code review: mind inline styles too

7 years ago · 08275aa527
parent 328f9695d8
commit 08275aa527
2 changed files with 7 additions and 4 deletions
--- a/src/js/background.js
+++ b/src/js/background.js
@ -193,6 +193,7 @@ return {

    clearBrowserCacheCycle: 0,
    cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
+    cspNoInlineStyle: "style-src blob: *",
    cspNoWorker: undefined,
    updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
    firstUpdateAfter: 11 * oneMinute,
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
        rootHostname = tabContext.rootHostname,
        requestHostname = µm.URI.hostnameFromURI(requestURL);

-    // If javascript is not allowed, say so through a `Content-Security-Policy`
-    // directive.
-    // We block only inline-script tags, all the external javascript will be
-    // blocked by our request handler.
+    // Inline script tags.
    if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
        csp.push(µm.cspNoInlineScript);
    }

+    // Inline style tags.
+    if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
+        csp.push(µm.cspNoInlineStyle);
+    }
+
    // TODO: Firefox will eventually support `worker-src`:
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
    if ( µm.cspNoWorker === undefined ) {