patchright-core 1.55.1 → 1.55.3

package/lib/server/browserContext.js

@@ -127,9 +127,7 @@ class BrowserContext extends import_instrumentation.SdkObject {
       `);
     }
     if (this._options.serviceWorkers === "block")
-      await this.addInitScript(`navigator.serviceWorker.register = async () => { };`, `
-if (navigator.serviceWorker) navigator.serviceWorker.register = async () => { console.warn('Service Worker registration blocked by Playwright'); };
-`);
+      await this.addInitScript(void 0, `navigator.serviceWorker.register = async () => { };`);
     if (this._options.permissions)
       await this.grantPermissions(this._options.permissions);
   }

package/lib/server/chromium/chromiumSwitches.js

@@ -73,7 +73,6 @@ const chromiumSwitches = (assistantMode, channel) => [
   "--disable-search-engine-choice-screen",
   // Edge can potentially restart on Windows (msRelaunchNoCompatLayer) which looses its file descriptors (stdout/stderr) and CDP (3/4). Disable until fixed upstream.
   "--edge-skip-compat-layer-relaunch",
-  assistantMode ? "" : "--enable-automation",
   "--disable-blink-features=AutomationControlled"
 ].filter(Boolean);
 // Annotate the CommonJS export names for ESM import in node:

package/lib/server/chromium/crNetworkManager.js

@@ -533,45 +533,91 @@ class RouteImpl {
       if (!allInjections.includes(binding)) allInjections.push(binding);
     }
     if (isTextHtml && allInjections.length) {
-      let scriptNonce = import_crypto.default.randomBytes(22).toString("hex");
-      let useNonce = true;
+      let useNonce = false;
+      let scriptNonce = null;
+      if (response.isBase64) {
+        response.isBase64 = false;
+        response.body = Buffer.from(response.body, "base64").toString("utf-8");
+      }
+      const cspHeaderNames = ["content-security-policy", "content-security-policy-report-only"];
       for (let i = 0; i < response.headers.length; i++) {
-        if (response.headers[i].name.toLowerCase() === "content-security-policy" || response.headers[i].name.toLowerCase() === "content-security-policy-report-only") {
-          let cspValue = response.headers[i].value;
-          const nonceRegex = /script-src[^;]*'nonce-([\w-]+)'/;
-          const nonceMatch = cspValue.match(nonceRegex);
-          if (nonceMatch) {
-            scriptNonce = nonceMatch[1];
-          } else {
-            if (/script-src[^;]*'unsafe-inline'/.test(cspValue)) {
-              useNonce = false;
-            } else {
-              const scriptSrcRegex = /(script-src[^;]*)(;|$)/;
-              const newCspValue = cspValue.replace(scriptSrcRegex, `$1 'nonce-${scriptNonce}'$2`);
-              response.headers[i].value = newCspValue;
+        const headerName = response.headers[i].name.toLowerCase();
+        if (cspHeaderNames.includes(headerName)) {
+          const originalCsp = response.headers[i].value || "";
+          if (!useNonce) {
+            const nonceMatch = originalCsp.match(/script-src[^;]*'nonce-([^'"\s;]+)'/i);
+            if (nonceMatch && nonceMatch[1]) {
+              scriptNonce = nonceMatch[1];
+              useNonce = true;
             }
           }
-          break;
+          const fixedCsp = this._fixCSP(originalCsp, scriptNonce);
+          response.headers[i].value = fixedCsp;
         }
       }
+      if (typeof response.body === "string" && response.body.length) {
+        response.body = response.body.replace(
+          /<meta[^>]*http-equiv=(?:"|')?Content-Security-Policy(?:"|')?[^>]*>/gi,
+          (match) => {
+            const contentMatch = match.match(/content=(?:"|')([^"']*)(?:"|')/i);
+            if (contentMatch && contentMatch[1]) {
+              let originalCsp = contentMatch[1];
+              originalCsp = originalCsp.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&#x27;/g, "'").replace(/&#x22;/g, '"').replace(/&nbsp;/g, " ").replace(/&#(d+);/g, (match2, dec) => String.fromCharCode(dec)).replace(/&#x([0-9a-fA-F]+);/g, (match2, hex) => String.fromCharCode(parseInt(hex, 16)));
