From f95f7b809d994f4b581ea71885addbfa177b49fb Mon Sep 17 00:00:00 2001 From: hackademix Date: Tue, 4 Sep 2018 22:43:00 +0200 Subject: Ensure we remove the HEAD element parent of our META CSP policy only if we created it. --- src/content/DocumentCSP.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js index 7fd666c..63f5d1e 100644 --- a/src/content/DocumentCSP.js +++ b/src/content/DocumentCSP.js @@ -19,7 +19,8 @@ class DocumentCSP { let meta = createHTMLElement("meta"); meta.setAttribute("http-equiv", header.name); meta.setAttribute("content", header.value); - let parent = document.head || + let {head} = document; + let parent = head || document.documentElement.appendChild(createHTMLElement("head")); try { @@ -27,7 +28,7 @@ class DocumentCSP { debug(`Failsafe CSP inserted in the DOM: "%s"`, header.value); if (capabilities.has("script")) { meta.remove(); - if (!parent.firstChild) parent.remove(); + if (!head) parent.remove(); } } catch (e) { error(e, "Error inserting CSP %s in the DOM", header && header.value); -- cgit v1.2.3