diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/content/DocumentCSP.js | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js index ade9013..9991d4f 100644 --- a/src/content/DocumentCSP.js +++ b/src/content/DocumentCSP.js @@ -7,11 +7,20 @@ class DocumentCSP { } apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) { + let {document} = this; + if (!(document instanceof HTMLDocument)) { + // this is not HTML, hence we cannot inject a <meta> CSP + if (!capabilites.has("script")) { + // safety net for XML (especially SVG) documents + document.defaultView.addEventListener("beforescriptexecute", + e => e.preventDefault(), true); + } + return false; + } let csp = this.builder; let blocker = csp.buildFromCapabilities(capabilities, embedding); - if (!blocker) return; + if (!blocker) return true; - let document = this.document; let createHTMLElement = tagName => document.createElementNS("http://www.w3.org/1999/xhtml", tagName); @@ -19,18 +28,23 @@ class DocumentCSP { let meta = createHTMLElement("meta"); meta.setAttribute("http-equiv", header.name); meta.setAttribute("content", header.value); + let root = document.documentElement; let {head} = document; let parent = head || - document.documentElement.appendChild(createHTMLElement("head")); + (root instanceof HTMLElement + ? document.documentElement.appendChild(createHTMLElement("head")) + : root); try { - parent.insertBefore(meta, parent.firstChild); + parent.insertBefore(meta, parent.firstElementChild); debug(`Failsafe <meta> CSP inserted in %s: "%s"`, document.URL, header.value); meta.remove(); if (!head) parent.remove(); } catch (e) { error(e, "Error inserting CSP %s in %s", document.URL, header && header.value); + return false; } + return true; } } |