Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen).

author: hackademix 2020-03-01 22:17:55 +0100
committer: hackademix 2020-03-01 22:17:55 +0100
commit: 8f2f845856dca93c87573fe63877b9201cf86570 (patch)
tree: 74f8dee06f7a5347b5a79c60744e2a0095b7eef8
parent: acddfd8e79ce1624435f5b5e6239f6d0ccc2d8f2 (diff)
download: noscript-8f2f845856dca93c87573fe63877b9201cf86570.tar.gz
noscript-8f2f845856dca93c87573fe63877b9201cf86570.tar.xz
noscript-8f2f845856dca93c87573fe63877b9201cf86570.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/common/CapsCSP.js b/src/common/CapsCSP.js
index 6621c95..cc1be72 100644
--- a/src/common/CapsCSP.js
+++ b/src/common/CapsCSP.js
@@ -2,7 +2,7 @@
 
 function CapsCSP(baseCSP = new CSP()) {
   return Object.assign(baseCSP, {
-    types: ["script", "object", "media"],
+    types: ["script", "object", "media", "font"],
     dataUriTypes: ["font", "media", "object"],
     buildFromCapabilities(capabilities, blockHttp = false) {
       let forbidData = new Set(this.dataUriTypes.filter(t => !capabilities.has(t)));
author	hackademix	2020-03-01 22:17:55 +0100
committer	hackademix	2020-03-01 22:17:55 +0100
commit	8f2f845856dca93c87573fe63877b9201cf86570 (patch)
tree	74f8dee06f7a5347b5a79c60744e2a0095b7eef8
parent	acddfd8e79ce1624435f5b5e6239f6d0ccc2d8f2 (diff)
download	noscript-8f2f845856dca93c87573fe63877b9201cf86570.tar.gz noscript-8f2f845856dca93c87573fe63877b9201cf86570.tar.xz noscript-8f2f845856dca93c87573fe63877b9201cf86570.zip