authorhackademix2020-03-13 22:31:08 +0100
committerhackademix2020-03-13 22:37:22 +0100
commitd8332adc4e26464636a5230dd81c18ffdd748281 (patch)
tree47bd7c5ea7e5c1a71f3e297a385106778011664a /src/lib
parentc44ab6f8aa86bf8353a8eb52c99c987fc8b4a4f9 (diff)
Force CSP inheritance for redirections to data: URIs on Gecko pre-69.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/CSP.js15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/lib/CSP.js b/src/lib/CSP.js
index 666f4a1..f5a2161 100644
--- a/src/lib/CSP.js
+++ b/src/lib/CSP.js
@@ -21,3 +21,18 @@ class CSP {
CSP.isEmbedType = type => /\b(?:application|video|audio)\b/.test(type) && type !== "application/xhtml+xml";
CSP.headerName = "content-security-policy";
+CSP.patchDataURI = (uri, blocker) => {
+ let parts = /^data:(?:[^,;]*ml)(;[^,]*)?,/i.exec(uri);
+ if (!(blocker && parts)) {
+ // not an interesting data: URI, return as it is
+ return uri;
+ }
+ if (parts[1]) {
+ // extra encoding info, let's bailout (better safe than sorry)
+ return "data:";
+ }
+ // It's a HTML/XML page, let's prepend our CSP blocker to the document
+ let patch = parts[0] + encodeURIComponent(
+ `<meta http-equiv="${CSP.headerName}" content="${blocker}">`);
+ return uri.startsWith(patch) ? uri : patch + uri.substring(parts[0].length);
+}
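Review bot: `CSP.patchDataURI` fails open on anything its regex does not recognise: the `!(blocker && parts)` branch returns the URI untouched, so the pattern `[^,;]*ml` alone decides whether a document receives the CSP `<meta>`. Whether that pattern covers every form Gecko pre-69 would render as markup cannot be verified from this hunk. I would state the intended media types above the regex, e.g. `// matches text/html, application/xhtml+xml, image/svg+xml; must stay in sync with Gecko's data: MIME parsing`, and back it with a table of test inputs. `blocker` is also interpolated into `content="${blocker}"` unescaped, which is safe only while the policy string never contains a double quote; a comment such as `// blocker must not contain '"'` would record that assumption. For the XML types the prepended, unclosed `<meta>` presumably makes the document ill-formed rather than applying a policy, which fails closed but is worth noting next to the "HTML/XML page" comment.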