
code review: mind inline styles too

pull/2/head
Raymond Hill 7 years ago
parent
commit
08275aa527
No known key found for this signature in database GPG Key ID: 25E1490B761470C2
  1. 1
      src/js/background.js
  2. 10
      src/js/traffic.js

1
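--- a/src/js/background.js
+++ b/src/js/background.js
@@ -193,6 +193,7 @@ return {
 clearBrowserCacheCycle: 0,
 cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
+cspNoInlineStyle: "style-src blob: *",
 cspNoWorker: undefined,
 updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
 firstUpdateAfter: 11 * oneMinute,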
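Review bot: `cspNoInlineStyle: "style-src blob: *"` is added without any comment on what it admits and refuses, and the directive is not as narrow as its name suggests: leaving out `'unsafe-inline'` refuses `<style>` elements and `style=` attributes alike, while `*` matches only network schemes, so `data:` stylesheets are refused even though `blob:` is explicitly allowed. A one-line comment next to the value would keep that explicit, e.g. `// No 'unsafe-inline': refuses <style> elements and style= attributes; '*' does not match data: URLs.`. Whether the asymmetry with `cspNoInlineScript` (no `'unsafe-eval'` counterpart, no `data:`) is deliberate I cannot tell from this hunk; the enclosing object literal starts and ends outside it.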

10
src/js/traffic.js

@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
rootHostname = tabContext.rootHostname, rootHostname = tabContext.rootHostname,
requestHostname = µm.URI.hostnameFromURI(requestURL); requestHostname = µm.URI.hostnameFromURI(requestURL);
// If javascript is not allowed, say so through a `Content-Security-Policy`
// directive.
// We block only inline-script tags, all the external javascript will be
// blocked by our request handler.
// Inline script tags.
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) { if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
csp.push(µm.cspNoInlineScript); csp.push(µm.cspNoInlineScript);
} }
// Inline style tags.
if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
csp.push(µm.cspNoInlineStyle);
}
// TODO: Firefox will eventually support `worker-src`: // TODO: Firefox will eventually support `worker-src`:
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788 // https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
if ( µm.cspNoWorker === undefined ) { if ( µm.cspNoWorker === undefined ) {
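Review bot: The new `css` branch at `if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true )` pushes a directive that does more than the comment `// Inline style tags.` says: a `style-src` without `'unsafe-inline'` also refuses `style=` attributes, so a page whose stylesheet requests are denied additionally loses attribute styling, which is worth stating for whoever triages breakage reports. The shortened comments also drop the rationale the longer comment lines carried, that only inline content needs a CSP directive because external script/css requests are decided by the request handler; I would keep one sentence of it, e.g. `// Only inline content needs a CSP directive; external requests are decided by the request handler.` and word the style comment as `// Inline style elements and style= attributes.`. The script and css checks are now structurally identical, so a small list of [type, directive] pairs iterated in one loop would avoid a third copy when another type is added, but that is a style preference. onHeadersReceived starts and ends outside this hunk, and which comment lines were removed rather than moved I infer from the page rendering.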