+              if (!useNonce) {
+                const nonceMatch = originalCsp.match(/script-src[^;]*'nonce-([^'"\s;]+)'/i);
+                if (nonceMatch && nonceMatch[1]) {
+                  scriptNonce = nonceMatch[1];
+                  useNonce = true;
+                }
+              }
+              const fixedCsp = this._fixCSP(originalCsp, scriptNonce);
+              const encodedCsp = fixedCsp.replace(/'/g, "&#x27;").replace(/"/g, "&#x22;");
+              return match.replace(contentMatch[1], encodedCsp);
+            }
+            return match;
+          }
+        );
+      }
       let injectionHTML = "";
       allInjections.forEach((script) => {
         let scriptId = import_crypto.default.randomBytes(22).toString("hex");
         let scriptSource = script.source || script;
-        if (useNonce) {
-          injectionHTML += `<script class="${this._page.delegate.initScriptTag}" nonce="${scriptNonce}" id="${scriptId}" type="text/javascript">document.getElementById("${scriptId}")?.remove();${scriptSource}</script>`;
+        const nonceAttr = useNonce ? `nonce="${scriptNonce}"` : "";
+        injectionHTML += `<script class="${this._page.delegate.initScriptTag}" ${nonceAttr} id="${scriptId}" type="text/javascript">document.getElementById("${scriptId}")?.remove();${scriptSource}</script>`;
+      });
+      const lower = response.body.toLowerCase();
+      const headStartIndex = lower.indexOf("<head");
+      if (headStartIndex !== -1) {
+        const headEndTagIndex = lower.indexOf("</head>", headStartIndex);
+        if (headEndTagIndex !== -1) {
+          const headOpenEnd = response.body.indexOf(">", headStartIndex) + 1;
+          const headContent = response.body.slice(headOpenEnd, headEndTagIndex);
+          const headContentLower = headContent.toLowerCase();
+          const firstScriptIndex = headContentLower.indexOf("<script");
+          if (firstScriptIndex !== -1) {
+            const insertPosition = headOpenEnd + firstScriptIndex;
+            response.body = response.body.slice(0, insertPosition) + injectionHTML + response.body.slice(insertPosition);
+          } else {
+            response.body = response.body.slice(0, headEndTagIndex) + injectionHTML + response.body.slice(headEndTagIndex);
+          }
         } else {
-          injectionHTML += `<script class="${this._page.delegate.initScriptTag}" id="${scriptId}" type="text/javascript">document.getElementById("${scriptId}")?.remove();${scriptSource}</script>`;
+          const headStartTagEnd = response.body.indexOf(">", headStartIndex) + 1;
+          response.body = response.body.slice(0, headStartTagEnd) + injectionHTML + response.body.slice(headStartTagEnd);
         }
-      });
-      if (response.isBase64) {
-        response.isBase64 = false;
-        response.body = Buffer.from(response.body, "base64").toString("utf-8");
-      }
-      if (/^<!DOCTYPE[sS]*?>/i.test(response.body)) {
-        response.body = response.body.replace(/^<!DOCTYPE[sS]*?>/i, (match) => `${match}${injectionHTML}`);
       } else {
-        response.body = injectionHTML + response.body;
+        const doctypeIndex = lower.indexOf("<!doctype");
+        if (doctypeIndex === 0) {
+          const doctypeEnd = response.body.indexOf(">", doctypeIndex) + 1;
+          response.body = response.body.slice(0, doctypeEnd) + injectionHTML + response.body.slice(doctypeEnd);
+        } else {
+          const htmlIndex = lower.indexOf("<html");
+          if (htmlIndex !== -1) {
+            const htmlTagEnd = response.body.indexOf(">", htmlIndex) + 1;
+            response.body = response.body.slice(0, htmlTagEnd) + `<head>${injectionHTML}</head>` + response.body.slice(htmlTagEnd);
+          } else {
+            response.body = injectionHTML + response.body;
+          }
+        }
       }
     }
