From 08275aa527835fd3fbf68dcc0aabf293d9d31ef6 Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Tue, 16 Jan 2018 10:44:06 -0500
Subject: [PATCH] code review: mind inline styles too

---
 src/js/background.js | 1 +
 src/js/traffic.js | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/js/background.js b/src/js/background.js
index 300091e..f8d4667 100644
--- a/src/js/background.js
+++ b/src/js/background.js
@@ -193,6 +193,7 @@ return {
 clearBrowserCacheCycle: 0,
 cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
+ cspNoInlineStyle: "style-src blob: *",
 cspNoWorker: undefined,
 updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
 firstUpdateAfter: 11 * oneMinute,
diff --git a/src/js/traffic.js b/src/js/traffic.js
index 9bfd373..23b027a 100644
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
 rootHostname = tabContext.rootHostname,
 requestHostname = µm.URI.hostnameFromURI(requestURL);
- // If javascript is not allowed, say so through a `Content-Security-Policy`
- // directive.
- // We block only inline-script tags, all the external javascript will be
- // blocked by our request handler.
+ // Inline script tags.
 if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
 csp.push(µm.cspNoInlineScript);
 }
+ // Inline style tags.
+ if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
+ csp.push(µm.cspNoInlineStyle);
+ }
+
 // TODO: Firefox will eventually support `worker-src`:
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
 if ( µm.cspNoWorker === undefined ) {
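Review bot: The new `cspNoInlineStyle` value should carry a comment, because its effect is wider than the name suggests: a `style-src` source list with no `'unsafe-inline'` blocks `style=""` attributes as well as `<style>` elements, and the `*` wildcard does not match `data:` URLs, so `data:` stylesheets are dropped too (presumably why `blob:` is listed explicitly, mirroring `cspNoInlineScript`). It is also worth recording what the directive does not do: `style-src` does not govern styles applied through the CSSOM (`el.style.x = …`) by script that is still allowed. Suggested comment above the line: `// No 'unsafe-inline': blocks <style> elements and style="" attributes, and data: sheets (not matched by *). External sheets still load from any host plus blob:; CSSOM changes from script are not covered.`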
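Review bot: The new `// Inline style tags.` comment, like the replaced `// Inline script tags.`, loses the rationale the four removed lines carried — that the CSP only has to cover inline code because external resources are refused by the request handler — and it understates the directive, which also blocks `style=""` attributes. Suggest `// Inline <style> elements and style="" attributes; external stylesheets are presumably refused by the request handler (as the old comment said for scripts), so the CSP only covers what that handler cannot see.` on the new block, with matching wording on the script block. The two checks are independent, so with 'css' denied but 'script' allowed a permitted script can still style the page through the CSSOM, which `style-src` does not restrict; if that is an accepted gap, a one-line note here would save the next reader the question. `onHeadersReceived` begins before the hunk and continues past it, so how `csp` is merged with a pre-existing `Content-Security-Policy` response header (appending a second header versus joining directives) cannot be checked from here.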