Diffstat (limited to 'common/policy.js')
-rw-r--r--common/policy.js43
1 files changed, 36 insertions, 7 deletions
diff --git a/common/policy.js b/common/policy.js
index e14d8cd..6bcb54b 100644
--- a/common/policy.js
+++ b/common/policy.js
@@ -49,16 +49,15 @@
* CSP rule that either blocks all scripts or only allows scripts with specified
* nonce attached.
*/
-function make_csp(nonce)
-{
- const rule = nonce ? `nonce-${nonce}` : "none";
+function make_csp(nonce) {
+ const rule = nonce ? `'nonce-${nonce}'` : "'none'";
const csp_list = [
- ["prefetch-src", "none"],
- ["script-src-attr", "none"],
- ["script-src", rule],
+ ["prefetch-src", "'none'"],
+ ["script-src-attr", "'none'"],
+ ["script-src", rule, "'unsafe-eval'"],
["script-src-elem", rule]
];
- return csp_list.map(([a, b]) => `${a} '${b}';`).join(" ");
+ return csp_list.map(words => `${words.join(" ")};`).join(" ");
}
function decide_policy(patterns_tree, url, default_allow, secret)
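Review bot: `'unsafe-eval'` is now appended to `script-src` on every call, including the no-nonce call behind `fallback_policy`, so the blocking policy becomes `script-src 'none' 'unsafe-eval'`. `'none'` is only honoured when it is the sole source expression, so browsers drop it there (usually with a console warning) and what remains is a directive that permits string evaluation. If eval is only needed on pages that are allowed to run nonce-bearing scripts, build the entry conditionally, e.g. `["script-src", rule, ...(nonce ? ["'unsafe-eval'"] : [])]`. The doc comment above `make_csp` (it starts outside this hunk) still says the rule either blocks all scripts or allows only nonce-bearing ones; it should state that eval is permitted and why.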
@@ -113,3 +112,33 @@ function decide_policy(patterns_tree, url, default_allow, secret)
#EXPORT decide_policy
#EXPORT () => ({allow: false, csp: make_csp()}) AS fallback_policy
+
+#IF NEVER
+
+/*
+ * Note: the functions below were overeagerly written and are not used now but
+ * might prove useful to once we add more functionalities and are hence kept...
+ */
+
+function relaxed_csp_eval(csp) {
+ const new_csp_list = [];
+
+ for (const directive of csp.split(";")) {
+ const directive_words = directive.trim().split(" ");
+ if (directive_words[0] === "script-src")
+ directive_words.push("'unsafe-eval'");
+
+ new_csp_list.push(directive_words);
+ }
+
+ new_policy.csp = new_csp_list.map(d => `${d.join(" ")}';`).join(" ");
+}
+
+function relax_policy_eval(policy) {
+ const new_policy = Object.assign({}, policy);
+
+ return Object.assign(new_policy, {csp: relaxed_csp_eval(policy.csp)});
+}
+#EXPORT relax_policy_eval
+
+#ENDIF
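Review bot: `relaxed_csp_eval` cannot work as written: it assigns to `new_policy.csp`, which is not declared in that function, and returns nothing, so `relax_policy_eval` would end up with `csp: undefined` if the assignment did not throw first. The template on that line also leaves a stray `'` before the `;`, and splitting a policy that ends in `;` produces a trailing empty directive that gets re-emitted. Nothing runs this code while it sits behind `#IF NEVER`, but it would break the generated CSP as soon as it is enabled; make the last statement a `return` of the joined string without the extra quote, and add `if (directive_words[0] === "") continue;` at the top of the loop. With `make_csp` already emitting `'unsafe-eval'` in this commit, the helper would also append it a second time.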