I am trying to remove some inline scripts from a webpage and I’m not sure if there is an easier way than I am doing it or not. Currently I am stopping the page from loading and calling a XMLHttpRequest on the same page and stripping the script out and rendering the page again.
You can modify the pages CSP with the webRequest API. I’m to sure if that is easier, but it doesn’t mess up quite as much stuff as your current approach will (I’m pretty sure you are preventing the page from receiving e.g. the “load” event).
If you want to disallow all inline scripts, then yes, this is also the easiest approach.
Just be aware that there is quite a number of different possible situations:
no CSP or CSP without default-srcand script-src ==> add one that allows script-src all protocols (and 'unsafe-eval')
CSP with script-src ==> remove 'unsafe-inline' if present
CSP without script-src ==> if 'unsafe-inline' present in default-src, copy that (without 'unsafe-inline') to script-src
Also, a response can contain multiple CSP headers and CSPs with differnt names (X-Content-Security-Policy, X-Webkit-CSP) I don’t know if firefox normally uses either of these (if the standard Content-Security-Policy is missing).
And then there is <meta http-equiv="Content-Security-Policy" ....