Posts
Search Results
Site and Policy » Userscripts / Customization » Post 35
Marker 
Misanthrope
There, just updated all my scripts so that Chrome users won’t need to install the Disable Content-Security-Policy extension. Firefox users still need Laboratory by Mozilla though, unfortunately. Not anymore.
Site and Policy » Userscripts / Customization » Post 34
Marker
Misanthrope
@Ecstatis
I figured out what the problem was. The goddamn single quotes ’ got automatically replaced by smart quotes ’.
Just one of the reasons I hate them.
@Sollace
Try wrapping the custom CSP in “[== ]” like this
[bq][default-src ‘self’ https://derpicdn.net; font-src https://derpicdn.net; img-src data: https://camo.derpicdn.net https://derpicdn.net; script-src ‘unsafe-inline’ https://derpicdn.net; style-src ‘unsafe-inline’ https://derpicdn.net==][/bq]
I figured out what the problem was. The goddamn single quotes ’ got automatically replaced by smart quotes ’.
Just one of the reasons I hate them.
@Sollace
Try wrapping the custom CSP in “[== ]” like this
[bq][default-src ‘self’ https://derpicdn.net; font-src https://derpicdn.net; img-src data: https://camo.derpicdn.net https://derpicdn.net; script-src ‘unsafe-inline’ https://derpicdn.net; style-src ‘unsafe-inline’ https://derpicdn.net==][/bq]
Site and Policy » Userscripts / Customization » Post 33
Ecstatis
@Sollace
Thanks, it was clear enough for me. The problem is that it doesn’t work for me nontheless, though…
Any ideas?
Thanks, it was clear enough for me. The problem is that it doesn’t work for me nontheless, though…
Any ideas?
Site and Policy » Userscripts / Customization » Post 31
Ecstatis
Oh sorry, I forgot to mention that I use both Firefox (Portable, up to date) and Violentmonkey though. I noticed that hovering over the CSP field shows a tiptool still saying “default-src ‘none’” for me - is that usual?
Should have tagged @Sollace instead
Should have tagged @Sollace instead
Site and Policy » Userscripts / Customization » Post 29
Marker
Misanthrope
@Ecstatis
If you’re using Chrome, the original extension linked is a bit buggy, stopped working for everyone after a while. Try using this one instead, which disables CSP altogether so no configuration needed.
If you’re using Chrome, the original extension linked is a bit buggy, stopped working for everyone after a while. Try using this one instead, which disables CSP altogether so no configuration needed.
Site and Policy » Userscripts / Customization » Post 28
Ecstatis
I’m glad this issue has actually been addressed, but I’m having trouble getting the CSP to work, I’m still getting the same error printed to the console (inline (“default-src”)) whenever I add my own <style> tag. I noticed that the CSP in the screenshot is different from the one you posted, are you sure none of them might be wrong?
StSyaN I’m glad this issue has actually been addressed, but I’m having trouble getting the CSP to work, I’m still getting the same error printed to the console (inline (“default-src”)) whenever I add my own <style> tag. I noticed that the CSP in the screenshot is different from the one you posted, are you sure none of them might be wrong?
Site and Policy » Userscripts / Customization » Post 27
Background Pony #D9B6
@byte[]
It is a pipe dream (unless you serve whole site as pre-rendered PNG or something). And this is a good thing, for variety of reasons, starting from simple personalization and ending with accessibility (I’m still surprised by amount of mobile sites that use user-scalable=no in <meta>. They’re shooting themselves in the foot).
THANK YOU! This is a godsend. None of my public scripts use <style> tag, only inline ones (Once I needed non-inline styles, but I distributed them as optional userstyle instead). So this is a good news to me.
It is a pipe dream (unless you serve whole site as pre-rendered PNG or something). And this is a good thing, for variety of reasons, starting from simple personalization and ending with accessibility (I’m still surprised by amount of mobile sites that use user-scalable=no in <meta>. They’re shooting themselves in the foot).
StSyaN THANK YOU! This is a godsend. None of my public scripts use <style> tag, only inline ones (Once I needed non-inline styles, but I distributed them as optional userstyle instead). So this is a good news to me.
Site and Policy » Userscripts / Customization » Post 26
Sollace 
I am the night!
Lé done. I have updated the install instructions for my userscript. I’ll repost them here as well so other people can see it.
Installation Instructions:
Installation Instructions:
Before anything make sure you have installed Violentmonkey* for Firefox or Tampermonkey for Chrome, Opera, Safari or EdgeAdditional Note:
Because derpibooru has a draconian CSP headers, firefox users are also going to need Laboratory by MozillaInstall the addon and set it to use the following custom CSP for derpibooru:default-src ‘self’ https://derpicdn.net; font-src ‘self’ https://derpicdn.net; img-src ‘self’ data: https://camo.derpicdn.net https://derpicdn.net; script-src ‘self’ ‘unsafe-inline’ https://derpicdn.net; style-src ‘self’ ‘unsafe-inline’ self https://derpicdn.netOne final reminder:
- Once configured, firefox users can remove the addon buttons from their toolbars and proceed to ignore its existance
After that simply click the download link to be prompted to install the script.*Important Note: Do NOT use Greasemonkey. It’s dead, and the script may not work with it.
Site and Policy » Userscripts / Customization » Post 25
Sollace
It looks like I misremembered.
Security concerns for Stylish are well known, and documented
I’ve always known the firefox version of Tampermonkey to be untrustworthy, even back when I started. It ships with google analytics and I’m not even sure if it’s developed by the same people, so I avoid it to be safe.
