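Today I wanted to use a userscript to try to remove the login pop-up on Zhihu column pages, so I installed Stay 2 and 知乎增强, but they had no effect after installation. From an issue I found that this may be because the site's CSP settings prevent the script from being injected and taking effect, so after some research I decided to use Surge's script feature to remove the CSP tag. I wrote a few lines of code as follows: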
//disable CSP on zhihu website
let headers = $response.headers;
delete headers['content-security-policy'];
console.log(headers);
$done({headers});
After running it, the log output is as follows:
19:56:54.944173 MITM over HTTP/2
19:56:55.488527 Sub-rule matched: DOMAIN-SUFFIX zhihu.com
19:56:55.488682 Rule matched: RULE-SET direct.txt
19:56:55.489167 Use the last successful address: 42.236.70.186
19:56:55.489636 Connecting with address: 42.236.70.186
19:56:55.500224 Connected to address 42.236.70.186 in 10ms
19:56:55.500427 TCP connection established
19:56:55.547457 TLS handshake completed, negotiated cipher: TLS_AES_256_GCM_SHA384, protocol TLSv1.3
19:56:55.547513 TLS ALPN: h2
19:56:55.547703 HTTP protocol negotiation completed: HTTP/2
19:56:55.548981 HTTP response script found: zhihu csp disable
19:56:55.899121 {"content-encoding":"br","set-cookie":"KLBRSID=[]; Path=/","x-idc-id":"2","server":"CLOUD ELB 1.0.0","strict-transport-security":"max-age=15552000; includeSubDomains","cache-control":"must-revalidate, proxy-revalidate, no-cache, no-store","pragma":"no-cache","referrer-policy":"no-referrer-when-downgrade","x-lb-timing":"0.130","x-cdn-provider":"tencent","surrogate-control":"no-store","vary":"Accept-Encoding","date":"Wed, 25 Jan 2023 11:56:55 GMT","x-xss-protection":"1; mode=block","expires":"0","x-secng-response":"0.12999987602234","x-udid":"[]=","x-frame-options":"SAMEORIGIN","x-backend-response":"0.124","content-type":"text/html; charset=utf-8","x-edge-timing":"0.150","x-nws-log-uuid":"[]","x-content-type-options":"nosniff","x-cache-lookup":"Cache Miss"}
19:56:55.900028 [Script Completed]
19:56:55.911485 Response is modified by script
19:56:55.912817 Disconnect with reason: Stream closed
At this point you can see that its CSP is gone, but the script still has no effect. How can I tell whether the CSP was successfully removed?
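
The check asked about above, as an added example that is not part of the original post: it removes CSP response headers regardless of letter case, reports which ones were present, and looks for a policy delivered through a `<meta http-equiv>` tag in the HTML, which header removal does not affect. The function names and sample input are constructed here, and it assumes Surge passes the response body to the script (otherwise the meta check sees an empty string).

```javascript
// Added diagnostic sketch; runs in Node and, when $response exists, as a Surge response script.
const CSP_HEADERS = ['content-security-policy', 'content-security-policy-report-only'];

// Return a copy of the headers without any CSP header, plus the names that were removed.
// Header names are case-insensitive on the wire but object keys are not,
// so compare in lower case instead of deleting one fixed spelling.
function stripCspHeaders(headers) {
  const kept = {};
  const removed = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (CSP_HEADERS.includes(name.toLowerCase())) removed.push(name);
    else kept[name] = value;
  }
  return { kept, removed };
}

// A policy can also be delivered in the HTML itself via <meta http-equiv=...>;
// removing response headers does not touch it. Return the matching tags.
function findMetaCsp(html) {
  const tags = String(html || '').match(/<meta\b[^>]*>/gi) || [];
  return tags.filter((t) => /http-equiv\s*=\s*["']?content-security-policy/i.test(t));
}

// Summarise where a policy was found for one response.
function cspReport(headers, body) {
  const { kept, removed } = stripCspHeaders(headers);
  return { kept, removedHeaders: removed, metaTags: findMetaCsp(body) };
}

// Constructed sample input (not taken from the log above).
const sampleHeaders = {
  'Content-Security-Policy': "default-src 'self'",
  'content-type': 'text/html; charset=utf-8',
};
const sampleBody =
  '<head><meta http-equiv="Content-Security-Policy" content="script-src \'self\'"></head>';

if (typeof $response !== 'undefined') {
  // Inside Surge: log what was found, then return the cleaned headers.
  const report = cspReport($response.headers, $response.body);
  console.log(JSON.stringify({ removed: report.removedHeaders, meta: report.metaTags }));
  $done({ headers: report.kept });
} else {
  console.log(cspReport(sampleHeaders, sampleBody));
}
```

An empty `removed` list together with an empty `meta` list means the response carried no policy in either place.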