From 5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d Mon Sep 17 00:00:00 2001
From: hackademix
Date: Wed, 18 Mar 2020 22:51:07 +0100
Subject: Prevent ANY redirection to data: URIs in documents.

---
 src/bg/ReportingCSP.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/bg/ReportingCSP.js')

diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
index 2da1bbc..e7ffe0a 100644
--- a/src/bg/ReportingCSP.js
+++ b/src/bg/ReportingCSP.js
@@ -35,11 +35,11 @@ function ReportingCSP(reportURI, reportGroup) {
               h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
             needsReportTo = false;
           } else if (blocker && /^(Location|Refresh)$/i.test(h.name)) {
+            // neutralize any HTTP redirection to data: URLs, like Chromium
             let  url = /^R/i.test(h.name)
               ? h.value.replace(/^[^,;]*[,;]url[^\w=]*=\s*/i, "") : h.value;
-            let patched = CSP.patchDataURI(url, blocker);
-            if (patched !== url) {
-              h.value = h.value.slice(0, -url.length) + patched;
+            if (/^data:/i.test(url)) {
+              h.value = h.value.slice(0, -url.length) + "data:";
             }
           }
         }
-- 
cgit v1.2.3