Edit: And I don’t know about the state of Greasemonkey. iirc it stopped working for a bit and I switched away from it. Heard it got sold or something, which is exactly what caused the downfall of Stylish.
@Mildgyth
Chrome/Webkit versions should be fine. It’s really only the firefox addon you have to avoid.
I am the night!
StSyaN It looks like I misremembered.
Security concerns for Stylish are well known, and documented
I’ve always known the firefox version of Tampermonkey to be untrustworthy, even back when I started. It ships with google analytics and I’m not even sure if it’s developed by the same people, so I avoid it to be safe.
Edit: And I don’t know about the state of Greasemonkey. iirc it stopped working for a bit and I switched away from it. Heard it got sold or something, which is exactly what caused the downfall of Stylish.
@Mildgyth
Chrome/Webkit versions should be fine. It’s really only the firefox addon you have to avoid.
Site and Policy » Userscripts / Customization » Post 20
stsyn 
Moderator
@Sollace
I imaging possibility of using ::after to create a window, which completely blocks Derpibooru and says “pay X to Y to unlock this site”. Tracking that way probably will be impossible because of untouched part of CSP.
@Background Pony #0890
As byte[] says, using elem.style.prop = x instead of elem.style = “prop:x” bypasses issue.
@Sollace
Last time I tried Violentmonkey, it didn’t work with Derpibooru at all. Maybe stuff changed, though.
I imaging possibility of using ::after to create a window, which completely blocks Derpibooru and says “pay X to Y to unlock this site”. Tracking that way probably will be impossible because of untouched part of CSP.
@Background Pony #0890
As byte[] says, using elem.style.prop = x instead of elem.style = “prop:x” bypasses issue.
@Sollace
Last time I tried Violentmonkey, it didn’t work with Derpibooru at all. Maybe stuff changed, though.
Site and Policy » Userscripts / Customization » Post 17
byte[] 
Philomena Contributor
@Background Pony #0890
This is a site with user-submitted content. As a developer, I would much prefer to keep that content as tightly constrained as is literally possible. It is not for a “sake of vague security”, it is defense in depth.
This is a site with user-submitted content. As a developer, I would much prefer to keep that content as tightly constrained as is literally possible. It is not for a “sake of vague security”, it is defense in depth.
Site and Policy » Userscripts / Customization » Post 16
Sollace
I am the night!
@Background Pony #0890
I’ll look at finding a solution for my scripts. Stylish userstyles at least are not affected by the CSP change.
You may habe to live with installing two addons, though.
I’ll look at finding a solution for my scripts. Stylish userstyles at least are not affected by the CSP change.
You may habe to live with installing two addons, though.
Site and Policy » Userscripts / Customization » Post 15
Sollace
I am the night!
@ArmadilloEater
Please do not direct users to install tampermonkey. It’s not safe to use.
Firefox users should switch to Violentmonkey and uninstall Tampermonkey immediately.
Likewise do not use Stylish, switch to Stylus .
Both of the addons are known to collect browsing data without the user’s consent.
Please do not direct users to install tampermonkey. It’s not safe to use.
Firefox users should switch to Violentmonkey and uninstall Tampermonkey immediately.
Likewise do not use Stylish, switch to Stylus .
Both of the addons are known to collect browsing data without the user’s consent.
Site and Policy » Userscripts / Customization » Post 13
Background Pony #D9B6
Since Derpibooru enforced CSP to disallow usage of <style> tags
Not only <style> tags, even inline styles are blocked.
It’s real pity. This is going to result in loss of userscipts userbase. Only stubborn people will install two extensions for just one userscript. All for sake of vague security.
It’s real pity. This is going to result in loss of userscipts userbase. Only stubborn people will install two extensions for just one userscript. All for sake of vague security.
Site and Policy » Userscripts / Customization » Post 12
Marker
Misanthrope
I’m currently looking into if the GM_addStyle API could be used to get around the policy. Doesn’t look very promising, unfortunately. Other than Greasemonkey’s lack of support for it, I couldn’t get it to work on Firefox’s Tampermonkey (or Violentmonkey) either.
Showing results 51 - 75 of 87 total
Default search
If you do not specify a field to search over, the search engine will search for posts with a body that is similar to the query's word stems. For example, posts containing the words winged humanization, wings, and spread wings would all be found by a search for wing, but sewing would not be.
Allowed fields
| Field Selector | Type | Description | Example |
|---|---|---|---|
author | Literal | Matches the author of this post. Anonymous authors will never match this term. | author:Joey |
body | Full Text | Matches the body of this post. This is the default field. | body:test |
created_at | Date/Time Range | Matches the creation time of this post. | created_at:2015 |
id | Numeric Range | Matches the numeric surrogate key for this post. | id:1000000 |
my | Meta | my:posts matches posts you have posted if you are signed in. | my:posts |
subject | Full Text | Matches the title of the topic. | subject:time wasting thread |
topic_id | Literal | Matches the numeric surrogate key for the topic this post belongs to. | topic_id:7000 |
topic_position | Numeric Range | Matches the offset from the beginning of the topic of this post. Positions begin at 0. | topic_position:0 |
updated_at | Date/Time Range | Matches the creation or last edit time of this post. | updated_at.gte:2 weeks ago |
user_id | Literal | Matches posts with the specified user_id. Anonymous users will never match this term. | user_id:211190 |
forum | Literal | Matches the short name for the forum this post belongs to. | forum:meta |