
Doesn’t work (at least for me in Chrome with Tampermonkey) due to Hacker News’s Content-Security-Policy header.

> Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src data: 'self' <URL>".

Overriding this would probably require an extension with a Service Worker that edits the CSP header.
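Added example, not code from this thread or from the script it discusses: a minimal img-src checker that shows why the load above was refused and why a data: URI would have passed. It models only the source expressions HN's directive uses ('self', a scheme such as data:, and a host with optional "*." wildcard and port); the allowed host in the header below is constructed, since the quoted log elides the real one.

```javascript
// Added example (not from the thread): a minimal img-src checker that explains
// the "Refused to load the image" error above. It models the source expressions
// HN's directive uses: 'self', a scheme such as data:, and a host (with optional
// "*." wildcard and port). The header below is constructed; the real HN header's
// allowed host is elided in the quoted log.
const HN_CSP = "img-src data: 'self' cdn.example.test"; // constructed
const PAGE_ORIGIN = 'https://news.ycombinator.com';

function parseImgSrc(cspHeader) {
  const directive = cspHeader.split(';').map(d => d.trim())
    .find(d => /^img-src(\s|$)/i.test(d));
  if (!directive) return null; // no img-src: default-src would govern (not modelled)
  return directive.replace(/^img-src/i, '').split(/\s+/).filter(Boolean);
}

function hostMatches(pattern, hostname) {
  if (!pattern.startsWith('*.')) return pattern === hostname;
  const suffix = pattern.slice(1); // "*.example.test" -> ".example.test"
  return hostname.endsWith(suffix) && hostname.length > suffix.length;
}

// True when <img src="imgUrl"> on a page at pageOrigin is permitted by cspHeader.
function imgAllowed(cspHeader, pageOrigin, imgUrl) {
  const sources = parseImgSrc(cspHeader);
  if (sources === null) return true;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const url = new URL(imgUrl, pageOrigin);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === page.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) { // scheme source, e.g. data:
      if (url.protocol === src.toLowerCase()) return true;
      continue;
    }
    // host source: [scheme://]host[:port]; anything else (nonce, hash) never matches an image
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
    if (!m) continue;
    const [, scheme, host, port] = m;
    if (scheme ? url.protocol !== scheme.toLowerCase() + ':' : !/^https?:$/.test(url.protocol)) continue;
    if (!hostMatches(host.toLowerCase(), url.hostname)) continue;
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (port && port !== '*' && urlPort !== port) continue;
    return true;
  }
  return false;
}
```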



This modification works for me: https://greasyfork.org/en/scripts/443687-hn-favicons. It uses GM.addElement to bypass CSP restrictions.


Ha, I literally just rewrote the original code essentially identically to this.

Unfortunately, it still doesn't help in Tampermonkey in Safari.


Yeah, appears XHR/fetches are similarly blocked – was looking into data URIs. Good job HN for getting a decent CSP set up!


All I need in my life right now is trying to debug someone else's XHR problems. Lord, why didn't you send me this sooner.


It's possible that GreaseMonkey on Firefox has different policies than other extensions on Chrome.


Greasemonkey injects scripts into the content context [1], which is (arguably) more secure than injecting them directly into the page. From there they run with similar permissions to the extension which installs them. They can't be blocked by the page's CSP settings, and requests they make aren't subject to the same-origin policy. On the other hand, they're isolated from the page, which provides an additional layer of protection from the page accidentally getting access to privileged APIs like GM.xmlHttpRequest, which is a historic issue with user script managers.

ViolentMonkey supports this API, but unfortunately doesn't use it by default. You can enable it with `// @inject-into content` in the header.

Firefox additionally has an API and context specifically for user scripts (the userScript API), but GreaseMonkey doesn't use this unfortunately. A pull request adding support for it to either GM or ViolentMonkey would be nice if someone knowledgeable were so inclined. This API provides some additional protection (scripts are subject to SOP unless the extension breaks them out, and scripts are in addition isolated from each other), so it's a "nice-to-have" but not totally necessary if your user scripts come from trustworthy sources (i.e. you write them yourself).

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...



