Inline scripts are not "seen"

skriptimaahinen
Senior Member
Posts: 213
Joined: Wed Jan 10, 2018 7:37 am

Inline scripts are not "seen"

Post by skriptimaahinen » Mon Apr 30, 2018 7:22 am

NS: 10.1.8.1

As the title states, inline scripts do not get the red marker for blocked script in the CUSTOM tab (or get counted in the badge).

The problem seems to be in RequestGuard.js:onViolationReport, which appears not to detect and properly handle the CSP violation that inline scripts throw.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

Re: Inline scripts are not "seen"

Post by skriptimaahinen » Tue Jul 31, 2018 5:21 am

Something like this should do it:

RequestGuard.js/onViolationReport:525

} else if (report["violated-directive"] === "script-src" && /; script-src 'none'/.test(report["original-policy"])) {
  let r =  fakeRequestFromCSP(report, request);
  Content.reportTo(r, false, "script"); // NEW
  TabStatus.record(r, "noscriptFrame", true);
}

Of course, since the detection is based on the CSP report, once the script has been enabled and the page reloaded, there won't be a CSP report anymore and the "seen" marker disappears, which also might confuse those trying to get "maximum granularity".
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
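
The report-driven detection discussed above, and the caveat that the "seen" marker vanishes once scripts are allowed and the page is reloaded, as an added example that is not part of either post and is not NoScript's code. All function and class names are hypothetical, the sample report is constructed, and the directive check is wider than the exact "script-src" comparison in the post (it also accepts script-src-elem and script-src-attr, and parses the policy instead of matching a substring).

```javascript
// Added illustration with hypothetical names; not NoScript's RequestGuard.js.
// Split a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives;
}

// True when a script was blocked by a policy whose script-src is exactly 'none'.
// Older reports may carry the full directive text, so only its name is compared.
function isBlockedScriptReport(report) {
  const directive = String(report["violated-directive"] || "").split(/\s+/)[0];
  if (!/^script-src(-elem|-attr)?$/.test(directive)) return false;
  const sources = parsePolicy(report["original-policy"] || "").get("script-src");
  return Boolean(sources) && sources.length === 1 && sources[0] === "'none'";
}

// Per-tab "seen" markers, rebuilt from violation reports on every document load.
class SeenTracker {
  constructor() { this.tabs = new Map(); } // tabId -> Set of origins
  onNavigation(tabId) { this.tabs.set(tabId, new Set()); }
  onViolationReport(tabId, report) {
    if (!isBlockedScriptReport(report)) return false;
    // An inline script belongs to the document, so record the document's origin.
    const origin = new URL(report["document-uri"]).origin;
    if (!this.tabs.has(tabId)) this.onNavigation(tabId);
    this.tabs.get(tabId).add(origin);
    return true;
  }
  seen(tabId) { return [...(this.tabs.get(tabId) || [])]; }
}

// Constructed sample report, not captured from a real browser.
const SAMPLE_REPORT = {
  "document-uri": "https://example.test/page",
  "violated-directive": "script-src",
  "original-policy": "object-src 'none'; script-src 'none'",
};

function demo() {
  const tracker = new SeenTracker();
  tracker.onViolationReport(1, SAMPLE_REPORT); // inline script blocked
  const whileBlocked = tracker.seen(1);
  tracker.onNavigation(1); // scripts allowed, page reloaded: no report arrives
  return { whileBlocked, afterAllow: tracker.seen(1) };
}
```
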

Giorgio Maone
Site Admin
Posts: 8957
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Inline scripts are not "seen"

Post by Giorgio Maone » Thu Aug 02, 2018 6:04 am

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
