From 82118cb075732549289d3accb8cf3ea6d9f9d9fc Mon Sep 17 00:00:00 2001
From: Chris
Date: Wed, 22 Apr 2015 19:32:54 -0600
Subject: [PATCH] Safari: inline-script blocking!
---
 platform/safari/vapi-background.js | 9 +++++----
 platform/safari/vapi-client.js | 9 ++++++++-
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/platform/safari/vapi-background.js b/platform/safari/vapi-background.js
index 2c311d339..c63ebe8d6 100644
--- a/platform/safari/vapi-background.js
+++ b/platform/safari/vapi-background.js
@@ -700,10 +700,10 @@ // Until Safari has more specific events, those are instead handled // in the onBeforeRequestAdapter; clean them up so they're garbage-collected vAPI.net.onBeforeSendHeaders = null; - vAPI.net.onHeadersReceived = null; var onBeforeRequest = vAPI.net.onBeforeRequest, onBeforeRequestClient = onBeforeRequest.callback, + onHeadersReceivedClient = vAPI.net.onHeadersReceived.callback, blockableTypes = onBeforeRequest.types; var onBeforeRequestAdapter = function(e) {
@@ -719,9 +719,10 @@ }); e.message.hostname = µb.URI.hostnameFromURI(e.message.url); e.message.tabId = vAPI.tabs.getTabId(e.target); - var blockVerdict = onBeforeRequestClient(e.message); - if(blockVerdict && blockVerdict.redirectUrl) { - e.target.url = blockVerdict.redirectUrl; + e.message.responseHeaders = []; + onBeforeRequestClient(e.message); + var blockVerdict = onHeadersReceivedClient(e.message); + if(blockVerdict && blockVerdict.responseHeaders) { e.message = false; } else {
diff --git a/platform/safari/vapi-client.js b/platform/safari/vapi-client.js
index 085e5ce03..c02270014 100644
--- a/platform/safari/vapi-client.js
+++ b/platform/safari/vapi-client.js
@@ -174,8 +174,9 @@ } // Inform that we've navigated + var shouldBlockScript = false; if(frameId === 0) { - safari.self.tab.canLoad(beforeLoadEvent, { + shouldBlockScript = !safari.self.tab.canLoad(beforeLoadEvent, { url: location.href, type: "main_frame" });
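Review bot: The comment at the top of the first vapi-background.js hunk (@@ -700) still says the handlers are cleaned up so they can be garbage-collected, but only `vAPI.net.onBeforeSendHeaders` is nulled now, and `vAPI.net.onHeadersReceived.callback` is read unconditionally. Update the comment, for example `// onHeadersReceived is kept: its callback is invoked from onBeforeRequestAdapter`. Consider guarding the read if the client may not have registered that listener, which cannot be confirmed from the hunk.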
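Review bot: In the second vapi-background.js hunk (@@ -719) the return value of `onBeforeRequestClient(e.message)` is now discarded, so a verdict carrying `redirectUrl` no longer sets `e.target.url` as the removed lines did. Unless that case is handled outside the hunk, a navigation the filter wanted redirected will simply proceed. Keep the result and its check ahead of the header call: `var verdict = onBeforeRequestClient(e.message);` followed by `if(verdict && verdict.redirectUrl) { e.target.url = verdict.redirectUrl; }`. A short comment that `e.message = false` now tells the client to block inline scripts would also help, since the client negates this reply. The adapter function starts above and ends below the hunk.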
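Review bot: In the first vapi-client.js hunk (@@ -174), `shouldBlockScript` is derived by negating the synchronous `canLoad` reply, so any falsy reply counts as "block inline scripts", not only an explicit `false`. Whether `canLoad` can return `undefined` or `null` here is not visible, so this is worth confirming. Comparing explicitly, `shouldBlockScript = safari.self.tab.canLoad(beforeLoadEvent, {...}) === false;`, keeps the decision tied to the background's verdict. The flag is also only set under `if(frameId === 0)`, so subframes never get the policy through this path; if that is intended, a comment saying so would help. The enclosing function starts above the hunk.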
@@ -225,6 +226,12 @@ var firstMutation = function() { document.removeEventListener("DOMContentLoaded", firstMutation, true); firstMutation = false; + if(shouldBlockScript) { + var meta = document.createElement('meta'); + meta.setAttribute("http-equiv", "content-security-policy"); + meta.setAttribute("content", "script-src 'unsafe-eval' *"); + } + document.documentElement.insertBefore(meta, document.documentElement.firstChild); document.addEventListener(vAPI.sessionId, function(e) { if(shouldBlockDetailedRequest(e.detail)) { e.detail.url = false;
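Review bot: In the second vapi-client.js hunk, `document.documentElement.insertBefore(meta, document.documentElement.firstChild);` sits after the closing brace of `if(shouldBlockScript)`. When blocking is off, `meta` is still `undefined` and the call throws, which would stop the rest of `firstMutation` (the `vAPI.sessionId` listener registration) from running. Move that line inside the `if` block. Two further limits are worth a comment: a policy delivered by a `meta` element only applies to scripts parsed after it is inserted, and the current HTML specification only honours such an element when it is a child of `head`, so `document.head` is the safer target if it exists at this point. `firstMutation` continues past the end of the hunk.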