JustZix JavaScript rules now work even on Facebook, X and GitHub
The pages where userscript JS used to fall apart — Facebook, X, GitHub and many others with a strict Content-Security-Policy — had been a bottleneck for JustZix too. In version 3.2.0 we changed the code-execution engine so it gets through that barrier without tricks and without compromises on the rest of the web. Here is what it does and why.
What CSP was actually blocking
A Content-Security-Policy with a script-src directive that omits 'unsafe-eval' and 'unsafe-inline' tells the browser: "do not run code built from a string". That is the policy that blocks the classic new Function('...code...')() through which JustZix ran rule and action JS in the MAIN world up to v3.1.x. The page most painfully affected by that restriction was facebook.com — sitting in our backlog for months under the label "cannot be done".
Three paths, one decision
In v3.2.0 we introduced a layered strategy — the extension tries each path until one works:
- chrome.userScripts.execute — the native user-scripts API from Manifest V3. It executes code as a string outside the page's CSP world, so it works everywhere, including the strictest policies. It requires the userScripts permission in the manifest (we have it) and a one-time "Allow user scripts" toggle in the browser's extension settings (you click it, you stay in control).
- new Function — the fast, classic path when the page's CSP allows 'unsafe-eval'. Most ordinary sites do (Google, YouTube, Reddit, Wikipedia, online shops), so 99% of your rules keep going through this path with no configuration at all.
- <script src="blob:…"> — a fallback that creates a local Blob URL and injects it as a classic script tag. It works when the page's CSP allows blob: in script-src — which facebook.com does. It lets things run even when the user has not yet enabled "user scripts".
What it means in practice
JustZix JS rules, actions and the TEMP JS / JS Console windows now run on pages that used to throw EvalError:
- facebook.com — via the blob-script fallback, with no configuration at all;
- x.com / twitter.com, github.com, parts of banking sites — full coverage once "user scripts" is enabled;
- everywhere else — unchanged, the classic new Function as before.
If no path works (rare, requires the page to forbid both 'unsafe-eval' and blob:), the JS pane and JS Console windows show a clear "enable user scripts" message in 8 languages. One click in browser settings and the rest is automatic.
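The decision described above can be checked against any policy before writing a rule for a site. The following is an added example, not JustZix's own code: it parses a Content-Security-Policy header and reports which page-level path the policy leaves open. The function names and sample policies are constructed for illustration, and the model is simplified (it ignores script-src-elem, 'strict-dynamic', Trusted Types and pages that send several policies).

```javascript
// Added example (not JustZix code): which page-level path does a CSP leave open?

// Parse a CSP header into a Map of directive name -> lower-cased source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored: the first one wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// script-src falls back to default-src; null means scripts are unrestricted.
function effectiveScriptSrc(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Classify a policy according to the three paths listed in the post.
function classifyPaths(header) {
  const sources = header ? effectiveScriptSrc(parseCsp(header)) : null;
  const unrestricted = sources === null;
  // new Function is an eval-like sink: it needs 'unsafe-eval'.
  const newFunction = unrestricted || sources.includes("'unsafe-eval'");
  // A blob: script URL needs the scheme listed explicitly; '*' does not match it.
  const blobScript = unrestricted || sources.includes('blob:');
  let pageWorldPath = null;
  if (newFunction) pageWorldPath = 'new Function';
  else if (blobScript) pageWorldPath = 'blob script';
  return {
    newFunction,
    blobScript,
    pageWorldPath,
    // Neither page-level path is open: only the user-scripts API remains.
    needsUserScripts: pageWorldPath === null,
  };
}

// Constructed sample policies, not copied from any real site.
const SAMPLES = {
  ordinary: "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.example",
  blobOnly: "script-src 'self' blob: 'nonce-abc123'",
  strict: "default-src 'none'; script-src 'self'",
  wildcard: 'script-src *',
};
```

Site owners can read the same result the other way round: a policy for which `needsUserScripts` is false still lets string-built code run in the page's own world.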
How to enable "user scripts"
- Chrome / Edge / Opera: chrome://extensions → turn on "Developer mode" (top right) → find JustZix → flip the "Allow user scripts" toggle.
- Firefox: about:addons → JustZix → "Preferences" button → enable the user-scripts option.
The permission is remembered once and for all. We did not add our own consent screen — this is a deliberate choice in the browser settings, not a surprise prompt from us.
Why it matters versus the alternatives
Userscript extensions like Tampermonkey or Violentmonkey need the page to allow 'unsafe-eval', or they rely on their own sandbox with eval. JustZix has three paths, so where those throw a "CSP error" and wait for the page author's mercy, we quietly pick an alternative. This is the single largest architectural change since the project began — and the one that finally makes the Facebook, X and GitHub example packages in the catalog meaningful.
See also
- CSS and JavaScript injection — what else the rule engine can do
- Output Console hook on CSP-strict pages — the analogous story for logs
- JustZix vs. Tampermonkey — full comparison
Install JustZix — and write rules on facebook.com with no excuses.