Tamperish not working with domains restricting styles injection via Content-Security-Policy #12

Open
oneeyedman opened this issue Jan 7, 2025 · 5 comments

Comments

@oneeyedman

I'm having trouble getting the Tamperish extension to work with ".online" domains. I've even created a custom CSS file to apply styles to all web pages, but the styles aren't applied to websites with the ".online" TLD.

I've tried the following troubleshooting steps:

  • Enabled the extension: Tamperish is enabled in my Safari settings.
  • Checked permissions: I've granted Tamperish the necessary permissions.
  • Verified CSS: The CSS code is valid and works on other domains.

Additional context:

  • Safari: v18.2
  • Tamperish: v1.2
  • MacOS: Sequoia 15.2

Could you please investigate this issue? And let me know if you need any further information. :) :)

@username0x0a
Owner

username0x0a commented Jan 7, 2025

I've just tested it with minesweeper.online and it works just as expected. 🤔 Do you have some example file & configuration that I could check? 👀

@oneeyedman
Author

oneeyedman commented Jan 7, 2025

Hmm... it seems like it might be something specific to this domain "laterracita.online", because I've tried the one you mentioned, and it works like a charm.

For the test, I've used a simple body {border: 10px solid green}, but if I try it with a similar extension from Firefox, it does accept it. Can you think of what might be happening?

@username0x0a
Owner

username0x0a commented Jan 7, 2025

You are very correct 👍 it's caused by the security setup of the site set by the HTTP Header which defines the following:

Content-Security-Policy: ... style-src 'self' https://laterracita.online 'nonce-IeZFz4szs2sXZCyaW6ZDBg=='; ...

which effectively causes the <style> injected by Tamperish to be rejected due to neither being injected by a script from the laterracita.online domain nor marked with the nonce identifier provided – you can see both the injection and the error message in Web Inspector Console.

You probably won't be able to add any user script as well, as script-src has the same restrictions. Hmm, scripts seem to work 🤔 so in the meantime you could inject the CSS manually using JavaScript. 💡

I guess Tamperish could read & respect this value, and use it during injection if a nonce identifier is provided, but I'll definitely have to dig into this mechanism (first time I see it 😄) & I hope the export of the value in <meta> tag is some sort of standard way of getting it when needed. 🤞

@username0x0a
Owner

username0x0a commented Jan 7, 2025

Okay 😄 if you also add a Script tamper like this:

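// Re-insert the <style> injected by Tamperish, tagged with the page's CSP nonce
window.addEventListener('load', function() {
	// The site publishes its style nonce in <meta name="style-nonce">
	var meta = document.head.querySelector('meta[name="style-nonce"]')
	var style = document.head.querySelector('style[id^="_tamperish__adjustments"]')
	// Nothing to do if the page exposes no nonce or no style was injected
	if (!meta || !style) return
	var parent = style.parentNode
	// Remove, add the nonce and append again, so the element is inserted carrying the nonce
	parent.removeChild(style)
	style.setAttribute('nonce', meta.content)
	parent.appendChild(style)
})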

you should be good for now. 👌 It'll tweak the <style> currently injected by the extension so that it's applied.
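
Added example, not part of the thread or of Tamperish's code: a simplified JavaScript model of the check a browser applies to an inline <style> under the style-src directive quoted above, showing why the element is rejected as injected and accepted once it carries the page's nonce. Function names are hypothetical, hash sources are not modelled, and the rest of the site's header is omitted.

```javascript
// Added example: simplified model of how CSP is applied to an inline <style>.
// Function names are hypothetical; hash sources ('sha256-...') are not verified.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Decide whether an inline <style nonce="..."> element may be applied.
function inlineStyleAllowed(header, elementNonce) {
  const policy = parseCsp(header);
  // Fallback chain for <style> elements.
  const sources = ['style-src-elem', 'style-src', 'default-src']
    .map((d) => policy.get(d))
    .find((s) => s !== undefined);
  if (sources === undefined) return true; // no directive governs styles

  const nonces = sources
    .map((s) => /^'nonce-(.+)'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  // The nonce value itself is compared case-sensitively.
  if (elementNonce && nonces.includes(elementNonce)) return true;

  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // 'unsafe-inline' is ignored as soon as a nonce or hash source is present.
  // 'self' and host sources only match stylesheet URLs, never inline <style>.
  return unsafeInline && nonces.length === 0 && !hasHash;
}

// style-src directive quoted in the thread; the rest of the header is omitted.
const SITE_CSP =
  "style-src 'self' https://laterracita.online 'nonce-IeZFz4szs2sXZCyaW6ZDBg=='";
const SITE_NONCE = 'IeZFz4szs2sXZCyaW6ZDBg==';

console.log(inlineStyleAllowed(SITE_CSP, null));       // style as injected
console.log(inlineStyleAllowed(SITE_CSP, SITE_NONCE)); // after the workaround
```

A site that rotates its nonce per response needs the value read at load time, which is why the workaround takes it from the page rather than hard-coding it.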

@username0x0a username0x0a changed the title Tamperish extension not working with .online domains Tamperish not working with domains restricting styles injection via Content-Security-Policy Jan 7, 2025
@username0x0a username0x0a pinned this issue Jan 7, 2025
@oneeyedman
Author

WOOO! IT WORKSS!!!!! ❤️__❤️

Thanks!
