From 7ee7889ae8f1473474254553ec3b3469fb0a935b Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Fri, 18 Jun 2021 11:45:01 +0200 Subject: when possible inject CSP as http(s) header using webRequest instead of adding a tag --- TODOS.org | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'TODOS.org') diff --git a/TODOS.org b/TODOS.org index 50a96a8..f53efbe 100644 --- a/TODOS.org +++ b/TODOS.org @@ -24,7 +24,7 @@ TODO: - test with more browser forks (Abrowser, Parabola IceWeasel, LibreWolf) - also see if browsers based on pre-quantum FF support enough of WebExtensions for easy porting -- make sure page's own csp doesn't block our scripts +- make sure page's own csp in doesn't block our scripts - make blocking more torough -- CRUCIAL - mind the data: urls -- CRUCIAL - find out how and make it possible to whitelist non-https urls and @@ -39,8 +39,13 @@ TODO: - all solutions to modularize js code SUCK; come up with own simple DSL to manage imports/exports - perform never-ending refactoring of already-written code -- when redirecting to target, make it possible to smartly recognize - and remove previous added target +- also implement support for whitelisting of non-https urls +- validate data entered in settings +- stop always using the same script nonce on given https(s) site (this + improvement seems to be unachievable in case of other protocols) +- besides blocking scripts through csp, also block connections that needlessly + fetch those scripts +- make extension's all html files proper XHTML DONE: - make it possible to use wildcard urls in settings -- DONE 2021-05-14 -- cgit v1.2.3
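Review bot: In the first hunk (@@ -24,7 +24,7 @@), the added line "make sure page's own csp in doesn't block our scripts" has a dangling "in" with no object, so the item no longer says which CSP location it is about. Name the location that was meant after "in", or keep the previous wording if no distinction is intended. While this block is being touched, the context line "make blocking more torough" could also get its spelling fixed ("thorough").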
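Review bot: In the second hunk (@@ -39,8 +39,13 @@), the added item "stop always using the same script nonce on given https(s) site" records a security-relevant weakness but carries no priority marker, unlike the "-- CRUCIAL" items in the first hunk. A nonce that stays constant per site is predictable to the very page it is meant to restrict, so consider tagging the item CRUCIAL. "https(s)" also looks like a typo for "http(s)", the form the subject line uses. Separately, "also implement support for whitelisting of non-https urls" overlaps the existing item "find out how and make it possible to whitelist non-https urls and" visible in the first hunk, and the removed item beginning "when redirecting to target" is dropped without a matching DONE entry. Merge the duplicate, and say in the commit message whether the removed task is finished or obsolete.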