CSP Unblock

Remove CSP-related headers from top-frame and sub-frames during web development to improve JavaScript execution and Cross-Origin resource access
This extension is disabled by default. If you need to bypass Content-Security-Policy while testing your website, temporarily enable the extension by pressing the toolbar button once. Once enabled, the extension installs a few network rules that remove all CSP-related headers from main-frame and sub-frame requests, so CSP no longer applies any limitation to the web pages. Refresh the webpage to make sure the old CSP rules no longer apply.

FAQs

  1. What is the "CSP Unblock" add-on and how can I use it?

    This extension is meant to ease inline and remote JavaScript execution on web pages that forbid them by applying a Content-Security-Policy header. Disabling CSP-related headers also lifts the limitation on cross-origin resource access. Make sure to enable the extension from the toolbar area, then refresh the page for the changes to take effect.

  2. What's new in this version?

    Please check the Logs section.

  3. What CSP-related headers are supported?

    At this moment, the extension supports four headers that control the CSP of the web pages:

    • Content-Security-Policy
    • Content-Security-Policy-Report-Only
    • X-Webkit-CSP
    • X-Content-Security-Policy

  4. What is the "Content Security Policy" header and why do websites use this header?

    Content Security Policy (CSP) is an additional layer of security that aims to detect and mitigate specific sorts of threats, such as Cross-Site Scripting (XSS) and data injection.

    CSP was created with complete backward compatibility in mind. Browsers that don't support it can still communicate with servers that do, and vice versa: browsers that don't support CSP disregard it and continue to operate normally, using the conventional same-origin policy for web content. Browsers apply the conventional same-origin policy if the site does not supply the CSP header.

  5. What is the "Content-Security-Policy-Report-Only" header?

    The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. The resulting violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

  6. What is the "X-Webkit-CSP" header?

    This is a deprecated HTTP header and it is being replaced by the "Content Security Policy" header.


What's new in this version

Change Logs:
    Last 10 commits on GitHub

    Need help?

    If you have questions about the extension, or ideas on how to improve it, please post them on the support site. Don't forget to search through the bug reports first, as most likely your question or bug has already been reported or a workaround has been posted for it.


    Permissions are explained

    Permission              Description
    storage                 to save which CSP-related headers are active
    declarativeNetRequest   to install a net request rule to remove enabled headers
    contextMenus            to add right-click context menu options to the action button
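
For reviewing an extension that behaves as described above, the following added example (not code from this extension or its author) scans a list of declarativeNetRequest rules and reports those that remove any of the four CSP-related headers from main-frame or sub-frame responses. The sample rules are constructed, and the function names are hypothetical.

```javascript
// Header names are the four listed on this page; compared case-insensitively.
const CSP_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-webkit-csp", "x-content-security-policy",
]);

// Frame types a rule condition can match. With neither list present,
// declarativeNetRequest matches every resource type except main_frame.
function framesMatched(condition = {}) {
  const { resourceTypes, excludedResourceTypes = [] } = condition;
  const candidates = resourceTypes ?? ["sub_frame"];
  return ["main_frame", "sub_frame"].filter(
    (t) => candidates.includes(t) && !excludedResourceTypes.includes(t)
  );
}

// One finding per rule that removes a CSP header from frame responses.
function findCspStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (rule.action?.type !== "modifyHeaders") continue;
    const removed = (rule.action.responseHeaders ?? [])
      .filter((h) => h.operation === "remove")
      .map((h) => String(h.header).toLowerCase())
      .filter((name) => CSP_HEADERS.has(name));
    const frames = framesMatched(rule.condition);
    if (removed.length && frames.length) {
      findings.push({ id: rule.id, removed, frames });
    }
  }
  return findings;
}

// Constructed sample rules, not taken from the extension's source.
const remove = (header) => ({ header, operation: "remove" });
const SAMPLE_RULES = [
  { id: 1, condition: { resourceTypes: ["main_frame", "sub_frame"] },
    action: { type: "modifyHeaders", responseHeaders: [
      remove("Content-Security-Policy"), remove("X-Webkit-CSP")] } },
  { id: 2, condition: {},  // no resourceTypes: sub_frame only
    action: { type: "modifyHeaders", responseHeaders: [
      remove("content-security-policy-report-only")] } },
  { id: 3, condition: { resourceTypes: ["image"] },  // not a frame: ignored
    action: { type: "modifyHeaders", responseHeaders: [
      remove("Content-Security-Policy")] } },
  { id: 4, condition: { resourceTypes: ["script"] }, action: { type: "block" } },
];

console.log(JSON.stringify(findCspStrippingRules(SAMPLE_RULES), null, 2));
```

Rules 1 and 2 are reported; rule 2 shows that a condition without `resourceTypes` still reaches sub-frames, which is easy to miss in a manual review.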
