Should BiDi expose a command / configuration to bypass CSP

[juliandescottes]

At the moment Chrome seems to bypass CSPs by default (see #1024 ).

But I can see in CDP there is a dedicated command: https://chromedevtools.github.io/devtools-protocol/tot/Page/#method-setBypassCSP
It seems exposed in puppeteer https://pptr.dev/api/puppeteer.page.setbypasscsp and in playwright https://playwright.dev/docs/api/class-testoptions#test-options-bypass-csp

Are those options similar to the topic discussed in #1024 ? (ie allowing to use "eval", "new Function" etc...) via script evaluation, even if the content page is using strict CSPs.

cc @OrKoN @yury-s

[juliandescottes]

@yury-s

Trying to understand the role of bypassCSP in playwright.

I think Playwright expects that by default eval and new Function work on any page, regardless of the CSP. It's enforced for instance in https://github.com/microsoft/playwright/blob/2db5effacd2efe5accf728189b5466f175c426db/tests/page/page-evaluate.spec.ts#L597 , which uses new Function but doesn't seem to set bypassCSP: true at any point.

Also the default behavior for Playwright's page.evaluate seems to rely on eval: https://github.com/microsoft/playwright/blob/2db5effacd2efe5accf728189b5466f175c426db/packages/injected/src/utilityScript.ts#L71 which means that at the moment, any call to playwright's page.evaluate will fail on a page with CSPs unless we bypass CSPs by default for eval (which is #1024).

With that in mind it seems that playwright's bypassCSP option only applies to some specific APIs, such as addScriptTag?

[whimboo]

@yury-s would you mind taking a look at the question from Julian? We would appreciate. Thanks!

[juliandescottes]

FYI there was some additional feedback from Yury at microsoft/playwright#37277 (comment), although I still would like clarifications on the added value of the command, so that we can discuss it with the group.