Github: unfold commit history

Adds "unfold all changesets" buttons (hotkey: f) above/below Commit History pages at github, letting you browse the source changes without leaving the page. (Click a commit header again to re-fold it.) You can also fold or unfold individual commits by clicking on non-link parts of the commit. As a bonus, all named commits get their tag/branch names annotated in little bubbles on the right.


Review: Bad - script does not work

§
Posted: 2014-06-07

Doesn't work because of Content Security Policy

Your script sounds interesting, but it doesn't seem to work. I tried the script in both Greasemonkey & Scriptish without success.

In the error console I'm getting the following message twice:

Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked

The reason for this is probably the way you tried to inject your script into Github when running on https.
When building my scripts for Github I never had that problem, you might want to check those out.

Hope you can fix this.

Firefox 30.0 RC1
Greasemonkey 1.15
Scriptish 0.1.11
Windows 7

§
Posted: 2014-06-07
Content Security Policy

Try about:config -> security.csp.experimentalEnabled true.
And here is hot discussion on this new Firefox "feature" at bugzilla.mozilla.org

§
Posted: 2014-06-07

sorry, the right pref is: security.csp.experimentalEnabled false .

§
Posted: 2014-06-07

sorry again, security.csp.enable false

§
Posted: 2014-06-08
> Content Security Policy
> Try about:config -> security.csp.experimentalEnabled true.
> And here is hot discussion on this new Firefox "feature" at bugzilla.mozilla.org


Thank you for your input. I actually don't want a workaround, but a real solution. As said above I have multiple Github scripts that do work.

§
Posted: 2014-06-08
Edited: 2014-06-09

Github has what I think must be an unusually strict CSP:

default-src *; 
script-src assets-cdn.github.com www.google-analytics.com collector-cdn.github.com; 
object-src assets-cdn.github.com; 
style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com; 
font-src assets-cdn.github.com

The script-src does not allow execution of inline scripts (does not have "unsafe-inline"), so Firefox disables inline scripts in the page. As a result, the userscript that is the subject of this thread can inject the script but Firefox will not execute it.

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#Supported_policy_directives

The "solution" is to execute the code from the userscript. I was able to inject a button into the page with an event listener pointing back at the userscript, so at least a basic UI is possible. But I'm not sure about more complicated stuff.

Tested Script:

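// Runs in the userscript's own context, so the page's CSP does not block it.
function yellowbod() {
  document.body.style.backgroundColor = "yellow";
}
// Build the button with DOM APIs and attach the listener from the userscript
// (no inline <script> or on* attribute is injected into the page).
var s = document.createElement("button");
s.addEventListener("click", yellowbod, false);
s.appendChild(document.createTextNode("TEST"));
document.body.appendChild(s);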


Edit: Here's a page to test some of the possible script-src directives against bookmarklets and userscripts:
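
Added example, not part of the original posts: a small Node.js check of the policy quoted above, showing that neither `default-src *` nor the `'unsafe-inline'` in `style-src` permits inline scripts. The function names and the sample script URL are constructed for illustration, and the matching is simplified (no nonces, hashes, schemes or ports).

```javascript
// Policy text as quoted in the thread (GitHub's CSP in June 2014).
const GITHUB_CSP_2014 = [
  "default-src *",
  "script-src assets-cdn.github.com www.google-analytics.com collector-cdn.github.com",
  "object-src assets-cdn.github.com",
  "style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com",
  "font-src assets-cdn.github.com",
].join("; ");

// Split a CSP header value into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

// script-src governs scripts; default-src applies only when script-src is absent.
function effectiveScriptSources(directives) {
  return directives["script-src"] ?? directives["default-src"] ?? null;
}

// Simplified: ignores nonces and hashes, which this policy does not use.
function inlineScriptsAllowed(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true; // no restriction on scripts at all
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Simplified host match: exact host, "*", or "*.example.com" wildcard only.
function externalScriptAllowed(policy, url) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  const host = new URL(url).hostname;
  return sources.some((s) =>
    s === "*" || s === host || (s.startsWith("*.") && host.endsWith(s.slice(1))));
}

// The URL below is a constructed sample, not a real asset path.
console.log("inline <script> allowed:", inlineScriptsAllowed(GITHUB_CSP_2014));
console.log("CDN script allowed:",
  externalScriptAllowed(GITHUB_CSP_2014, "https://assets-cdn.github.com/app.js"));
```
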
