mirror of https://github.com/gorhill/uMatrix.git synced 2024-05-20 20:23:37 +12:00

code review: mind inline styles too

Raymond Hill 2018-01-16 10:44:06 -05:00
parent 328f9695d8
commit 08275aa527
No known key found for this signature in database
GPG key ID: 25E1490B761470C2
2 changed files with 7 additions and 4 deletions


@ -193,6 +193,7 @@ return {
clearBrowserCacheCycle: 0,
cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
cspNoInlineStyle: "style-src blob: *",
cspNoWorker: undefined,
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
firstUpdateAfter: 11 * oneMinute,
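Review bot: The new `cspNoInlineStyle` value blocks inline styles only by omission (there is no `'unsafe-inline'` in `style-src blob: *`), and nothing beside the setting says so, so a later edit to the source list could silently re-enable them. The `*` source does not match `data:` URLs, so `data:` stylesheets are blocked by this policy as well; if that is intended it is worth stating, and if not, `data:` needs listing next to `blob:`. I would add a comment above the two policy strings such as `// No 'unsafe-inline' on purpose: that is what blocks inline content; '*' does not match data:`. The enclosing `return {` object starts and ends outside the hunk.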


@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
rootHostname = tabContext.rootHostname,
requestHostname = µm.URI.hostnameFromURI(requestURL);
// If javascript is not allowed, say so through a `Content-Security-Policy`
// directive.
// We block only inline-script tags, all the external javascript will be
// blocked by our request handler.
// Inline script tags.
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
csp.push(µm.cspNoInlineScript);
}
// Inline style tags.
if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
csp.push(µm.cspNoInlineStyle);
}
// TODO: Firefox will eventually support `worker-src`:
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
if ( µm.cspNoWorker === undefined ) {
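Review bot: The comment `// Inline style tags.` understates what `cspNoInlineStyle` does: a `style-src` without `'unsafe-inline'` also blocks `style="..."` attributes, not only `<style>` elements, so pages that rely on attribute styling will be affected whenever the `css` cell is not allowed. The commit also drops the old explanation that external javascript is left to the request handler and the CSP covers only inline content; presumably the same split holds for stylesheets, and one line such as `// CSP covers inline content only; external resources are blocked by the request handler.` would keep that rationale for both checks. How the entries of `csp` are joined into the header is outside the hunk, so whether the two directives end up in one policy or in separate ones cannot be checked from here. `onHeadersReceived` starts and ends outside the hunk.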