From d8332adc4e26464636a5230dd81c18ffdd748281 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Fri, 13 Mar 2020 22:31:08 +0100
Subject: Force CSP inheritance for redirections to data: URIs on Gecko pre-69.

---
 src/lib/CSP.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'src/lib/CSP.js')

diff --git a/src/lib/CSP.js b/src/lib/CSP.js
index 666f4a1..f5a2161 100644
--- a/src/lib/CSP.js
+++ b/src/lib/CSP.js
@@ -21,3 +21,18 @@ class CSP {
 CSP.isEmbedType = type => /\b(?:application|video|audio)\b/.test(type) && type !== "application/xhtml+xml";
 CSP.headerName = "content-security-policy";
+CSP.patchDataURI = (uri, blocker) => {
+ let parts = /^data:(?:[^,;]*ml)(;[^,]*)?,/i.exec(uri);
+ if (!(blocker && parts)) {
+ // not an interesting data: URI, return as it is
+ return uri;
+ }
+ if (parts[1]) {
+ // extra encoding info, let's bailout (better safe than sorry)
+ return "data:";
+ }
+ // It's a HTML/XML page, let's prepend our CSP blocker to the document
+ let patch = parts[0] + encodeURIComponent(
+ ``);
+ return uri.startsWith(patch) ? uri : patch + uri.substring(parts[0].length);
+}
-- 
cgit v1.2.3
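Review bot: `CSP.patchDataURI` has no JSDoc, and its contract is not obvious from the body: any `data:` URI whose media type ends in `ml` but carries parameters (`;charset=…`, `;base64`) is replaced by the bare `data:` document rather than patched, which callers need to know before routing redirects through it. I would add above the definition `/** Prepend the CSP blocker to an HTML/XML data: URI; parameterized variants (e.g. base64) are blanked to "data:" instead of patched. @param {string} uri @param {string} blocker @returns {string} */`. The template literal handed to `encodeURIComponent` renders empty in this view; if it interpolates `blocker` into markup, a one-line comment stating that the value comes from the extension's own policy builder rather than from page content would help the next reader judge the injection surface. The `uri.startsWith(patch)` idempotence check also only recognizes an earlier patch that used the same percent-encoding, which holds as long as this function is the only writer.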