCEFApp.AllowUniversalAccessFromFileUrls:= True;
  GlobalCEFApp.DisableSiteIsolationTrials:= True;

[salvadordf]

This is a pure JavaScript issue and I'm not a JavaScript expert but search :

Refused to execute inline script because it violates the following Content Security Policy directive

You'll see several questions at stackoverflow.com with the same problem and some solutions.

[dilfich]

I look of course, but it's not clear, it can be changed in the browser or only on the server..

[dilfich]

In general, I figured it out, maybe someone is interested.

You need to add a hash to the script and then it will work.
<script nonce="11rC4LWWjVUcbnNoWyaJWg">alert("Hello, World!");</script>

We take the hash itself in the headers of the server response of the desired page. (I'm testing on google)
Chromium1ResourceResponse
content-security-policy: script-src 'report-sample' 'nonce-11rC4LWWjVUcbnNoWyaJWg' 'unsafe-inli....

[dilfich]

As it turned out, the headers are not particularly needed and they hash can be found in the source code of the page.
Another question arose, I did the same thing in the "CopyScript" procedure and it still works without problems.

How to add your entry to a page or a document correctly? After all, it goes in parts and the biggest problem is if there is a script that loads the frame. Where is the ending to add your entry to the end, how to understand?

Loading the frame is essentially on the same page, how to filter it out, I don't understand.
that is, I filter by the link, which in turn loads additional data. a frame within a frame. %

[salvadordf]

The image replacement does something similar but inserting new text is a lot more complicated because you have to be careful with the text encoding.

Read the code comments in TResponseFilterBrowserFrm.ReplaceLogo

It should be possible to insert new text but I have never tried it.