Disabling javascript with javascript by Content-Security-Policy injection
Edit: if there is another way to disable javascript from javascript - I'm all ears.
I am trying to disable javascript using javascript by "injection"
<meta http-equiv="Content-Security-Policy" content="script-src 'none' ">
Into the element. The IS element was added as instructed by Firefox dev → inspector, but is being ignored. Why and how can I get the browser to "notice" it?
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<!--
yes, this works, but I want to do this dynamically
<meta http-equiv="Content-Security-Policy" content="script-src 'none' ">
-->
</head>
<body>
Just some javascript for tests, I hoped this will stop working,
when I'll call the disableJavaScript() function below. But it
doesn't stop
<script>
var x = 0;
setInterval(function(){
console.log(x++);
}
,1000);
</script>
Inserting the meta element:
<script>
function disableJavaScript(){
var newMetaNode = document.createElement("meta");
newMetaNode.setAttribute('http-equiv','Content-Security-Policy');
newMetaNode.setAttribute('content',"script-src 'none'");
var headElem = document.getElementsByTagName('head')[0];
headElem.appendChild(newMetaNode);
}
//calling the function after 3 seconds:
setTimeout(function(){
disableJavaScript();
},3000)
</script>
</body>
</html>
source to share
The devtools browser in Firefox and Chrome already provides the option to disable JavaScript for each tab. So instead of trying to install Content-Security-Policy
this or some other workaround, you can look at the devtools sources for the devtools disable-JavaScript function and figure out what mechanism the devtools function uses to disable JavaScript.
I believe that extensions usually have access to whatever (privileged) mechanisms devtools might use, so I think you could write an extension that just does it the same way devtools does.
source to share