Fixed CSP DOM injection breaking XML documents rendering.

1 files changed, 18 insertions, 4 deletions

diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
index ade9013..9991d4f 100644
--- a/src/content/DocumentCSP.js
+++ b/src/content/DocumentCSP.js
@@ -7,11 +7,20 @@ class DocumentCSP {
   }
 
   apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) {
+    let {document} = this;
+    if (!(document instanceof HTMLDocument)) {
+      // this is not HTML, hence we cannot inject a <meta> CSP
+      if (!capabilites.has("script")) {
+        // safety net for XML (especially SVG) documents
+        document.defaultView.addEventListener("beforescriptexecute",
+          e => e.preventDefault(), true);
+      }
+      return false;
+    }
     let csp = this.builder;
     let blocker = csp.buildFromCapabilities(capabilities, embedding);
-    if (!blocker) return;
+    if (!blocker) return true;
 
-    let document = this.document;
     let createHTMLElement =
       tagName => document.createElementNS("http://www.w3.org/1999/xhtml", tagName);
 
@@ -19,18 +28,23 @@ class DocumentCSP {
     let meta = createHTMLElement("meta");
     meta.setAttribute("http-equiv", header.name);
     meta.setAttribute("content", header.value);
+    let root = document.documentElement;
     let {head} = document;
     let parent = head ||
-      document.documentElement.appendChild(createHTMLElement("head"));
+      (root instanceof HTMLElement
+        ? document.documentElement.appendChild(createHTMLElement("head"))
+        : root);
 
     try {
-      parent.insertBefore(meta, parent.firstChild);
+      parent.insertBefore(meta, parent.firstElementChild);
       debug(`Failsafe <meta> CSP inserted in %s: "%s"`, document.URL, header.value);
       meta.remove();
       if (!head) parent.remove();
     } catch (e) {
       error(e, "Error inserting CSP %s in %s", document.URL, header && header.value);
+      return false;
     }
+    return true;
   }
 
 }