如何克服Ajax内容安全策略指令？

Question

I am injecting some JS code on various websites (using Selenium and Python) to send POST requests to my local web server. On some websites it works fine. But mostly, I don't get the requests. Figured it's because of the Content Security Policy.

For example, when I try to run the code using Console in Chrome on github.com, I get a following error:

Refused to connect to ' http://10.50.50.127:7777/ ' because it violates the following Content Security Policy directive: "connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com ...".

My code looks like this:

function sendData() {
            var request = new XMLHttpRequest();
            request.open('POST', 'http://10.50.50.127:7777', false);  
            request.send("test");
        }

I did some research on my own, and found a possible solution - to use a local proxy server and send data to a relative path like "/test". But it's pretty complicated to write a proxy server from scratch.

So, what can I do to overcome this Content Security Policy?

Answer 1

If you controlled over both of sides then you can use.

https://easyxdm.net/wp/

Regards

Answer 2

I figured it! Turns out you can just disable all of the security checks:

chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--disable-web-security')
chrome_options.add_argument('--allow-running-insecure-content')
browser = webdriver.Chrome(chrome_options=chrome_options)

Answer 3

If your using Chrome and you want to disable Content Security Policy you can also use a plugin called Disable Content-Security-Policy from Chrome Web Store. This is the plugin for Chrome to disable headers. I inject JS via Tampermonkey (Chrome) and this works fine.