Open Bug 1649375 Opened 4 years ago Updated 2 years ago

Implement Page.setBypassCSP


(Remote Protocol :: CDP, enhancement, P3)



(Not tracked)


(Reporter: whimboo, Unassigned)


(Blocks 2 open bugs)


(Whiteboard: [puppeteer-beta2-mvp])

CDP's Page.setBypassCSP allows ignoring CSP.

A few specifics of the method:

  • once CSP is disabled, it "sticks" even after page navigations.
  • CSP disabling propagates to subframes as well.

Olli, do you know of a way to bypass CSP internally in Gecko when a specific flag has been set? Or don't we have such a flag yet? If it doesn't exist, would we have to create it on the browsing context class? Maybe you could point us to where specific code to bypass CSP has to be added? Thanks a lot.

Flags: needinfo?(bugs)
Keywords: meta
Whiteboard: [method=Page.setBypassCSP] → [puppeteer-beta-reserve]

What is CDP?
On that website, what does "Page" refer to? Is it the same as Document or Window? Or does it perhaps refer to them both somehow?
Or is it BrowsingContext?

ckerschb might know better if we have some way to disable CSP already.

Flags: needinfo?(bugs) → needinfo?(ckerschb)

CDP is the Chrome DevTools Protocol that we are partially implementing to get support for Puppeteer. Page is a virtual domain, which acts like a collection of API endpoints related to the current web page. It's not related to document or window, but its code is run in the parent or framescript (JsWindowActorChild in the future).

(In reply to Olli Pettay [:smaug] from comment #2)
> ckerschb might know better if we have some way to disable CSP already.

We do not have any flag that allows you to disable the CSP at the moment. To be honest, that's also quite scary to me because e.g. we do apply a CSP to all of our system privileged about: pages as well.

When we decide to go down that route and add such a flag we need to carefully evaluate where we put it.

Flags: needinfo?(ckerschb)
Whiteboard: [puppeteer-beta-reserve] → [puppeteer-beta2-mvp]
Component: CDP: Page → CDP

Can't we use the patch from Playwright? I am sure they have a bypass CSP patch?

Yes, that's in their code, but it would need investigation into how it could be supported in Firefox's site-isolation mode. Given that the WebDriver BiDi work has precedence right now, we might see the need for such an API there as well, and then can get it implemented in a way that is standardized.
