fix(bridge): bypass Codex page CSP for injected scripts (#1315)#1364
Open
LeoLin990405 wants to merge 1 commit into
Open
fix(bridge): bypass Codex page CSP for injected scripts (#1315)#1364LeoLin990405 wants to merge 1 commit into
LeoLin990405 wants to merge 1 commit into
Conversation
Injected bridge and user scripts run in the Codex page context, so Codex's Content-Security-Policy connect-src blocks their requests to the local helper (http://127.0.0.1:57321) and to plugin endpoints. This surfaces as 'The action has been blocked' when installing from the plugin marketplace and as repeated connect-src violations in the console/logs. Send Page.setBypassCSP { enabled: true } right after Runtime.enable during bridge install, mirroring the existing allowUnsafeEvalBlockedByCSP relaxation already applied to Runtime.evaluate. Renumbers the fixed CDP command ids and updates the sequence assertions; adds a regression test asserting the bypass is sent at id 2 with enabled=true. Fixes BigPizzaV3#1315
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
问题 / Problem
插件市场点击安装报错 “The action has been blocked”,控制台是 CSP 拦截(issue #1315):
注入的 bridge 脚本和用户脚本都运行在 Codex 页面上下文里,受 Codex 自身的 CSP
connect-src约束。于是它们连本地 helper(http://127.0.0.1:57321)、连插件端点的请求会被浏览器拦掉——表现为插件市场安装失败,以及 #1300 / #1340 日志里反复出现的connect-srcviolation。Injected bridge/user scripts run in the Codex page context and are bound by Codex's own CSP
connect-src, which blocks their requests to the local helper and to plugin endpoints — surfacing as "The action has been blocked" on plugin marketplace install.改动 / Change
在 bridge 安装序列里、
Runtime.enable之后,发送一条Page.setBypassCSP { enabled: true },对注入代码关闭页面 CSP 强制。这与项目已有的allowUnsafeEvalBlockedByCSP(给Runtime.evaluate放宽 CSP)一脉相承,只是把放宽从 eval 扩展到网络连接。Send
Page.setBypassCSP { enabled: true }right afterRuntime.enableduring bridge install, consistent with the existingallowUnsafeEvalBlockedByCSPrelaxation. It only removes restrictions on CodexPlusPlus's own injected code; Codex's CSP-compliant scripts are unaffected.bridge.rs:插入该命令并顺延固定 CDP 命令 id(Runtime.enable=1 →Page.setBypassCSP=2 → removeBinding=3 → addBinding=4 → addScript=5 → evaluate=6)。tests/cdp_bridge.rs:同步更新既有序列断言(排水循环1..=5→1..=6,routes_binding 的 evaluate id 5→6),并新增回归测试install_bridge_bypasses_page_csp_after_enabling_runtime,断言 id 2 发的是Page.setBypassCSP且enabled=true。2 文件
+58/-12。测试 / Testing
已在本机
cargo test跑通:新回归测试覆盖
Page.setBypassCSP的发送;其余既有 bridge 序列测试在 id 顺延后全部通过。