     this._fulfilled = true;
@@ -597,6 +643,79 @@ class RouteImpl {
       });
     });
   }
+  _fixCSP(csp, scriptNonce) {
+    if (!csp || typeof csp !== "string") return csp;
+    const directives = csp.split(";").map((d) => d.trim()).filter((d) => d && d.length > 0);
+    const fixedDirectives = [];
+    let hasScriptSrc = false;
+    for (let directive of directives) {
+      if (!directive.trim()) continue;
+      const parts = directive.trim().split(/s+/);
+      if (parts.length === 0) continue;
+      const directiveName = parts[0].toLowerCase();
+      const directiveValues = parts.slice(1);
+      switch (directiveName) {
+        case "script-src":
+          hasScriptSrc = true;
+          let values = [...directiveValues];
+          if (scriptNonce && !values.some((v) => v.includes(`nonce-${scriptNonce}`))) {
+            values.push(`'nonce-${scriptNonce}'`);
+          }
+          if (!values.includes("'unsafe-eval'")) {
+            values.push("'unsafe-eval'");
+          }
+          fixedDirectives.push(`script-src ${values.join(" ")}`);
+          break;
+        case "style-src":
+          let styleValues = [...directiveValues];
+          if (!styleValues.includes("'unsafe-inline'")) {
+            styleValues.push("'unsafe-inline'");
+          }
+          fixedDirectives.push(`style-src ${styleValues.join(" ")}`);
+          break;
+        case "img-src":
+          let imgValues = [...directiveValues];
+          if (!imgValues.includes("data:") && !imgValues.includes("*")) {
+            imgValues.push("data:");
+          }
+          fixedDirectives.push(`img-src ${imgValues.join(" ")}`);
+          break;
+        case "font-src":
+          let fontValues = [...directiveValues];
+          if (!fontValues.includes("data:") && !fontValues.includes("*")) {
+            fontValues.push("data:");
+          }
+          fixedDirectives.push(`font-src ${fontValues.join(" ")}`);
+          break;
+        case "connect-src":
+          let connectValues = [...directiveValues];
+          const hasWs = connectValues.some((v) => v.includes("ws:") || v.includes("wss:") || v === "*");
+          if (!hasWs) {
+            connectValues.push("ws:", "wss:");
+          }
+          fixedDirectives.push(`connect-src ${connectValues.join(" ")}`);
+          break;
+        case "frame-ancestors":
+          let frameAncestorValues = [...directiveValues];
+          if (frameAncestorValues.includes("'none'")) {
+            frameAncestorValues = ["'self'"];
+          }
+          fixedDirectives.push(`frame-ancestors ${frameAncestorValues.join(" ")}`);
+          break;
+        default:
+          fixedDirectives.push(directive);
+          break;
+      }
+    }
+    if (!hasScriptSrc) {
+      if (scriptNonce) {
+        fixedDirectives.push(`script-src 'self' 'unsafe-eval' 'nonce-${scriptNonce}'`);
+      } else {
+        fixedDirectives.push(`script-src 'self' 'unsafe-eval'`);
+      }
+    }
+    return fixedDirectives.join("; ");
+  }
   async _networkRequestIntercepted(event) {
     if (event.resourceType !== "Document") {
       return;

package/lib/server/chromium/crServiceWorker.js

@@ -64,6 +64,16 @@ class CRServiceWorker extends import_page.Worker {
     session.on("Inspector.targetReloadedAfterCrash", () => {
       session._sendMayFail("Runtime.runIfWaitingForDebugger", {});
     });
+    session._sendMayFail("Runtime.evaluate", {
+      expression: "globalThis",
+      serializationOptions: { serialization: "idOnly" }
+    }).then((globalThis) => {
+      if (globalThis && globalThis.result) {
+        var globalThisObjId = globalThis.result.objectId;
+        var executionContextId = parseInt(globalThisObjId.split(".")[1], 10);
+        this.createExecutionContext(new import_crExecutionContext.CRExecutionContext(session, { id: executionContextId }));
+      }
+    });
   }
   didClose() {
     this._networkManager?.removeSession(this._session);