google-chrome-extension, chrome-extension-manifest-v3

Response headers are not removed using declarativeNetRequest API


I am unsuccessfully removing response headers with the Chrome declarativeNetRequest API.

This is my ruleset:

[
  {
    "id": 1,
    "priority": 1,
    "action": {
      "type": "modifyHeaders",
      "responseHeaders": [
        {
          "header": "content-security-policy",
          "operation": "remove"
        }
      ]
    },
    "condition": {
      "urlFilter": "*",
      "resourceTypes": ["main_frame", "sub_frame", "xmlhttprequest"]
    }
  }
]

And this is my manifest.json:

{
    "manifest_version": 3,
    "name": "demo boilerplate",
    "version": "0.0.1",
    "description": "wololo!!!",
    "permissions": ["scripting", "declarativeNetRequestWithHostAccess", "declarativeNetRequest", "tabs", "declarativeNetRequestFeedback"],
    "declarative_net_request": {
        "rule_resources": [
            {
                "id": "ruleset_1",
                "enabled": true,
                "path": "rules.json"
            }
        ]
    },

    "host_permissions": ["<all_urls>"],

    "background": {
        "service_worker": "background.js"
    }
}

In the service worker I use onRuleMatchedDebug to see if the rules are getting matched:

chrome.declarativeNetRequest.onRuleMatchedDebug.addListener(function (o) {
    console.log('rule matched:', o);
});

They are! But in the Network tab of Chrome DevTools I can clearly see the response headers present. What have I missed? Thank you.

UPDATE: The idea is to inject a custom script and not get blocked by Content-Security-Policy. I still get an error: "Refused to execute inline script because it violates the following Content Security Policy directive" when I try to remove the content-security-policy header.

content.js script

function interceptData() {
    var myScript = document.createElement('script');
    myScript.type = 'text/javascript';
    myScript.innerHTML = `console.log("from my injected script")`;
    document.head.prepend(myScript);
}
function checkForDOM() {
    if (document.body && document.head) {
        interceptData();
    } else {
        requestIdleCallback(checkForDOM);
    }
}
requestIdleCallback(checkForDOM);

Solution

  • I’ve encountered the same problem. Our extension needs to remove the CSP header on YouTube. The solution was to add resourceTypes: ['main_frame'] to the condition, otherwise the rule didn’t match.
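
A ruleset like the one in the question strips CSP from every site the extension can reach, so it is worth flagging when an extension is reviewed. The following added example (not code from the question or the answer) audits a declarativeNetRequest rules array for such rules; the header list, the finding fields and sample rules 2-3 are assumptions.

```javascript
// Added example, not from the original post. The header list and the
// finding fields (removed, broad, mainFrame) are assumptions.
const SECURITY_HEADERS = new Set([
  'content-security-policy', 'content-security-policy-report-only',
  'x-frame-options', 'x-content-type-options', 'strict-transport-security',
]);

// With neither resourceTypes nor excludedResourceTypes set, a rule matches
// every resource type except main_frame.
function matchesMainFrame(cond) {
  if (cond.resourceTypes) return cond.resourceTypes.includes('main_frame');
  if (cond.excludedResourceTypes) return !cond.excludedResourceTypes.includes('main_frame');
  return false;
}

// Heuristic: no domain restriction and a missing or catch-all urlFilter.
function isBroad(cond) {
  const scoped = (cond.requestDomains || []).length > 0 ||
    (cond.initiatorDomains || []).length > 0;
  return !scoped && !cond.regexFilter && (!cond.urlFilter || cond.urlFilter === '*');
}

// Report every modifyHeaders rule that removes a security response header.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== 'modifyHeaders') continue;
    const removed = (action.responseHeaders || [])
      .filter((h) => h.operation === 'remove')
      .map((h) => String(h.header).toLowerCase())
      .filter((name) => SECURITY_HEADERS.has(name));
    if (removed.length === 0) continue;
    const cond = rule.condition || {};
    findings.push({ id: rule.id, removed, broad: isBroad(cond), mainFrame: matchesMainFrame(cond) });
  }
  return findings;
}

// Constructed sample: rule 1 mirrors the question's rule, rules 2-3 are hypothetical.
const stripCsp = { type: 'modifyHeaders', responseHeaders: [{ header: 'Content-Security-Policy', operation: 'remove' }] };
const sampleRules = [
  { id: 1, action: stripCsp, condition: { urlFilter: '*', resourceTypes: ['main_frame', 'sub_frame', 'xmlhttprequest'] } },
  { id: 2, action: stripCsp, condition: { requestDomains: ['app.example.test'] } },
  { id: 3, action: { type: 'block' }, condition: { urlFilter: 'tracker' } },
];
console.log(auditRules(sampleRules));
```

A finding with `broad: true` and `mainFrame: true` means the rule removes the header from top-level documents on all matched hosts, which is the widest exposure a reviewer can see in a ruleset.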