
ResponseFilterBrowser - Add new Source

Posted: Thu Jun 23, 2022 9:16 am
by dilfich
Hi!
In the demo version, I changed the "ReplaceBufferText" procedure to add data.

Code:

TempAnsiString := TempAnsiString + NEW_TEXT;
data_out_written:= UIntPtr(length(TempAnsiString));
Everything seems to be fine, everything is added. But not exactly what I wanted. :(
I planned to add a script to the page in a similar way, for example, "<script>alert("Hello, World!");</script>". It appears in the source code of the page, but it does not work.

As I understand it, this is done later than necessary. Maybe I'm doing something wrong? How can I make it work?

Re: ResponseFilterBrowser - Add new Source

Posted: Thu Jun 23, 2022 12:12 pm
by dilfich
I connected the console, it turned out that the execution was blocked. :?
Console: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'report-sample' 'nonce-tgJzjxB1R9mUc2FipTKlAw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
It doesn't help, what else can I do?

Code:

  GlobalCEFApp.AllowInsecureLocalhost           := True;
  GlobalCEFApp.DisableWebSecurity               := True;
  GlobalCEFApp.AllowRunningInsecureContent      := True;
  GlobalCEFApp.AllowFileAccessFromFiles         := True;
  GlobalCEFApp.AllowUniversalAccessFromFileUrls := True;
  GlobalCEFApp.DisableSiteIsolationTrials       := True;

Re: ResponseFilterBrowser - Add new Source

Posted: Thu Jun 23, 2022 1:03 pm
by salvadordf
This is a pure JavaScript issue and I'm not a JavaScript expert, but search for:
Refused to execute inline script because it violates the following Content Security Policy directive
You'll see several questions at stackoverflow.com with the same problem and some solutions.

Re: ResponseFilterBrowser - Add new Source

Posted: Thu Jun 23, 2022 1:39 pm
by dilfich
I looked, of course, but it's not clear whether it can be changed in the browser or only on the server.

Re: ResponseFilterBrowser - Add new Source

Posted: Fri Jun 24, 2022 7:58 am
by dilfich
In general, I figured it out, maybe someone is interested. :)

You need to add a hash to the script and then it will work.
<script nonce="11rC4LWWjVUcbnNoWyaJWg">alert("Hello, World!");</script>

We take the hash itself from the headers of the server response for the desired page. (I'm testing on Google.)
Chromium1ResourceResponse
content-security-policy: script-src 'report-sample' 'nonce-11rC4LWWjVUcbnNoWyaJWg' 'unsafe-inli....
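
The console message quoted earlier in the thread follows from how a browser evaluates `script-src` for an inline script. As an added example (not code from the thread or from CEF4Delphi), this JavaScript sketch reproduces that decision; the function names are hypothetical and it simplifies the CSP algorithm to nonce, hash and `'unsafe-inline'` handling for a single policy.

```javascript
const crypto = require("crypto");

// Source list governing inline <script> elements, or null when the policy
// has no script-src-elem, script-src or default-src directive.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get("script-src-elem") ?? directives.get("script-src") ??
    directives.get("default-src") ?? null;
}

// Would an inline script with this nonce attribute and body run, and why?
function inlineScriptVerdict(policy, nonceAttr, body) {
  const sources = scriptSources(policy);
  if (sources === null) return { allowed: true, reason: "no script directive" };
  const nonces = [], hashes = [];
  let unsafeInline = false, strictDynamic = false;
  for (const s of sources) {
    const m = /^'(nonce|sha256|sha384|sha512)-([^']+)'$/i.exec(s);
    if (m && m[1].toLowerCase() === "nonce") nonces.push(m[2]);
    else if (m) hashes.push({ alg: m[1].toLowerCase(), value: m[2] });
    else if (/^'unsafe-inline'$/i.test(s)) unsafeInline = true;
    else if (/^'strict-dynamic'$/i.test(s)) strictDynamic = true;
  }
  if (nonceAttr && nonces.includes(nonceAttr)) return { allowed: true, reason: "nonce match" };
  for (const h of hashes) {
    const digest = crypto.createHash(h.alg).update(body, "utf8").digest("base64");
    if (digest === h.value) return { allowed: true, reason: "hash match" };
  }
  // A nonce, hash or 'strict-dynamic' in the list switches 'unsafe-inline' off.
  if (unsafeInline && !nonces.length && !hashes.length && !strictDynamic) {
    return { allowed: true, reason: "unsafe-inline" };
  }
  return { allowed: false, reason: unsafeInline ? "unsafe-inline ignored" : "no matching source" };
}

// Policy copied from the console message quoted in the thread.
const POLICY = "script-src 'report-sample' 'nonce-tgJzjxB1R9mUc2FipTKlAw' " +
  "'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval'";
const BODY = 'alert("Hello, World!");';
console.log(inlineScriptVerdict(POLICY, null, BODY));
console.log(inlineScriptVerdict(POLICY, "tgJzjxB1R9mUc2FipTKlAw", BODY));
```

A nonce is valid only for the response that carried it, which is why the value in the console message differs from the one in the later post.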

Re: ResponseFilterBrowser - Add new Source

Posted: Mon Jun 27, 2022 6:15 pm
by dilfich
As it turned out, the headers are not particularly needed and the hash can be found in the source code of the page.
Another question arose, I did the same thing in the "CopyScript" procedure and it still works without problems.

How to add your entry to a page or a document correctly? After all, it goes in parts and the biggest problem is if there is a script that loads the frame. Where is the ending to add your entry to the end, how to understand?

Loading the frame is essentially on the same page; how to filter it out, I don't understand.
That is, I filter by the link, which in turn loads additional data. A frame within a frame.

Re: ResponseFilterBrowser - Add new Source

Posted: Mon Jun 27, 2022 7:09 pm
by salvadordf
The image replacement does something similar but inserting new text is a lot more complicated because you have to be careful with the text encoding.

Read the code comments in TResponseFilterBrowserFrm.ReplaceLogo

It should be possible to insert new text but I have never tried it.