Unified Diff: inject.preload.js
Issue 29590611:
Issue 5953 - Bypass site CSP for script injection in Firefox (Closed)
Patch Set: Add comment
Created Nov. 6, 2017, 2:59 p.m.
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« no previous file
|
no next file »
|
no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| Index: inject.preload.js |
| =================================================================== |
| --- a/inject.preload.js |
| +++ b/inject.preload.js |
| @@ -393,13 +393,18 @@ if (document instanceof HTMLDocument) |
| let sandbox = window.frameElement && |
| window.frameElement.getAttribute("sandbox"); |
| if (typeof sandbox != "string" || /(^|\s)allow-scripts(\s|$)/i.test(sandbox)) |
| { |
| let script = document.createElement("script"); |
| script.type = "application/javascript"; |
| script.async = false; |
| - script.textContent = "(" + injected + ")('" + randomEventName + "');"; |
| + // Firefox 58 only bypasses site CSPs when assigning to 'src'. |
| + let url = URL.createObjectURL(new Blob([ |
| + "(" + injected + ")('" + randomEventName + "');" |
| + ])); |
| + script.src = url; |
| document.documentElement.appendChild(script); |
| document.documentElement.removeChild(script); |
| + URL.revokeObjectURL(url); |
| } |
| } |
« no previous file with comments
|
« no previous file
|
no next file »
|
no next file with comments »
