Where is "injected stylesheet" coming from? Screenshot is Chrome's Developer Tools. This "injected stylesheet" is only present in Chrome (not present in Safari or Firefox)

It could be a Chrome Extension. Maybe an ad blocker or something?

Do you have any Chrome extensions? They can inject stylesheets.

Thanks to all the commenters! Yes, confirmed. It’s coming from a plugin. In this case, it was Axiom.

Leaving this here for future redditors that are trying to figure this out!

@Denny
I don’t believe this stops local browser plugins. CSP is for XSS attacks. It may possibly stop it from pulling in external code or making certain calls, but it won’t prevent this type of injection.

@Cale
Yes, CSPs will block local chrome extensions.

Vick said:
@Cale
Yes, CSPs will block local chrome extensions.

I’ll start by saying I haven’t looked into it, but I don’t believe that’s true. They might very well stop an extension from loading external resources or injecting resources into the page, but if a CSP could stop an extension from loading its own JavaScript or CSS then sites would use this to prevent ad blockers.

@Olin
It’s stupid but true.

Uma said:
@Olin
It’s stupid but true.

How does uBlock Origin as an extension get around that? And other ad blockers let password managers (which insert HTML into the page)? Seems like if it is a thing, it’s circumvented by plenty of plugins (or Google just never considered setting a CSP on YouTube…).

@Tavis
It depends on how it’s done. It used to be that extensions had to modify the DOM to inject their stuff, and many still do, but there are newer alternative APIs that do bypass CSP, like tabs.insertCSS() (MDN). Most of uBlock Origin’s work is also done via resource filtering, which is another API, not DOM injection.

@Tavis
My understanding is those use the browser provided APIs for extensions to do those things, and NOT actually manipulating the DOM themselves.

Uma said:
@Olin
It’s stupid but true.

No, it does not disable extensions.

But yes it does stop them from evaluating code on the page.

Vick said:
@Cale
Yes, CSPs will block local chrome extensions.

While technically true, an extension could just as easily remove the CSP response header from all network requests… It’s a roadblock that can be mitigated if the bad guys are resourceful enough.

Haru said:
Thanks to all the commenters! Yes, confirmed. It’s coming from a plugin. In this case, it was Axiom.

Leaving this here for future redditors that are trying to figure this out!

While you can use CSP rules to prevent extensions from injecting CSS, I try not to interfere with user preferences (there’s a chance someone might have an extension to increase font size or contrast, enable dark mode, etc. for accessibility reasons). Better to just do your testing in incognito mode as that disables your extensions by default.

Haru said:
Thanks to all the commenters! Yes, confirmed. It’s coming from a plugin. In this case, it was Axiom.

Leaving this here for future redditors that are trying to figure this out!

How did you track it down? Just start disabling plugins/extensions one-by-one? I’m not sure I’ve ever noticed an “injected stylesheet” in devtools.

Any plugins/extensions?

I believe this would also show if you used the CSS JS API to add rules without actually adding a CSS file, but I could be wrong.

It usually comes from browser extensions, dev tools experiments, or JavaScript-based CSS injection. Try disabling extensions or checking for scripts modifying styles dynamically.
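
For the "checking for scripts modifying styles dynamically" step, here is an added example (not code from any poster in this thread) that sorts the stylesheets a page script can see by where they came from. The function names and sample data are hypothetical, and it assumes the style was added through the DOM or CSSOM; a rule that DevTools shows but this list does not contain was added some other way.

```javascript
// Added example: classify stylesheet objects by origin.
// In a browser console on the affected page (assumed usage):
//   auditSheets([...document.styleSheets, ...document.adoptedStyleSheets], location.origin)
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:"];

// cssRules throws a SecurityError for cross-origin sheets, so guard the read.
function ruleCount(sheet) {
  try {
    return sheet.cssRules ? sheet.cssRules.length : 0;
  } catch (err) {
    return null; // not readable from page script
  }
}

function classifySheet(sheet, pageOrigin) {
  if (sheet.href) {
    let url;
    try { url = new URL(sheet.href); } catch (err) { return "unparseable-href"; }
    if (EXTENSION_SCHEMES.includes(url.protocol)) return "extension-file";
    return url.origin === pageOrigin ? "same-origin-file" : "cross-origin-file";
  }
  if (!sheet.ownerNode) return "constructed-sheet"; // new CSSStyleSheet(), adopted by script
  const text = (sheet.ownerNode.textContent || "").trim();
  // An empty <style> element that still has rules was filled via insertRule().
  if (text === "" && ruleCount(sheet) > 0) return "cssom-inserted-rules";
  return "inline-style-element";
}

function auditSheets(sheets, pageOrigin) {
  return sheets.map((sheet, index) => ({
    index,
    kind: classifySheet(sheet, pageOrigin),
    href: sheet.href || null,
    rules: ruleCount(sheet),
  }));
}

// Constructed sample objects so the block also runs outside a browser.
const SAMPLE_SHEETS = [
  { href: "https://example.test/site.css", ownerNode: {}, cssRules: [{}, {}] },
  { href: "chrome-extension://placeholder-id/inject.css", ownerNode: {}, cssRules: [{}] },
  { href: null, ownerNode: { textContent: "" }, cssRules: [{}, {}, {}] },
];
console.log(auditSheets(SAMPLE_SHEETS, "https://example.test"));
```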