From 93f963bc6cb36f40e7e2df48817f8c6d7216e13f Mon Sep 17 00:00:00 2001
From: gorhill
Date: Thu, 31 Mar 2016 08:57:54 -0400
Subject: [PATCH] this fixes #538
---
 src/js/traffic.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/js/traffic.js b/src/js/traffic.js
index 35dcfca..4ceb58b 100644
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@@ -392,10 +392,16 @@ var onHeadersReceived = function(details) {
 // Since we are modifying an existing CSP header, we need to strip out
 // 'report-uri' if it is present, to prevent spurious reporting of CSP
 // violation, and thus the leakage of information to the remote site.
+
+ // https://github.com/gorhill/uMatrix/issues/538
+ // We will replace in-place the script-src directive with our own.
 headers.push({
 'name': 'Content-Security-Policy',
- 'value': cspStripReporturi(csp.replace(reScriptsrc, '') +
- scriptsrc.replace(reUnsafeinline, ''))
+ 'value': cspStripReporturi(
+ csp.slice(0, matches.index) +
+ scriptsrc.replace(reUnsafeinline, '') +
+ csp.slice(matches.index + scriptsrc.length)
+ )
 });
 return { responseHeaders: headers };
 };
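Review bot: The tail slice `csp.slice(matches.index + scriptsrc.length)` is only correct if `scriptsrc` is exactly the text that `reScriptsrc` matched at `matches.index`; `matches` and `scriptsrc` are assigned earlier in onHeadersReceived, outside this hunk, so that cannot be confirmed here, and if `scriptsrc` is a capture group or a trimmed copy the splice would drop or duplicate characters of the policy. Tying the offset to the match itself, `csp.slice(matches.index + matches[0].length)`, keeps the in-place replacement consistent however `scriptsrc` is derived. Separately, when the matched directive lists no source other than 'unsafe-inline' (e.g. `script-src 'unsafe-inline'`), the `reUnsafeinline` replacement leaves a directive with an empty source list, which CSP source matching treats like 'none' and so blocks external scripts as well as inline ones; a short comment stating whether that outcome is intended would help the next reader.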