From 035b4f28275e671a61c3f922cce0d783a9079098 Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 7 Nov 2019 15:12:25 +0100 Subject: Fixed CSP DOM injection breaking XML documents rendering. --- src/content/DocumentCSP.js | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js index ade9013..9991d4f 100644 --- a/src/content/DocumentCSP.js +++ b/src/content/DocumentCSP.js @@ -7,11 +7,20 @@ class DocumentCSP { } apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) { + let {document} = this; + if (!(document instanceof HTMLDocument)) { + // this is not HTML, hence we cannot inject a CSP + if (!capabilites.has("script")) { + // safety net for XML (especially SVG) documents + document.defaultView.addEventListener("beforescriptexecute", + e => e.preventDefault(), true); + } + return false; + } let csp = this.builder; let blocker = csp.buildFromCapabilities(capabilities, embedding); - if (!blocker) return; + if (!blocker) return true; - let document = this.document; let createHTMLElement = tagName => document.createElementNS("http://www.w3.org/1999/xhtml", tagName); @@ -19,18 +28,23 @@ class DocumentCSP { let meta = createHTMLElement("meta"); meta.setAttribute("http-equiv", header.name); meta.setAttribute("content", header.value); + let root = document.documentElement; let {head} = document; let parent = head || - document.documentElement.appendChild(createHTMLElement("head")); + (root instanceof HTMLElement + ? document.documentElement.appendChild(createHTMLElement("head")) + : root); try { - parent.insertBefore(meta, parent.firstChild); + parent.insertBefore(meta, parent.firstElementChild); debug(`Failsafe CSP inserted in %s: "%s"`, document.URL, header.value); meta.remove(); if (!head) parent.remove(); } catch (e) { error(e, "Error inserting CSP %s in %s", document.URL, header && header.value); + return false; } + return true; } } -- cgit v1.2.3