Use proper embedding context when evaluating inline-script

Related issue:
- https://github.com/uBlockOrigin/uBlock-issues/issues/422
Raymond Hill 2019-02-15 07:37:43 -05:00
parent acda682153
commit 515b7cdcfc
No known key found for this signature in database
GPG key ID: 25E1490B761470C2


@ -777,14 +777,21 @@ const injectCSP = function(fctxt, pageStore, responseHeaders) {
if ( loggerEnabled ) { if ( loggerEnabled ) {
fctxt.setRealm('network').setType('scripting').toLogger(); fctxt.setRealm('network').setType('scripting').toLogger();
} }
} else { }
fctxt.type = 'inline-script'; // https://github.com/uBlockOrigin/uBlock-issues/issues/422
const result = pageStore.filterRequest(fctxt); // We need to derive a special context for filtering `inline-script`,
// as the embedding document for this "resource" will always be the
// frame itself, not that of the parent of the frame.
else {
const fctxt2 = fctxt.duplicate();
fctxt2.type = 'inline-script';
fctxt2.setDocOriginFromURL(fctxt.url);
const result = pageStore.filterRequest(fctxt2);
if ( result === 1 ) { if ( result === 1 ) {
builtinDirectives.push("script-src 'unsafe-eval' * blob: data:"); builtinDirectives.push("script-src 'unsafe-eval' * blob: data:");
} }
if ( result !== 0 && loggerEnabled ) { if ( result !== 0 && loggerEnabled ) {
fctxt.setRealm('network').toLogger(); fctxt2.setRealm('network').toLogger();
} }
} }
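Review bot: The explanatory comment now sits between the closing `}` of the `if` and the `else {`, which detaches the `else` from its `if` and makes the branch easy to misread or break in a later edit. I would keep `} else {` on one line and move the three comment lines inside the block, directly above `const fctxt2 = fctxt.duplicate();`. The comment could also state the consequence: this result decides whether the `script-src 'unsafe-eval' * blob: data:` directive (which omits `'unsafe-inline'`) is injected, so filtering against the parent's origin applies the wrong document's inline-script rule to the frame. `injectCSP` continues outside the hunk; if later checks there filter other inline resource types against `fctxt`, they presumably need the same derived context, which is worth confirming.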