How to inject JS scripts on GitHub? (bypass CSP)

[micalevisk]

when I tried to inject a dumb JS script to https://github.com I got this error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

triggered by this line:

Code-Injector/script/main/inject.js

Line 34 in 3ef819a

document.head.append(el);

is there a way to bypass this?

The Content-Security-Policy response header is:

default-src 'none';
base-uri 'self';
block-all-mixed-content;
connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com;
font-src github.githubassets.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self';
media-src 'none';
script-src github.githubassets.com;
style-src 'unsafe-inline' github.githubassets.com;
worker-src github.com/socket-worker.js gist.github.com/socket-worker.js

---

btw I do not want to use Tampermonkey/Greasemonkey

[Filius-Patris]

Same happens on MS Teams (https://teams.microsoft.com)

[RobKohr]

Seems to happen on twitter too

[KrischnaGabriel]

it's been three years from the opening of this issue and still no fix. 😑️
btw it also happens on spotify