Title says it all but…
I have to type custom commands for Brave to make CSP patching work.
It would be good if there was an option for Violentmonkey too (like adding other extensions that aren't supported by default).
PS. I don't know whether Violentmonkey needs MV2, though, but I like its UI and the easy installing of scripts.
Let’s break down how to craft custom command-line arguments for Brave to achieve CSP patching and explore the possibility of integrating Violentmonkey (or similar extensions).
Understanding CSP and Brave’s Command-Line Flags
Content Security Policy (CSP) is a security mechanism that helps prevent cross-site scripting (XSS) and other code injection attacks. To bypass or modify CSP for testing or development purposes, you need to launch Brave with specific flags.
- --disable-web-security: This flag completely disables web security, including CSP. Use this with extreme caution, as it opens your browser to significant security risks. It's generally not recommended for regular browsing.
- --allow-running-insecure-content: This flag allows the browser to load insecure content (HTTP) on secure pages (HTTPS). It might be necessary in some cases, but again, be careful.
- --ignore-certificate-errors: Ignores SSL certificate errors. Useful for testing with self-signed certificates, but can mask real security issues.
- --disable-features=IsolateOrigins,site-per-process: Disables site isolation, which can sometimes interfere with CSP modifications. Only use this if you know what you are doing.
Crafting the Brave Command
Here’s how you can construct a command to launch Brave with the desired flags. Remember that using these flags can compromise your security.
Windows:
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process
macOS:
/Applications/Brave\ Browser.app/Contents/MacOS/Brave\ Browser --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process
Linux:
brave-browser --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process
Important Notes:
- Replace the Brave executable path with your actual path if it’s different.
- These flags should be used for testing and development only. Do not use them for regular browsing.
- Disabling web security is very risky.
- It is better to modify the CSP headers on the server side if you have the ability to do so.
Violentmonkey and MV2/MV3
Violentmonkey is a user script manager, similar to Tampermonkey. It primarily relies on the browser’s extension API.
- MV2 vs. MV3: Manifest V2 (MV2) is the older extension manifest format, while Manifest V3 (MV3) is the newer, more secure format. Chrome and Chromium-based browsers (including Brave) are transitioning to MV3.
- Violentmonkey does support MV3. So while there was a transition period, it functions within the constraints of MV3.
- Brave’s Extension Support: Brave, being a Chromium-based browser, supports most Chromium extensions, including Violentmonkey. You can usually install it from the Chrome Web Store.
- Command-Line Installation: There is not a clean, direct command-line way to install an extension into Brave. You must use the Chrome Web Store or load an unpacked extension.
- Alternative to Command Line CSP Changes: Using browser extensions that modify headers might be more viable for everyday use, rather than command-line arguments. These are more easily toggled on and off, but would still require installation via the GUI.
Recommendation:
- For routine header modification, I suggest investigating extensions designed to change headers (like “ModHeader” or “Requestly”). These are more manageable and safe than permanently disabling web security with command-line flags.
- Install Violentmonkey directly from the Chrome Web Store.
- Only resort to command-line flag modifications as a last measure, and for very temporary, isolated testing.
I hope this information assists you.
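
An added example, not part of the original reply: a small audit helper that checks a browser command line (from a shortcut, launcher script, or process listing) for the security-weakening flags listed in the answer above, so a test launch that leaked into everyday use can be spotted. The function name and the sample command lines are constructed for illustration.

```python
import shlex

# Flags named in the reply above, with the protection each one turns off.
RISKY_FLAGS = {
    "--disable-web-security": "same-origin policy and CSP enforcement disabled",
    "--allow-running-insecure-content": "HTTP content allowed on HTTPS pages",
    "--ignore-certificate-errors": "TLS certificate errors ignored",
}
# Feature names from the reply's --disable-features value.
RISKY_DISABLED_FEATURES = {"IsolateOrigins", "site-per-process"}


def audit_command_line(cmdline, windows=False):
    """Return a sorted list of (flag, reason) findings for one command line."""
    # posix=False leaves backslashes in Windows paths alone; quotes stay on
    # the token, so they are stripped by hand below.
    tokens = shlex.split(cmdline, posix=not windows)
    findings = set()
    for tok in tokens:
        name, _, value = tok.strip('"').partition("=")
        if name in RISKY_FLAGS:
            findings.add((name, RISKY_FLAGS[name]))
        elif name == "--disable-features":
            # The value is a comma-separated feature list; report each risky one.
            for feature in (f.strip() for f in value.split(",")):
                if feature in RISKY_DISABLED_FEATURES:
                    findings.add((f"--disable-features={feature}",
                                  "site isolation disabled"))
    return sorted(findings)


# Constructed sample command lines (not captured from a real system).
SAMPLES = [
    ("brave-browser --disable-web-security "
     "--disable-features=IsolateOrigins,site-per-process", False),
    (r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" '
     "--ignore-certificate-errors", True),
    ("brave-browser --incognito https://example.com", False),
]

if __name__ == "__main__":
    for cmdline, is_windows in SAMPLES:
        findings = audit_command_line(cmdline, windows=is_windows)
        print("RISKY" if findings else "ok   ", cmdline)
        for flag, reason in findings:
            print(f"        {flag}: {reason}")
```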