Diffstat (limited to 'content/main.js')
-rw-r--r--content/main.js21
1 files changed, 17 insertions, 4 deletions
diff --git a/content/main.js b/content/main.js
index 9acf749..3204a8a 100644
--- a/content/main.js
+++ b/content/main.js
@@ -2,15 +2,18 @@
* Myext main content script run in all frames
*
* Copyright (C) 2021 Wojtek Kosior
+ * Copyright (C) 2021 jahoti
* Redistribution terms are gathered in the `copyright' file.
*/
/*
* IMPORTS_START
+ * IMPORT CONNECTION_TYPE
* IMPORT handle_page_actions
* IMPORT url_item
* IMPORT url_extract_target
* IMPORT gen_unique
+ * IMPORT gen_nonce
* IMPORT csp_rule
* IMPORT is_privileged_url
* IMPORT sanitize_attributes
@@ -113,7 +116,7 @@ function inject_csp(head)
let meta = document.createElement("meta");
meta.setAttribute("http-equiv", "Content-Security-Policy");
- meta.setAttribute("content", csp_rule(unique));
+ meta.setAttribute("content", csp_rule(nonce));
if (head.firstElementChild === null)
head.appendChild(meta);
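Review bot: `csp_rule(nonce)` reads the outer `nonce` that the later hunk declares with `var` and assigns only in its final `else` branch; in the HTTP branch the value received over the port goes straight to `handle_page_actions(msg[1], port)` and is never stored, and in the whitelisted branch it stays unset. If `inject_csp` can run on either of those paths, the meta policy would be built from `undefined`, which presumably gives a fixed, guessable nonce instead of a per-page secret. The call sites of `inject_csp` are outside this hunk, so this needs confirming. Passing the value explicitly, for example `function inject_csp(head, nonce)`, or at least a comment such as `/* nonce is only set on the non-HTTP, non-whitelisted path */`, would make the assumption visible.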
@@ -123,13 +126,23 @@ function inject_csp(head)
if (!is_privileged_url(document.URL)) {
start_activity_info_server();
- handle_page_actions(unique);
+ var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
if (is_http()) {
- /* rely on CSP injected through webRequest */
+ /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */
+ const nonce_capturer = msg => {
+ port.onMessage.removeListener(nonce_capturer);
+ handle_page_actions(msg[1], port);
+ };
+
+ port.onMessage.addListener(nonce_capturer);
+
} else if (is_whitelisted()) {
- /* do not block scripts at all */
+ /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */
+ handle_page_actions(null, port);
} else {
+ nonce = gen_nonce();
+ handle_page_actions(nonce, port);
block_nodes_recursively(document.documentElement);
if (is_chrome) {
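Review bot: `nonce_capturer` treats whatever arrives first on the port as the nonce message: it removes itself and calls `handle_page_actions(msg[1], port)` without looking at `msg[0]` or the type of `msg[1]`. If the background side ever sends a different or malformed message first, page actions would be set up with the wrong value and the listener is already detached. A shape check before detaching, e.g. `if (!Array.isArray(msg) || typeof msg[1] !== "string") return;`, keeps the listener until a usable nonce arrives; the expected message tag is not visible here, so a check on `msg[0]` should be added by whoever knows it. As a style point, `var nonce, port` inside the `if` block hoists both names to script scope, and declaring them before the block would state that sharing with `inject_csp` is intended. The `if (is_chrome)` body continues outside the hunk.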