
Et Tu, Grammarly?

(dbushell.com)
279 points dbushell | 4 comments
1. vhantz ◴[] No.43516026[source]
Do you know how they managed to inject stylesheets into every page bypassing CSP?
replies(3): >>43516075 #>>43516320 #>>43516388 #
2. ◴[] No.43516075[source]
3. daquisu ◴[] No.43516320[source]
It is done by the extension without any fancy stuff. Extensions can load static js / css and bypass CSP with it, if it is declared in their manifest.json. Grammarly's manifest.json is here: https://gist.github.com/Daquisu/11eb1a7000b4141c4404edcc6e16...

For more advanced CSP bypass with an extension, you can:

1. Inject JS code into any webpage with a CSP.

2. Create an event listener for your content script and react according to it.

3. Use your content script to communicate with the background script.

4. Use the background script to communicate with any website, including websites blocked by the CSP.

Basically, any website <-> extension content script <-> background script <-> any website.
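
An added example, not part of the comment above and not Grammarly's code: a small audit that reads an extension's manifest.json and reports which static CSS/JS it declares for injection into every page, and whether a background context has host access to any origin. The sample manifest and the `audit_manifest` helper are constructed for illustration; the keys checked are the standard `content_scripts`, `background`, `host_permissions` and `permissions` manifest fields.

```python
import json

# Match patterns that make a content script or host permission apply to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (Manifest V3 keys); not Grammarly's actual manifest.
SAMPLE_MANIFEST = """
{
  "manifest_version": 3,
  "name": "Example Writing Helper",
  "content_scripts": [
    {"matches": ["<all_urls>"], "css": ["inject.css"], "js": ["content.js"],
     "all_frames": true},
    {"matches": ["https://docs.example.com/*"], "js": ["docs.js"]}
  ],
  "background": {"service_worker": "background.js"},
  "host_permissions": ["<all_urls>"],
  "permissions": ["storage"]
}
"""

def audit_manifest(text):
    """Return findings about page injection and cross-origin reach."""
    m = json.loads(text)
    findings = []
    for i, cs in enumerate(m.get("content_scripts", [])):
        broad = sorted(BROAD & set(cs.get("matches", [])))
        if not broad:
            continue  # scoped to specific sites, not reported here
        for kind in ("css", "js"):
            for path in cs.get(kind, []):
                findings.append(f"content_scripts[{i}]: {kind} {path} injected on {broad[0]}")
        if cs.get("all_frames"):
            findings.append(f"content_scripts[{i}]: also runs in all frames")
    # MV3 lists host access in host_permissions; MV2 mixes it into permissions.
    hosts = set(m.get("host_permissions", [])) | set(m.get("permissions", []))
    broad_hosts = sorted(BROAD & hosts)
    bg = m.get("background", {})
    has_bg = bool(bg.get("service_worker") or bg.get("scripts") or bg.get("page"))
    if broad_hosts and has_bg:
        findings.append(f"background context can request any origin ({broad_hosts[0]})")
    return findings

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

Run it against the manifest.json of each installed or allow-listed extension to see which ones the page's CSP will not constrain.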

4. ◴[] No.43516388[source]