code review: mind inline styles too
parent
328f9695d8
commit
08275aa527
|
@ -193,6 +193,7 @@ return {
|
|||
|
||||
clearBrowserCacheCycle: 0,
|
||||
cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
|
||||
cspNoInlineStyle: "style-src blob: *",
|
||||
cspNoWorker: undefined,
|
||||
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
|
||||
firstUpdateAfter: 11 * oneMinute,
|
||||
|
|
|
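Review bot: `cspNoInlineStyle` is added with no comment on why the value has this shape. It blocks inline styles only because it omits `'unsafe-inline'`, and `blob: *` leaves external stylesheets to whatever filters requests elsewhere (presumably the request handler, which is not visible here). A line such as `// No 'unsafe-inline': inline <style> and style="" are refused; external sheets are not restricted by this directive` would keep a later edit from widening it by accident. Since `*` in a CSP source list does not match `data:`, `data:` stylesheets are refused as well; that looks intended but is worth stating next to the value.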
@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
|
|||
rootHostname = tabContext.rootHostname,
|
||||
requestHostname = µm.URI.hostnameFromURI(requestURL);
|
||||
|
||||
// If javascript is not allowed, say so through a `Content-Security-Policy`
|
||||
// directive.
|
||||
// We block only inline-script tags, all the external javascript will be
|
||||
// blocked by our request handler.
|
||||
// Inline script tags.
|
||||
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
|
||||
csp.push(µm.cspNoInlineScript);
|
||||
}
|
||||
|
||||
// Inline style tags.
|
||||
if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
|
||||
csp.push(µm.cspNoInlineStyle);
|
||||
}
|
||||
|
||||
// TODO: Firefox will eventually support `worker-src`:
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
|
||||
if ( µm.cspNoWorker === undefined ) {
|
||||
|
|
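Review bot: The four-line rationale above the script check (ending `all the external javascript will be blocked by our request handler.`) appears to be replaced by the bare `// Inline script tags.`, and the new `'css'` branch gets only `// Inline style tags.`, so the reason the policy targets inline content only is no longer written down. I would keep one line above both checks, for example `// CSP covers inline content only; external resources are blocked by the request handler.`, assuming stylesheets are filtered there the same way, which this hunk does not show. `style-src` without `'unsafe-inline'` also refuses `style=""` attributes, so "tags" understates what the second branch blocks. `onHeadersReceived` starts and ends outside this hunk, including the code that combines the `csp` entries into the header, so that join is worth checking now that several directives can be pushed together.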