| Age | Commit message (Collapse) | Author |
|---|
|
The base URL is now included in the settings. The unique value no longer uses
it directly, as it is included by virtue of the settings; however, the number
of full hours since the epoch (UTC) is now incorporated.
|
|
Signatures, instead of consisting of the secure salt followed by the unique
value generated from the URL, are now the unique value generated from the
policy value (which will follow them) succeeded by the URL.
CSP headers are now _always_ cleared on FF, regardless of whether the page
is whitelisted or not. This means whitelisting takes effect on page reload,
rather than only when caching occurs. However, it obviously presents security
issues; refinment will occur in a future commit.
|
|
Increase the power of URL-based smuggling by making it (effectively)
compulsory in all cases and adapting a <salt><unique value><JSON-encoded
settings> structure. While the details still need to be worked out, the
potential for future expansion is there.
|
|
|
|
|
|
|
|
|
|
|
|
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly
blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML
data: urls should be refined (eventually) to align with current practice for
pages in general.
Also, script-blocking is now filtered by nonce, making it possible (albeit
perhaps not desirable) to inject scripts before the DOM is complete.
|
|
|
|
adding a <meta> tag
|
|
|
|
|
|
|
|
|
|
|
