Inline scripts are not "seen"

Posted: Mon Apr 30, 2018 7:22 am
by skriptimaahinen
NS: 10.1.8.1

As the title states, inline scripts do not get the red marker for blocked script in the CUSTOM tab (or get counted in the badge).

The problem seems to be in RequestGuard.js:onViolationReport, which appears not to properly detect and handle the CSP violation that inline scripts throw.

Re: Inline scripts are not "seen"

Posted: Tue Jul 31, 2018 5:21 am
by skriptimaahinen
Something like this should do it:

RequestGuard.js/onViolationReport:525

Code:

} else if (report["violated-directive"] === "script-src" && /; script-src 'none'/.test(report["original-policy"])) {
  let r = fakeRequestFromCSP(report, request);
  Content.reportTo(r, false, "script"); // NEW
  TabStatus.record(r, "noscriptFrame", true);
}

Of course, since the detection is based on the CSP report, once the script has been enabled and the page reloaded, there won't be a CSP report anymore and the "seen" marker disappears, which also might confuse those trying to get "maximum granularity".
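Added example (not part of the original post and not NoScript's code): a stand-alone version of the report check discussed above that parses `original-policy` into directives instead of matching it with a regex, so it does not depend on `script-src` being preceded by another directive, followed by a small model of the reload caveat. The function names, sample reports and the `/hypothetical-endpoint` URI are assumptions made for illustration.

```javascript
// Added illustration; not NoScript source. The report field names
// ("violated-directive", "original-policy") are the ones used in the thread.

// Split a serialized CSP into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of String(policy || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP the first occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Same intent as the condition in the thread: a script-src violation raised
// under a policy whose script-src source list is exactly 'none'.
function isBlockedByScriptSrcNone(report) {
  // CSP Level 2 reports carry the whole directive text ("script-src 'none'"),
  // later ones only the name, so compare the first token.
  const violated = String(report["violated-directive"] || "").trim().split(/\s+/)[0];
  if (violated !== "script-src") return false;
  const sources = parsePolicy(report["original-policy"]).get("script-src");
  return Array.isArray(sources) && sources.length === 1 &&
    sources[0].toLowerCase() === "'none'";
}

// Model of the caveat: the marker is derived only from the reports received
// during the current page load, so it is rebuilt from scratch on every load.
function seenAfterLoad(reports) {
  return reports.some(isBlockedByScriptSrcNone);
}

// Constructed sample data (not captured from a real browser session).
const blockedLoad = [{
  "document-uri": "https://example.test/",
  "violated-directive": "script-src",
  "original-policy": "script-src 'none'; object-src 'none'; report-uri /hypothetical-endpoint",
}];
const allowedReload = []; // scripts enabled: no violation, so no report arrives

console.log("first load, scripts blocked:", seenAfterLoad(blockedLoad));
console.log("after enabling and reloading:", seenAfterLoad(allowedReload));
```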

Re: Inline scripts are not "seen"

Posted: Thu Aug 02, 2018 6:04 am
by Giorgio Maone