authorjahoti <jahoti@tilde.team>2021-08-02 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-08-02 00:00:00 +0000
commit5b419aedd564e6506aa2fc8bddcaa5d601888f17 (patch)
tree494d1f7fa1f9600451553d5aaaa68ba28c96d250 /content
parent25817b68c03b25c9b4fcaba2b96ab65f2edfd63c (diff)
[UNTESTED- will test] Add filtering for http-equiv CSP headers
Diffstat (limited to 'content')
-rw-r--r--content/main.js27
1 files changed, 19 insertions, 8 deletions
diff --git a/content/main.js b/content/main.js
index 9ed557c..5edb8a6 100644
--- a/content/main.js
+++ b/content/main.js
@@ -19,6 +19,7 @@
* IMPORT is_chrome
* IMPORT is_mozilla
* IMPORT start_activity_info_server
+ * IMPORT sanitize_csp_header
* IMPORTS_END
*/
@@ -65,6 +66,17 @@ function block_node(node)
block_script(node);
return;
}
+
+ else if (node.tagName === 'META' &&
+ node.getAttribute('http-equiv') === 'content-security-policy') {
+
+ node.content = sanitize_csp_header(
+ {value: node.content},
+ `'nonce-${nonce}'`,
+ !policy.allow
+ ).value;
+ return;
+ }
sanitize_attributes(node);
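Review bot: The added `else if` compares `node.getAttribute('http-equiv')` to the lowercase literal with `===`, but HTML matches `http-equiv` keywords ASCII case-insensitively, so a page using the common `Content-Security-Policy` capitalisation would never reach `sanitize_csp_header` and its policy would be left unfiltered. Normalise before comparing, e.g. `(node.getAttribute('http-equiv') || '').toLowerCase() === 'content-security-policy'`. The `node.tagName === 'META'` test is similarly case-sensitive in XML documents, where tagName keeps the source case; whether this script runs on such documents is not visible here. block_node starts and continues outside the hunk.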
@@ -114,14 +126,13 @@ if (!is_privileged_url(document.URL)) {
if (!policy.allow) {
block_nodes_recursively(document.documentElement);
- if (is_chrome) {
- var observer = new MutationObserver(handle_mutation);
- observer.observe(document.documentElement, {
- attributes: true,
- childList: true,
- subtree: true
- });
- }
+ /* Now needed on Mozilla as well to sanitize CSP header */
+ var observer = new MutationObserver(handle_mutation);
+ observer.observe(document.documentElement, {
+ attributes: true,
+ childList: true,
+ subtree: true
+ });
if (is_mozilla)
addEventListener('beforescriptexecute', mozilla_suppress_scripts, true);
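Review bot: Routing the meta-CSP rewrite through this MutationObserver means it runs only after the parser has already inserted the element, because observer callbacks are delivered asynchronously. The CSP specification notes that modifications to a meta element's `content` after it has been parsed are ignored, so the sanitised value may never be the policy the browser actually enforces. Since the commit is marked untested, this should be confirmed on both engines and recorded in the comment, e.g. `/* Needed on Mozilla too. NOTE: callback runs after insertion; verify the rewritten meta CSP is the one enforced */`. handle_mutation is not visible in this hunk, so the path from the observer to block_node is inferred.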