mirror of
https://github.com/gorhill/uMatrix.git
code review: mind inline styles too
parent
328f9695d8
commit
08275aa527
|
@ -193,6 +193,7 @@ return {
|
||||||
|
|
||||||
clearBrowserCacheCycle: 0,
|
clearBrowserCacheCycle: 0,
|
||||||
cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
|
cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
|
||||||
|
cspNoInlineStyle: "style-src blob: *",
|
||||||
cspNoWorker: undefined,
|
cspNoWorker: undefined,
|
||||||
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
|
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
|
||||||
firstUpdateAfter: 11 * oneMinute,
|
firstUpdateAfter: 11 * oneMinute,
|
||||||
|
|
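Review bot: `cspNoInlineStyle` is added without a comment saying what the policy is meant to block, and the value is not self-explanatory. Because `'unsafe-inline'` is absent, `style-src blob: *` disables both `<style>` elements and `style` attributes. The `*` does not match `data:` URLs, so `data:` stylesheets are blocked as well, which is probably intended but worth stating. I would add above the property `// No 'unsafe-inline': blocks <style> elements and style attributes; network stylesheets stay allowed here.`, and say whether those are filtered elsewhere, which this hunk does not show. The enclosing object literal starts and ends outside the hunk.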
|
@ -304,14 +304,16 @@ var onHeadersReceived = function(details) {
|
||||||
rootHostname = tabContext.rootHostname,
|
rootHostname = tabContext.rootHostname,
|
||||||
requestHostname = µm.URI.hostnameFromURI(requestURL);
|
requestHostname = µm.URI.hostnameFromURI(requestURL);
|
||||||
|
|
||||||
// If javascript is not allowed, say so through a `Content-Security-Policy`
|
// Inline script tags.
|
||||||
// directive.
|
|
||||||
// We block only inline-script tags, all the external javascript will be
|
|
||||||
// blocked by our request handler.
|
|
||||||
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
|
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
|
||||||
csp.push(µm.cspNoInlineScript);
|
csp.push(µm.cspNoInlineScript);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Inline style tags.
|
||||||
|
if ( µm.mustAllow(rootHostname, requestHostname, 'css' ) !== true ) {
|
||||||
|
csp.push(µm.cspNoInlineStyle);
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: Firefox will eventually support `worker-src`:
|
// TODO: Firefox will eventually support `worker-src`:
|
||||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231788
|
||||||
if ( µm.cspNoWorker === undefined ) {
|
if ( µm.cspNoWorker === undefined ) {
|
||||||
|
|
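Review bot: The new comment `// Inline style tags.` understates what the pushed directive does. A `style-src` policy without `'unsafe-inline'` also disables `style="…"` attributes, not only `<style>` elements, so pages that style through attributes will render differently when `css` is not allowed. The commit also drops the old rationale that CSP handles only inline content because external resources are blocked by the request handler; that reasoning explains the `*` in the policy string and is worth keeping, e.g. `// Inline scripts only: external scripts are blocked by the request handler.` For the new branch I would write `// Inline <style> elements and style attributes.` and add the same request-handler remark if it holds for stylesheets too, which the visible lines do not confirm. `onHeadersReceived` starts and ends outside the hunk, so how `csp` is combined with any policy the server already sent cannot be checked from here.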