fix: revert firefox csp revise

WindRunnerMax · WindRunnerMax · commit 427f6ae1087a · 2024-12-08T11:56:40.000+08:00
diff --git a/packages/force-copy/package.json b/packages/force-copy/package.json
@@ -1,6 +1,6 @@
 {
   "name": "force-copy",
-  "version": "1.0.9",
+  "version": "1.0.10",
   "author": "Czy",
   "license": "MIT",
   "sideEffects": false,
@@ -10,8 +10,8 @@
     "dev:rollup": "cross-env NODE_ENV=development rollup -wc",
     "dev:gecko": "cross-env NODE_ENV=development PLATFORM=gecko rspack build --watch",
     "build:gecko": "rm -rf build-gecko && cross-env PLATFORM=gecko rspack build",
-    "build:zip": "mkdir -p .zip && cd build && zip -r ../.zip/chromium.zip .",
-    "build:zip:gecko": "mkdir -p .zip && cd build-gecko && zip -r ../.zip/gecko.zip .",
+    "build:zip": "mkdir -p .zip && rm -f .zip/chromium.zip && cd build && zip -r ../.zip/chromium.zip .",
+    "build:zip:gecko": "mkdir -p .zip && rm -f .zip/gecko.zip && cd build-gecko && zip -r ../.zip/gecko.zip .",
     "lint:ts": "../../node_modules/typescript/bin/tsc --noEmit"
   },
   "repository": {
diff --git a/packages/force-copy/src/content/runtime/script.ts b/packages/force-copy/src/content/runtime/script.ts
@@ -26,6 +26,11 @@ export const importInjectScript = () => {
       script.onload = () => {
         script.remove();
         // 如果仍然不存在 尝试在 Content Script 中执行
+        // 在 Content Script 中执行可以保证 DOM 事件类型的处理
+        !unsafeWindow[signal] && fn();
+      };
+      script.onerror = () => {
+        script.remove();
         !unsafeWindow[signal] && fn();
       };
     }
diff --git a/packages/force-copy/src/manifest/index.ts b/packages/force-copy/src/manifest/index.ts
@@ -56,14 +56,7 @@ if (process.env.PLATFORM === "gecko") {
   __MANIFEST__.background = {
     scripts: [__MANIFEST__.background.service_worker],
   };
-  __MANIFEST__.permissions = [
-    "activeTab",
-    "tabs",
-    "webRequest",
-    "webRequestBlocking",
-    "management",
-    ...__URL_MATCH__,
-  ];
+  __MANIFEST__.permissions = ["activeTab", "tabs", "webRequest", "management", ...__URL_MATCH__];
   __MANIFEST__.browser_specific_settings = {
     gecko: { strict_min_version: "91.1.0" },
     gecko_android: { strict_min_version: "91.1.0" },
diff --git a/packages/force-copy/src/utils/logger.ts b/packages/force-copy/src/utils/logger.ts
@@ -14,25 +14,25 @@ class Logger {
 
   info(...args: unknown[]) {
     if (this.level <= LOG_LEVEL.INFO) {
-      console.log("FC Log: ", ...args);
+      console.log("FC Log:", ...args);
     }
   }
 
   trace(...args: unknown[]) {
     if (this.level <= LOG_LEVEL.INFO) {
-      console.trace("FC Trace: ", ...args);
+      console.trace("FC Trace:", ...args);
     }
   }
 
   warning(...args: unknown[]) {
     if (this.level <= LOG_LEVEL.WARNING) {
-      console.warn("FC Warning: ", ...args);
+      console.warn("FC Warning:", ...args);
     }
   }
 
   error(...args: unknown[]) {
     if (this.level <= LOG_LEVEL.ERROR) {
-      console.error("FC Error: ", ...args);
+      console.error("FC Error:", ...args);
     }
   }
 }
diff --git a/packages/force-copy/src/worker/runtime/script.ts b/packages/force-copy/src/worker/runtime/script.ts
@@ -49,12 +49,14 @@ export const importWorkerScript = () => {
 
