Skip to content

fix(bridge): bypass Codex page CSP for injected scripts (#1315)#1364

Open
LeoLin990405 wants to merge 1 commit into
BigPizzaV3:mainfrom
LeoLin990405:fix/bypass-page-csp-for-injected-bridge
Open

fix(bridge): bypass Codex page CSP for injected scripts (#1315)#1364
LeoLin990405 wants to merge 1 commit into
BigPizzaV3:mainfrom
LeoLin990405:fix/bypass-page-csp-for-injected-bridge

Conversation

@LeoLin990405

Copy link
Copy Markdown

问题 / Problem

插件市场点击安装报错 “The action has been blocked”,控制台是 CSP 拦截(issue #1315):

Connecting to 'http://127.0.0.1:57321/diagnostics/log' violates the following
Content Security Policy directive: "connect-src 'self' https://ab.chatgpt.com ...".
The action has been blocked.

注入的 bridge 脚本和用户脚本都运行在 Codex 页面上下文里,受 Codex 自身的 CSP connect-src 约束。于是它们连本地 helper(http://127.0.0.1:57321)、连插件端点的请求会被浏览器拦掉——表现为插件市场安装失败,以及 #1300 / #1340 日志里反复出现的 connect-src violation。

Injected bridge/user scripts run in the Codex page context and are bound by Codex's own CSP connect-src, which blocks their requests to the local helper and to plugin endpoints — surfacing as "The action has been blocked" on plugin marketplace install.

改动 / Change

在 bridge 安装序列里、Runtime.enable 之后,发送一条 Page.setBypassCSP { enabled: true },对注入代码关闭页面 CSP 强制。这与项目已有allowUnsafeEvalBlockedByCSP(给 Runtime.evaluate 放宽 CSP)一脉相承,只是把放宽从 eval 扩展到网络连接。

Send Page.setBypassCSP { enabled: true } right after Runtime.enable during bridge install, consistent with the existing allowUnsafeEvalBlockedByCSP relaxation. It only removes restrictions on CodexPlusPlus's own injected code; Codex's CSP-compliant scripts are unaffected.

  • bridge.rs:插入该命令并顺延固定 CDP 命令 id(Runtime.enable=1 → Page.setBypassCSP=2 → removeBinding=3 → addBinding=4 → addScript=5 → evaluate=6)。
  • tests/cdp_bridge.rs:同步更新既有序列断言(排水循环 1..=51..=6,routes_binding 的 evaluate id 5→6),并新增回归测试 install_bridge_bypasses_page_csp_after_enabling_runtime,断言 id 2 发的是 Page.setBypassCSPenabled=true

2 文件 +58/-12

测试 / Testing

已在本机 cargo test 跑通:

cargo test -p codex-plus-core --test cdp_bridge   → 68 passed; 0 failed
cargo test -p codex-plus-core                      → all suites pass; 0 failed

新回归测试覆盖 Page.setBypassCSP 的发送;其余既有 bridge 序列测试在 id 顺延后全部通过。

Injected bridge and user scripts run in the Codex page context, so Codex's
Content-Security-Policy connect-src blocks their requests to the local helper
(http://127.0.0.1:57321) and to plugin endpoints. This surfaces as
'The action has been blocked' when installing from the plugin marketplace and
as repeated connect-src violations in the console/logs.

Send Page.setBypassCSP { enabled: true } right after Runtime.enable during
bridge install, mirroring the existing allowUnsafeEvalBlockedByCSP relaxation
already applied to Runtime.evaluate. Renumbers the fixed CDP command ids and
updates the sequence assertions; adds a regression test asserting the bypass
is sent at id 2 with enabled=true.

Fixes BigPizzaV3#1315
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant