10.1.9.2rc1 CSP with file, serviceworker, etc.

skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Post by skriptimaahinen »

onScriptDisabled.js wrote:
file: documents are loaded synchronously and may not be affected by CSP. We already intercept onbeforeexecutescript event, let's cope with event and URL attributes.

There appears to be a workaround. One that you yourself introduced just a while back! That is, the "CSP meta tag" injected with content script.

However, there appears to currently be a slight problem with the approach, namely, if the head element is not available at the time the content script is loaded, the meta element will get placed in the documentElement. Unfortunately Firefox seems to disregard the meta element completely if placed there.

So what needs to be done is to ensure the meta goes to the head element. The most direct approach, and the only one I got to actually work, is to make the head element if it is not there already. Sure, we will end up with two heads, but as far as I know, Firefox is not too picky about that.

No need for onbeforeexecutescript, on-event hunting or mutationobservers.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 10.1.9.2rc1 CSP with file, serviceworker, etc.

Post by Giorgio Maone »

It works great, thanks, and you actually are not even required to keep a second HEAD around.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

Re: 10.1.9.2rc1 CSP with file, serviceworker, etc.

Post by Giorgio Maone »

Done in latest development build,
v 10.1.9.2rc2
=============================================================
+ [L10n] Transifex integration
x Work-around for DOM-injected CSP not being honored when
appended to the root element, rather than HEAD
+ Transparent support for FQDNs
+ Better UI support for file:// URLs
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
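
The workaround discussed in this thread, sketched as a content-script helper: the CSP meta element is placed inside a HEAD, and a HEAD is created when the parser has not produced one yet. This is an added example, not NoScript's code or anything posted in the thread; `injectCspMeta`, its parameters and the sample policy are assumptions.

```javascript
// Added example (not NoScript's code). `injectCspMeta`, `keepHead` and the
// sample policy below are hypothetical names and values chosen for illustration.
// Intended to run from a content script at document_start, when the parser
// may not have created <head> yet.
function injectCspMeta(doc, policy, keepHead = false) {
  const root = doc.documentElement;
  if (!root) return null; // no root element yet: the caller has to retry later

  // Use the existing HEAD when there is one. Otherwise create it, because
  // (per the thread) Firefox disregards a CSP meta appended to the root element.
  let head = doc.head;
  const createdHead = !head;
  if (createdHead) {
    head = doc.createElement("head");
    root.insertBefore(head, root.firstChild);
  }

  const meta = doc.createElement("meta");
  meta.setAttribute("http-equiv", "Content-Security-Policy");
  meta.setAttribute("content", policy);
  // Insert first, so the policy precedes anything else already in HEAD.
  head.insertBefore(meta, head.firstChild);

  // Per the reply in the thread, the extra HEAD does not have to stay around,
  // so by default it is removed again and the parser's own HEAD is the only one.
  if (createdHead && !keepHead) head.remove();

  return { meta, createdHead };
}

// In a content script this runs against the live document; outside a browser
// (no global `document`) it is skipped. The policy is a constructed sample.
if (typeof document !== "undefined") {
  injectCspMeta(document, "script-src 'none'");
}
```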