Disable CSP (headers AND meta tag) in Chromium based browsers
Note: This article is about Chromium based browsers.
Remember the days when computers were configured to present the filesystem to the network by default in read/write mode? Those were the days. Today, though, everything is configured for security and browsers are no exceptions. One thing that annoyed me yesterday was CSP (Content Security Policy) which disallowed me to fetch from a web site information from another web site which was happy to provide it. The culprit was a meta tag that looks like this:<meta http-equiv="Content-Security-Policy" content="...">
The content was configuring default-src, connect-src, style-src, frame-src, worker-src, img-src, script-src, font-src! Everything. But I wasn't looking for a hack to disable CSP (well I was, but that's another story), I just wanted to test that, given a friendly CSP, I could connect to a specific web site and get the data that I wanted and do something with it. Surely in the developer tools of the browser I would find something that would allow me to temporarily disable CSP. No such luck!
Then I looked on the Internet to see what people were saying. All were complaining about "Refused to connect to [url] because it violates the following Content Security Policy directive..." and how it annoyed them, but there was no real solution. Here is what I found:
- browser extensions to remove the CSP header
- I assume this works, but it wasn't my case
- browser extensions to remove content from the page from the Developer Tools
- I tried one, but when it changed the content now the browser was crashing with an ugly Aw, snap! page with a Status_Access_Violation status
- I tried ticking the web site's settings for Insecure content
- How naïve to think that it would allow loading of insecure content
- I tried browser command line flags and experimental flags
- nothing worked
I was contemplating hacking the browser somehow when I stumbled upon this gem: Override files and HTTP response headers locally.
It is almost exactly what I was looking for, only it doesn't replace content with regular expressions but saves the entire content of a URL on the local drive and serves it from there, modified in whatever way you want. So if you want to alter a server rendered page you're out of luck.
How did I use it to remove the CSP? I went to sources, I configured the local overrides and I then edited the page (in the Sources panel) and simply deleted the annoying meta tag. Now it worked.
Hope it helps!
Comments
Be the first to post a comment