NS: 10.1.8.1
As title states, inline scripts do not get the red marker for blocked script in the CUSTOM tab (or get counted in the badge).
Problem seems to be in RequestGuard.js:onViolationReport, which appears not to detect and handle properly the CSP violation inline scripts throw.
Inline scripts are not "seen"
-
skriptimaahinen
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Inline scripts are not "seen"
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
-
skriptimaahinen
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Re: Inline scripts are not "seen"
Something like this should do it:
RequestGuard.js/onViolationReport:525
Of course since the detection is based on CSP report, once the script has been enabled and page reloaded, there won't be CSP report anymore and the "seen" marker disappears, which also might confuse those trying to get "maximum granularity".
RequestGuard.js/onViolationReport:525
Code: Select all
} else if (report["violated-directive"] === "script-src" && /; script-src 'none'/.test(report["original-policy"])) {
let r = fakeRequestFromCSP(report, request);
Content.reportTo(r, false, "script"); // NEW
TabStatus.record(r, "noscriptFrame", true);
}Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
-
Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Inline scripts are not "seen"
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0