code review: mind inline styles too

src/js/background.js

@@ -193,6 +193,7 @@ return {
 
     clearBrowserCacheCycle: 0,
     cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
+    cspNoInlineStyle: "style-src blob: *",
     cspNoWorker: undefined,
     updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
     firstUpdateAfter: 11 * oneMinute,

src/js/traffic.js

@@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
         rootHostname = tabContext.rootHostname,
         requestHostname = µm.URI.hostnameFromURI(requestURL);
 
-    // If javascript is not allowed, say so through a `Content-Security-Policy`
-    // directive.
-    // We block only inline-script tags, all the external javascript will be
-    // blocked by our request handler.
+    // Inline script tags.
     if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
         csp.push(µm.cspNoInlineScript);
     }
 
+    // Inline style tags.
+    if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
+        csp.push(µm.cspNoInlineStyle);
+    }
+
     // TODO: Firefox will eventually support `worker-src`:
     // https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
     if ( µm.cspNoWorker === undefined ) {