Prevent ANY redirection to data: URIs in documents.

author: hackademix 2020-03-18 22:51:07 +0100
committer: hackademix 2020-03-18 22:51:07 +0100
commit: 5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d (patch)
tree: d5c3242b8d7b11e365ec5f3fe033632f2a71a445 /src/lib/CSP.js
parent: 9b3a12f9a3a7a12420b759475b1983f6d387a195 (diff)
download: noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.tar.gz
noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.tar.xz
noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/CSP.js b/src/lib/CSP.js
index f5a2161..ad0afa2 100644
--- a/src/lib/CSP.js
+++ b/src/lib/CSP.js
@@ -22,7 +22,7 @@ class CSP {
 CSP.isEmbedType = type => /\b(?:application|video|audio)\b/.test(type) && type !== "application/xhtml+xml";
 CSP.headerName = "content-security-policy";
 CSP.patchDataURI = (uri, blocker) => {
-  let parts = /^data:(?:[^,;]*ml)(;[^,]*)?,/i.exec(uri);
+  let parts = /^data:(?:[^,;]*ml|unknown-content-type)(;[^,]*)?,/i.exec(uri);
   if (!(blocker && parts)) {
     // not an interesting data: URI, return as it is
     return uri;
@@ -33,6 +33,6 @@ CSP.patchDataURI = (uri, blocker) => {
   }
   // It's a HTML/XML page, let's prepend our CSP blocker to the document
   let patch = parts[0] + encodeURIComponent(
-    `<meta http-equiv="${CSP.headerName}" content="${blocker}">`);
+    `<meta http-equiv="${CSP.headerName}" content="${blocker}"/>`);
   return uri.startsWith(patch) ? uri : patch + uri.substring(parts[0].length);
 }
author	hackademix	2020-03-18 22:51:07 +0100
committer	hackademix	2020-03-18 22:51:07 +0100
commit	5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d (patch)
tree	d5c3242b8d7b11e365ec5f3fe033632f2a71a445 /src/lib/CSP.js
parent	9b3a12f9a3a7a12420b759475b1983f6d387a195 (diff)
download	noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.tar.gz noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.tar.xz noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.zip