Diffstat (limited to 'content/main.js')
-rw-r--r--content/main.js32
1 files changed, 28 insertions, 4 deletions
diff --git a/content/main.js b/content/main.js
index c7f57bb..507a740 100644
--- a/content/main.js
+++ b/content/main.js
@@ -25,6 +25,8 @@
let url = url_item(document.URL);
let unique = gen_unique(url);
+ let nonce = unique.substring(1);
+
var block = true;
if (first_target !== undefined &&
first_target === unique) {
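Review bot: The new `nonce` is derived from `unique`, which comes from `gen_unique(url)` and is also compared with `first_target` a few lines below, so the CSP nonce appears to be a function of the page URL rather than a fresh random value. A nonce only restricts scripts if the page cannot learn or predict it; `gen_unique` is not visible in this hunk, so please confirm it mixes in a secret the page never sees. The reason for dropping the first character with `substring(1)` is not stated either. A comment such as `/* CSP nonce: 'unique' minus its leading marker character; must stay unguessable to page content */` would record both assumptions.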
@@ -47,10 +49,20 @@
}
for (let mutation of mutations) {
for (let node of mutation.addedNodes) {
- if (node.tagName === "SCRIPT")
+ /*
+ * Modifying <script> element doesn't always prevent its
+ * execution in some Mozilla browsers. Additional blocking
+ * through CSP meta tag injection is required.
+ */
+ if (node.tagName === "SCRIPT") {
block_script(node);
- else
- sanitize_attributes(node);
+ continue;
+ }
+
+ sanitize_attributes(node);
+
+ if (node.tagName === "HEAD")
+ inject_csp(node);
}
}
}
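Review bot: `inject_csp(node)` only runs when a `HEAD` element shows up in `mutation.addedNodes`, so a document whose head already exists when the observer starts gets no CSP at all, and neither does one where a script node is delivered before the head. The new comment says the `<script>` rewrite alone is not reliable in some Mozilla browsers, which makes that gap matter. If the observer setup (outside this hunk) can run after parsing has begun, a fallback such as `if (document.head) inject_csp(document.head);` before observing would close it. It is also not visible here whether this path is gated on `block`; if it is not, the policy is injected even on pages that are meant to be allowed.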
@@ -68,6 +80,18 @@
node.setAttribute("type", "application/json");
}
+ function inject_csp(node)
+ {
+ console.log('injecting CSP');
+ let meta = document.createElement("meta");
+ meta.setAttribute("http-equiv", "Content-Security-Policy");
+ meta.setAttribute("content", `\
+script-src 'nonce-${nonce}'; \
+script-src-elem 'nonce-${nonce}';\
+`);
+ node.appendChild(meta);
+ }
+
function sanitize_attributes(node)
{
if (node.attributes === undefined)
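Review bot: The nonce is written into the `content` attribute of a `<meta>` element that stays in the DOM, so it is readable by any script that does manage to run, unlike the `nonce` attribute on `<script>` elements, which browsers hide. A policy delivered by a meta tag stays in force after the element is removed, so `node.appendChild(meta); meta.remove();` would keep the restriction without leaving the value readable; this is worth verifying in the targeted browsers. `console.log('injecting CSP');` looks like leftover debugging and will print on every page. The function also lacks a comment saying that a meta-delivered policy only affects content inserted after it, and that `nonce` must contain no whitespace, quote or `;` characters.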
@@ -99,5 +123,5 @@
});
}
- handle_page_actions();
+ handle_page_actions(nonce);
})();