[Bug-librejs] LibreJS comments conflict with Content Security Policy


From: Tyler Swagar
Subject: [Bug-librejs] LibreJS comments conflict with Content Security Policy
Date: Sat, 5 Jan 2019 15:29:03 -0800

Hello.  I don't know if anyone else has brought this up.  My searching didn't 
bring up any duplicates, anyhow.  As a recent convert to GNU IceCat, I've 
noticed that when LibreJS recognizes a magnet link to a license on an inline 
script, it dynamically inserts a JavaScript comment to the top that says 
"LibreJS: script accepted".  The problem is if the site's Content Security 
Policy only whitelists one or more inline scripts to prevent XSS attacks, this 
causes the checksum to fail and the script to be blocked by the CSP, leaving a 
webmaster with the decision to make the site either secure or free.  Is it 
possible to move the "script accepted" message elsewhere?  Maybe a console.log 
if WebExtensions allow for that without inserting it into the site's code, or 
an HTML comment above the script tag perhaps.

Thank you

Attachment: pgpePvu50aaBu.pgp
Description: OpenPGP digital signature
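
The conflict reported above, as an added Node.js example that is not part of the original message or of LibreJS: a simplified CSP hash-source check showing that a prepended comment changes an inline script's digest, so the listed hash no longer matches. The sample script, the placeholder magnet link, the policy and the exact comment text are constructed assumptions.

```javascript
const nodeCrypto = require("crypto");

// CSP hash-source for an inline script: base64 of the SHA-256 digest of the
// exact text between <script> and </script>, byte for byte.
function cspHash(scriptText) {
  const digest = nodeCrypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Return the source list that governs scripts: script-src, else default-src.
// As in CSP, the first occurrence of a directive wins.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get("script-src") || directives.get("default-src") || [];
}

// Simplified model: only sha256 hash-sources are considered (nonces,
// 'unsafe-inline' and sha384/sha512 are ignored for this demonstration).
function inlineScriptAllowed(policy, scriptText) {
  return scriptSources(policy).includes(cspHash(scriptText));
}

// Constructed inline script with a placeholder license magnet link.
const original =
  "// @license magnet:?xt=urn:btih:PLACEHOLDER GPL-3.0\n" +
  'console.log("hello");\n' +
  "// @license-end\n";

// Constructed policy that allows exactly this one inline script by hash.
const policy = `default-src 'self'; script-src 'self' ${cspHash(original)}`;

// Assumed form of the rewritten script: the report only says a comment
// reading "LibreJS: script accepted" is inserted at the top.
const rewritten = "/* LibreJS: script accepted */\n" + original;

function demo() {
  return {
    original: inlineScriptAllowed(policy, original),
    rewritten: inlineScriptAllowed(policy, rewritten),
  };
}

console.log(demo());
```

Any change to the script text, including whitespace, produces a different digest, which is why a notice placed outside the script element's text would leave the hash intact.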