   // #IFDEF GECKO
   logger.info("Register Inject Scripts By Content Script Inline Code");
-  // 使用 cross.tabs.executeScript 得到的 window 是 content window
-  // 此时就必须要使用 inject script 的方式才能正常注入脚本
-  // 然而这种方式就会受到 content security policy 策略的限制
+  // 使用 cross.tabs.executeScript 得到的 Window 是 Content Window
+  // 此时就必须要使用 Inject Script 的方式才能正常注入脚本
+  // 然而这种方式就会受到 Content Security Policy 策略的限制
   // https://github.com/violentmonkey/violentmonkey/issues/1001
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
   // https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onHeadersReceived
-  chrome.webRequest.onHeadersReceived.addListener(
+  // https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onResponseStarted
+  chrome.webRequest.onResponseStarted.addListener(
     res => {
       if (!res.responseHeaders) return void 0;
       if (res.type !== "main_frame" && res.type !== "sub_frame") {
@@ -65,24 +67,14 @@ export const importWorkerScript = () => {
         // 仅处理 CSP 的问题
         if (responseHeaderName !== "content-security-policy") continue;
         const value = res.responseHeaders[i].value || "";
-        const types = value.split(";").map(it => it.trim());
-        const target: string[] = [];
-        // CSP 不支持多个 nonce, 但可以配置多个 hash
-        // 这里的 hash 会在编译时计算并替换资源
-        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
-        const hashed = "'sha256-${CSP-HASH}'";
-        for (const item of types) {
-          const [type, ...rest] = item.split(" ");
-          if (type === "script-src" || type === "default-src") {
-            target.push([type, hashed, ...rest].join(" "));
-            continue;
-          }
-          target.push(item);
-        }
-        // 覆盖原有的响应头, 扩展的 CSP 总是更倾向于更加严格的模式
-        // 实际测试中仅有完全抹除标头时, 才可以解决冲突的问题
-        res.responseHeaders[i].value = target.join(";");
-        // 存在 CSP 时尝试直接在 content script 中执行
+        // CSP 不支持多个 nonce, 但可以配置多个 sha-hash
+        // 这里的 hash 会在编译时计算并替换资源 'sha256-${CSP-HASH}'
+        // 但对 CSP 策略修改存在问题, 这里仅读取并尝试注入, 而不直接增加 hash
+        // 例如 'self' => ok / 'self'+'hash' => error 宽松到严格结构问题
+        // 此外即使覆盖原有的响应头, 扩展的 CSP 总是更倾向于更加严格的模式
+        // 在实际测试中, 仅有完全抹除标头时, 才可以实际解决多个扩展冲突的问题
+        // ...
+        // 存在 CSP 时尝试直接在 Content Script 中执行
         let code = [
           `if (window["${process.env.INJECT_FILE}"] && document instanceof XMLDocument === false) {`,
           `  window["${process.env.INJECT_FILE}"]();`,
@@ -102,7 +94,7 @@ export const importWorkerScript = () => {
           code = [
             CODE_PREFIX,
             `script.nonce = "${nonce[1]}";`,
-            `script.innerText = code`,
+            `script.innerText = code;`,
             CODE_SUFFIX,
           ].join("\n");
         }
@@ -125,13 +117,11 @@ export const importWorkerScript = () => {
         // @ts-expect-error filter params
         cross.tabs.onUpdated.addListener(onUpdate, { tabId: res.tabId });
       }
-      // 返回修改后的响应头配置
-      return {
-        responseHeaders: res.responseHeaders,
-      };
+      // onHeadersReceived 仅读取响应头而不修改
+      return void 0;
     },
     { urls: URL_MATCH, types: ["main_frame", "sub_frame"] },
-    ["blocking", "responseHeaders"]
+    ["responseHeaders"]
   );
   // #ENDIF
 };

Original file line number	Diff line number	Diff line change
`@@ -14,25 +14,25 @@ class Logger {`
`14`	`14`
`15`	`15`	`info(...args: unknown[]) {`
`16`	`16`	`if (this.level <= LOG_LEVEL.INFO) {`
`17`		`- console.log("FC Log: ", ...args);`
	`17`	`+ console.log("FC Log:", ...args);`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`trace(...args: unknown[]) {`
`22`	`22`	`if (this.level <= LOG_LEVEL.INFO) {`
`23`		`- console.trace("FC Trace: ", ...args);`
	`23`	`+ console.trace("FC Trace:", ...args);`
`24`	`24`	`}`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`warning(...args: unknown[]) {`
`28`	`28`	`if (this.level <= LOG_LEVEL.WARNING) {`
`29`		`- console.warn("FC Warning: ", ...args);`
	`29`	`+ console.warn("FC Warning:", ...args);`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`error(...args: unknown[]) {`
`34`	`34`	`if (this.level <= LOG_LEVEL.ERROR) {`
`35`		`- console.error("FC Error: ", ...args);`
	`35`	`+ console.error("FC Error:", ...args);`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`	`}`