CSP strikes again,
This morning I was trying to look at archive.org, and the website wouldn't load; it just showed a blank white page (not my blank page theme, which is dark).
I tried refreshing a few times, and it didn't work. Then I opened developer tools and noticed that every resource from the website is blocked by CSP. I know this is probably a wrong configuration by the archive.org developers causing the page not to load.
GET archive.org
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jul 2023 03:36:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
content-security-policy: base-uri 'self'; default-src *; img-src *; object-src 'none'; script-src https://archive.org/offshoot_assets/ https://*.archive.org/offshoot_assets/ https://offshoot.prod.archive.org/offshoot_assets/ https://archive.org/includes/ https://*.archive.org/includes/ https://offshoot.prod.archive.org/includes/ https://archive.org/components/ https://*.archive.org/components/ https://offshoot.prod.archive.org/components/ https://archive.org/jw/ https://*.archive.org/jw/ https://offshoot.prod.archive.org/jw/ https://av.prod.archive.org/js/ https://esm.archive.org/ https://polyfill.archive.org/v3/polyfill.min.js 'sha256-CoX53XgCdkM1zegYEEpMUeYIZnv663inNm8bQv2VRbM='; style-src 'unsafe-inline' https://archive.org/ https://*.archive.org/ https://offshoot.prod.archive.org/;
Strict-Transport-Security: max-age=15724800
Expires: Tue, 18 Jul 2023 03:51:25 GMT
Cache-Control: max-age=900
Referrer-Policy: no-referrer-when-downgrade
X-Content-Encoding-Over-Network: gzip
From the start, CSP has brought me nothing other than trouble. In fact, I have had so much trouble with it that when a website doesn't load or loads incompletely, I immediately hit F12 to see if anything is blocked by CSP.
I know some very knowledgeable people will come and tell me you will die instantly or turn to stone if you disable CSP, but I'm really fed up with this thing that is controlled by a header that can be changed with a proxy or even an extension, and which then controls how the browser will load a website, just the same way that some web developers use User-Agent and HTTP-Referer as a security measure in their websites.
I was able to disable CSP in Firefox 98 and browse the website, but I can't do it with Firefox 100 and above (109 currently).
I tried removing the CSP header with an extension; I can remove any header I want, but not CSP.
Apparently someone on the Firefox team is obsessed with removing user-modifiable features and making it harder and harder every day to achieve the same functionality (e.g. renaming about:config settings, disabling or removing them), or in other words, pushing their will on their end users about how they should use their browser.
I'm a software developer, I can recompile Firefox, and I want CSP, and in fact any behavior that relies on an HTTP header, to be gone, but I'm really busy with my own work and don't have time to read through the entire Firefox code.
I would like to ask if someone can direct me to the part of the Mozilla code that contains CSP, so I can remove it and compile the thing again so I have a browser that doesn't block me from what I like to do.
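Added example, not part of the original post and not archive.org's or Mozilla's code: a simplified matcher that evaluates the policy quoted in the headers above against resource URLs, to show which source list governs a request and whether it passes. The sample URLs in the test are constructed, `parsePolicy`, `matchesSource` and `allows` are hypothetical names, and only the source forms present in this policy are handled (`*`, quoted keywords and hashes, `scheme://host/path`).

```javascript
// Policy string copied from the response headers quoted in the post.
const POLICY = [
  "base-uri 'self'; default-src *; img-src *; object-src 'none';",
  "script-src https://archive.org/offshoot_assets/ https://*.archive.org/offshoot_assets/",
  "https://offshoot.prod.archive.org/offshoot_assets/ https://archive.org/includes/",
  "https://*.archive.org/includes/ https://offshoot.prod.archive.org/includes/",
  "https://archive.org/components/ https://*.archive.org/components/",
  "https://offshoot.prod.archive.org/components/ https://archive.org/jw/ https://*.archive.org/jw/",
  "https://offshoot.prod.archive.org/jw/ https://av.prod.archive.org/js/ https://esm.archive.org/",
  "https://polyfill.archive.org/v3/polyfill.min.js",
  "'sha256-CoX53XgCdkM1zegYEEpMUeYIZnv663inNm8bQv2VRbM=';",
  "style-src 'unsafe-inline' https://archive.org/ https://*.archive.org/ https://offshoot.prod.archive.org/;",
].join(" ");

// Split the header into a Map of directive name -> list of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified source-expression match (no ports, no redirect handling).
function matchesSource(source, url) {
  if (source === "*") return /^https?:$/.test(url.protocol); // '*' does not cover data:, blob:, ...
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', hashes: never match by URL
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(\/.*)?$/i.exec(source);
  if (!m || m[1].toLowerCase() + ":" !== url.protocol || url.port !== "") return false;
  const host = m[2].toLowerCase(), path = m[3], h = url.hostname.toLowerCase();
  // "*.example.org" matches subdomains only, not the bare domain.
  const hostOk = host.startsWith("*.") ? h.endsWith(host.slice(1)) : h === host;
  // A path ending in "/" is a prefix; any other path must match exactly.
  const pathOk = !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
  return hostOk && pathOk;
}

// Would `directive` (e.g. "script-src") permit loading resourceUrl?
function allows(directives, directive, resourceUrl) {
  // Fetch directives missing from the policy fall back to default-src.
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (!sources) return true; // nothing in the policy governs this resource type
  const url = new URL(resourceUrl);
  return sources.some((s) => matchesSource(s, url));
}
```

Under this policy only `script-src` and `object-src` restrict network loads by address; images, fonts and other fetches fall under `*`, so a blocked-resource message in the console names the directive to check first.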