[Bug-librejs] LibreJS comments conflict with Content Security Policy
From: Tyler Swagar
Subject: [Bug-librejs] LibreJS comments conflict with Content Security Policy
Date: Sat, 5 Jan 2019 15:29:03 -0800
Hello. I don't know if anyone else has brought this up. My searching didn't
bring up any duplicates, anyhow. As a recent convert to GNU IceCat, I've
noticed that when LibreJS recognizes a magnet link to a license on an inline
script, it dynamically inserts a JavaScript comment to the top that says
"LibreJS: script accepted". The problem is if the site's Content Security
Policy only whitelists one or more inline scripts to prevent XSS attacks, this
causes the checksum to fail and the script to be blocked by the CSP, leaving a
webmaster with the decision to make the site either secure or free. Is it
possible to move the "script accepted" message elsewhere? Maybe a console.log
if WebExtensions allow for that without inserting it into the site's code, or
an HTML comment above the script tag perhaps.
Thank you
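The conflict reported above, as an added example that is not part of the original message or of LibreJS: a Node.js sketch that computes the CSP hash source for an inline script and checks it against a policy, before and after a comment is prepended to the script text. The script body, the placeholder magnet URI, the exact form of the inserted comment and all function names are assumptions made for illustration.

```javascript
// Added example: CSP hash-source matching for inline scripts (Node.js).
const { createHash } = require('node:crypto');

// CSP hashes the exact text between <script> and </script>, UTF-8 encoded.
function cspHash(scriptText, algo = 'sha256') {
  return `${algo}-${createHash(algo).update(scriptText, 'utf8').digest('base64')}`;
}

// Collect the hash sources from script-src (falling back to default-src).
// Only the first occurrence of a directive counts, as in CSP itself.
function hashSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? [];
  return sources
    .map((s) => /^'(sha(?:256|384|512))-([A-Za-z0-9+\/]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], value: `${m[1]}-${m[2]}` }));
}

// True when some hash source in the policy matches this exact script text.
function inlineScriptAllowed(policy, scriptText) {
  return hashSources(policy).some((h) => cspHash(scriptText, h.algo) === h.value);
}

// Constructed inline script; the magnet URI is a placeholder, not a real license link.
const served = [
  '',
  '// @license magnet:?xt=urn:btih:PLACEHOLDER Example-License',
  'document.title = "hello";',
  '// @license-end',
  '',
].join('\n');

// Assumed form of the inserted comment; the report only quotes its wording.
const rewritten = '/* LibreJS: script accepted */\n' + served;

// Policy as the webmaster would publish it, computed from the served bytes.
const policy = `default-src 'self'; script-src 'self' '${cspHash(served)}'`;

console.log('served   ', cspHash(served), inlineScriptAllowed(policy, served));
console.log('rewritten', cspHash(rewritten), inlineScriptAllowed(policy, rewritten));
```

Because the digest covers every byte of the element's text, any change to the script text made before the browser evaluates the policy, including one that only adds a comment, produces a different hash source.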