|
|
@ -299,24 +299,44 @@ var onHeadersReceived = function(details) {
|
|
|
|
var tabContext = µm.tabContextManager.lookup(tabId);
|
|
|
|
var tabContext = µm.tabContextManager.lookup(tabId);
|
|
|
|
if ( tabContext === null ) { return; }
|
|
|
|
if ( tabContext === null ) { return; }
|
|
|
|
|
|
|
|
|
|
|
|
if ( µm.mustAllow(tabContext.rootHostname, µm.URI.hostnameFromURI(requestURL), 'script') ) {
|
|
|
|
var csp = [];
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
if (
|
|
|
|
|
|
|
|
µm.mustAllow(
|
|
|
|
|
|
|
|
tabContext.rootHostname,
|
|
|
|
|
|
|
|
µm.URI.hostnameFromURI(requestURL),
|
|
|
|
|
|
|
|
'script'
|
|
|
|
|
|
|
|
) !== true
|
|
|
|
|
|
|
|
) {
|
|
|
|
|
|
|
|
csp.push("script-src 'unsafe-eval' blob: *");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( µm.cspNoWorkerSrc === undefined ) {
|
|
|
|
|
|
|
|
µm.cspNoWorkerSrc = vAPI.webextFlavor.startsWith('Mozilla-') ?
|
|
|
|
|
|
|
|
"child-src 'none'; frame-src data: blob: *" :
|
|
|
|
|
|
|
|
"worker-src 'none'" ;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( µm.tMatrix.evaluateSwitchZ('no-workers', tabContext.rootHostname) ) {
|
|
|
|
|
|
|
|
csp.push(µm.cspNoWorkerSrc);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( csp.length === 0 ) { return; }
|
|
|
|
|
|
|
|
|
|
|
|
// If javascript is not allowed, say so through a `Content-Security-Policy`
|
|
|
|
// If javascript is not allowed, say so through a `Content-Security-Policy`
|
|
|
|
// directive.
|
|
|
|
// directive.
|
|
|
|
// We block only inline-script tags, all the external javascript will be
|
|
|
|
// We block only inline-script tags, all the external javascript will be
|
|
|
|
// blocked by our request handler.
|
|
|
|
// blocked by our request handler.
|
|
|
|
|
|
|
|
|
|
|
|
var csp = "script-src 'unsafe-eval' blob: *",
|
|
|
|
var cspDirectives = csp.join(','),
|
|
|
|
headers = details.responseHeaders,
|
|
|
|
headers = details.responseHeaders,
|
|
|
|
i = headerIndexFromName('content-security-policy', headers);
|
|
|
|
i = headerIndexFromName('content-security-policy', headers);
|
|
|
|
// A CSP header is already present: just add our own directive as a
|
|
|
|
// A CSP header is already present: just add our own directive as a
|
|
|
|
// separate disposition (i.e. use comma).
|
|
|
|
// separate disposition (i.e. use comma).
|
|
|
|
if ( i !== -1 ) {
|
|
|
|
if ( i !== -1 ) {
|
|
|
|
headers[i].value += ', ' + csp;
|
|
|
|
headers[i].value += ', ' + cspDirectives;
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
headers.push({ name: 'Content-Security-Policy', value: csp });
|
|
|
|
headers.push({ name: 'Content-Security-Policy', value: cspDirectives });
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if ( requestType === 'doc' ) {
|
|
|
|
if ( requestType === 'doc' ) {
|
|
|
|