|
@ -304,14 +304,16 @@ var onHeadersReceived = function(details) { |
|
|
rootHostname = tabContext.rootHostname, |
|
|
rootHostname = tabContext.rootHostname, |
|
|
requestHostname = µm.URI.hostnameFromURI(requestURL); |
|
|
requestHostname = µm.URI.hostnameFromURI(requestURL); |
|
|
|
|
|
|
|
|
// If javascript is not allowed, say so through a `Content-Security-Policy`
|
|
|
|
|
|
// directive.
|
|
|
|
|
|
// We block only inline-script tags, all the external javascript will be
|
|
|
|
|
|
// blocked by our request handler.
|
|
|
|
|
|
|
|
|
// Inline script tags.
|
|
|
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) { |
|
|
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) { |
|
|
csp.push(µm.cspNoInlineScript); |
|
|
csp.push(µm.cspNoInlineScript); |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// Inline style tags.
|
|
|
|
|
|
if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) { |
|
|
|
|
|
csp.push(µm.cspNoInlineStyle); |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
// TODO: Firefox will eventually support `worker-src`:
|
|
|
// TODO: Firefox will eventually support `worker-src`:
|
|
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
|
|
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
|
|
|
if ( µm.cspNoWorker === undefined ) { |
|
|
if ( µm.cspNoWorker === undefined ) { |
|
|
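Review bot: The one-line comments `// Inline script tags.` and `// Inline style tags.` appear to replace the earlier four-line comment, and with it the rationale that CSP is only used for inline content because external resources are blocked by the request handler. That reasoning is what tells a reader why a cell that disallows `'script'` or `'css'` gets only a no-inline directive here rather than a full block, so it is worth keeping in one place above both checks. For example: `// Only inline script/style is blocked through CSP here; external resources are blocked by the request handler.` This assumes the request handler covers stylesheets as it does scripts. The definition of `µm.cspNoInlineStyle` is not visible in this hunk, so it should be confirmed that the directive restricts inline styles only and cannot loosen a stricter policy already sent by the page. The body of `onHeadersReceived` starts and ends outside the hunk.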