Raymond Hill
7 years ago
No known key found for this signature in database
GPG Key ID: 25E1490B761470C2
2 changed files with
7 additions and
4 deletions
-
src/js/background.js
-
src/js/traffic.js
|
|
@ -193,6 +193,7 @@ return { |
|
|
|
|
|
|
|
clearBrowserCacheCycle: 0, |
|
|
|
cspNoInlineScript: "script-src 'unsafe-eval' blob: *", |
|
|
|
cspNoInlineStyle: "style-src blob: *", |
|
|
|
cspNoWorker: undefined, |
|
|
|
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond, |
|
|
|
firstUpdateAfter: 11 * oneMinute, |
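Review bot: The CSP strings `cspNoInlineScript` and `cspNoInlineStyle` in this settings object have no comment saying that the blocking comes from leaving out `'unsafe-inline'`, so a later edit could add that keyword and silently disable the protection. The +/- markers are lost in this rendering, but `cspNoInlineStyle` looks like the line this hunk adds; above it I would put `// No 'unsafe-inline' on purpose: this is what blocks <style> elements and style="" attributes.` Note also that `*` in a CSP source list does not match `data:` URLs, so `style-src blob: *` rejects `data:` stylesheets as well; if that is intended, a second comment line should say so. The enclosing object literal starts and ends outside the hunk.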
|
|
|
|
|
@ -304,14 +304,16 @@ var onHeadersReceived = function(details) { |
|
|
|
rootHostname = tabContext.rootHostname, |
|
|
|
requestHostname = µm.URI.hostnameFromURI(requestURL); |
|
|
|
|
|
|
|
// If javascript is not allowed, say so through a `Content-Security-Policy`
|
|
|
|
// directive.
|
|
|
|
// We block only inline-script tags, all the external javascript will be
|
|
|
|
// blocked by our request handler.
|
|
|
|
// Inline script tags.
|
|
|
|
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) { |
|
|
|
csp.push(µm.cspNoInlineScript); |
|
|
|
} |
|
|
|
|
|
|
|
// Inline style tags.
|
|
|
|
if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) { |
|
|
|
csp.push(µm.cspNoInlineStyle); |
|
|
|
} |
|
|
|
|
|
|
|
// TODO: Firefox will eventually support `worker-src`:
|
|
|
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
|
|
|
|
if ( µm.cspNoWorker === undefined ) { |
|
|
|