Inline scripts in new window from JavaScript using window.open()

This has been asked before, and all the answers I could find are outdated and do not work. This is a user-side script injected (via Tampermonkey) into an existing web page, which creates an 'options' dialog that requires JS to process selections made on that dialog, the 'dialog' being a new window. I have stripped it down to essentials.

Call to create the new window:

    function createConfigDiv() {
        // Open an about:blank window and write the options page into it
        let x = window.open();
        x.document.write(optionsHtml);
        x.document.close();
    }

optionsHtml is a global, created in a function so I can use code collapse, it is:

    const optionsHtml = loadSimpleOptionsPage();
    function loadSimpleOptionsPage() {
        // Meta CSP intended to permit the inline <script> in the new window
        let CSP = `<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">`;
        let html =
            `<html>` +
                `<head>` + CSP + `</head>` +
                // The inline block that triggers the CSP error
                `<script type="text/javascript">var i=0;</script>` +
            `</html>`;

        return html;
    }

It's structured that way so I can comment out the <script> block. Commenting it out means it all works as expected (a new tab, but no functionality) regardless of whether I have any actual JS code in the block.

Rendered HTML: (screenshot not reproduced)

Error: (screenshot not reproduced)

In a nutshell, "Refused to execute inline script because it violates the following Content Security Policy directive: "script-src '..."

I assume the CSP it is displaying is from the page where my script (the one that opens the window) is running, which I have no control over. It is running at torn.com.

The real code is a handler for an input element (checkbox). I can't really move it to an external file, as this is being generated on the fly with nowhere to host it. I had tried writing into an iframe, resulting in the same error.

It seems that wherever the CSP referenced is coming from, it overrides my meta tag. If I intentionally put a syntax error in my meta tag, I do get an error. As mentioned in the Chrome testing of header vs meta tag CSP directives, it seems the last directive seen can only strengthen, not reduce (or replace), the security policy.

So I see a few options, none of which I could find/implement - open a new window with no CSP until I add it in a meta tag, another method besides using window.open() to do what I want, ??? Any suggestions appreciated!



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
