utilize CSP for blocking

1 files changed, 4 insertions, 6 deletions

diff --git a/TODOS.org b/TODOS.org
index c06616a..b2b1edf 100644
--- a/TODOS.org
+++ b/TODOS.org
@@ -23,18 +23,15 @@ TODO:
 - find some way not to require each chrome user to modify manifest.json
 - rename the extension to something good
 - port to gecko-based browsers -- CRUCIAL
-- make it possible to modify CSP to suit our custom scripts' needs
-  - find a way to additionally block all other scripts using CSP
-    as an additional safety measure
+- make sure page's own csp doesn't block our scripts
 - make blocking more torough -- CRUCIAL
-  - also block intrinsics -- CRUCIAL
   - mind the data: urls -- CRUCIAL
-- find out how and make it possible to whitelist non-https urls
+- find out how and make it possible to whitelist non-https urls and
+  whether we can inject csp to them
 - create a repository to host scripts
   - enable the extension to automatically fetch script substitutes from the repo
 - make it possible to inject scripts to arbitrary places in DOM
   - make script blocking code omit those scripts
-- facilitate waiting for script injection until DOM has loaded
 - check if prerendering has to be blocked -- CRUCIAL
 - block prefetch
 - rearrange files in extension, add some mechanism to build the extension
@@ -43,6 +40,7 @@ TODO:
 - perform never-ending refactoring of already-written code
 
 DONE:
+- find a way to additionally block all other scripts using CSP -- DONE 2021-05-13
 - only allow a single injection payload for page -- DONE 2021-05-13
 - rename "bundles" to "bags" to avoid confusion with Web Bundles -- DONE 2021-05-12
 - use non-predictable value in place of "myext-allow", utilizing hashes -- DONE 2021-05-12