summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorhackademix2019-11-07 15:12:25 +0100
committerhackademix2019-11-07 15:12:25 +0100
commit035b4f28275e671a61c3f922cce0d783a9079098 (patch)
treee2ed140d8fae6187009149ea17df17d0ab0c34f2 /src
parent07d7819666be0fa1cde4590fc04ed1500555dc25 (diff)
downloadnoscript-035b4f28275e671a61c3f922cce0d783a9079098.tar.gz
noscript-035b4f28275e671a61c3f922cce0d783a9079098.tar.xz
noscript-035b4f28275e671a61c3f922cce0d783a9079098.zip
Fixed CSP DOM injection breaking XML documents rendering.
Diffstat (limited to 'src')
-rw-r--r--src/content/DocumentCSP.js22
1 files changed, 18 insertions, 4 deletions
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
index ade9013..9991d4f 100644
--- a/src/content/DocumentCSP.js
+++ b/src/content/DocumentCSP.js
@@ -7,11 +7,20 @@ class DocumentCSP {
}
apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) {
+ let {document} = this;
+ if (!(document instanceof HTMLDocument)) {
+ // this is not HTML, hence we cannot inject a <meta> CSP
+ if (!capabilites.has("script")) {
+ // safety net for XML (especially SVG) documents
+ document.defaultView.addEventListener("beforescriptexecute",
+ e => e.preventDefault(), true);
+ }
+ return false;
+ }
let csp = this.builder;
let blocker = csp.buildFromCapabilities(capabilities, embedding);
- if (!blocker) return;
+ if (!blocker) return true;
- let document = this.document;
let createHTMLElement =
tagName => document.createElementNS("http://www.w3.org/1999/xhtml", tagName);
@@ -19,18 +28,23 @@ class DocumentCSP {
let meta = createHTMLElement("meta");
meta.setAttribute("http-equiv", header.name);
meta.setAttribute("content", header.value);
+ let root = document.documentElement;
let {head} = document;
let parent = head ||
- document.documentElement.appendChild(createHTMLElement("head"));
+ (root instanceof HTMLElement
+ ? document.documentElement.appendChild(createHTMLElement("head"))
+ : root);
try {
- parent.insertBefore(meta, parent.firstChild);
+ parent.insertBefore(meta, parent.firstElementChild);
debug(`Failsafe <meta> CSP inserted in %s: "%s"`, document.URL, header.value);
meta.remove();
if (!head) parent.remove();
} catch (e) {
error(e, "Error inserting CSP %s in %s", document.URL, header && header.value);
+ return false;
}
+ return true;
}
}