From 035b4f28275e671a61c3f922cce0d783a9079098 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Thu, 7 Nov 2019 15:12:25 +0100
Subject: Fixed CSP DOM injection breaking XML documents rendering.
---
src/content/DocumentCSP.js | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
index ade9013..9991d4f 100644
--- a/src/content/DocumentCSP.js
+++ b/src/content/DocumentCSP.js
@@ -7,11 +7,20 @@ class DocumentCSP {
}
apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) {
+ let {document} = this;
+ if (!(document instanceof HTMLDocument)) {
+ // this is not HTML, hence we cannot inject a CSP
+ if (!capabilites.has("script")) {
+ // safety net for XML (especially SVG) documents
+ document.defaultView.addEventListener("beforescriptexecute",
+ e => e.preventDefault(), true);
+ }
+ return false;
+ }
let csp = this.builder;
let blocker = csp.buildFromCapabilities(capabilities, embedding);
- if (!blocker) return;
+ if (!blocker) return true;
- let document = this.document;
let createHTMLElement =
tagName => document.createElementNS("http://www.w3.org/1999/xhtml", tagName);
@@ -19,18 +28,23 @@ class DocumentCSP {
let meta = createHTMLElement("meta");
meta.setAttribute("http-equiv", header.name);
meta.setAttribute("content", header.value);
+ let root = document.documentElement;
let {head} = document;
let parent = head ||
- document.documentElement.appendChild(createHTMLElement("head"));
+ (root instanceof HTMLElement
+ ? document.documentElement.appendChild(createHTMLElement("head"))
+ : root);
try {
- parent.insertBefore(meta, parent.firstChild);
+ parent.insertBefore(meta, parent.firstElementChild);
debug(`Failsafe CSP inserted in %s: "%s"`, document.URL, header.value);
meta.remove();
if (!head) parent.remove();
} catch (e) {
error(e, "Error inserting CSP %s in %s", document.URL, header && header.value);
+ return false;
}
+ return true;
}
}
--
cgit v1.2.3