From a86e802afc1f5623f61981fdd45e0d54d583688e Mon Sep 17 00:00:00 2001
From: Raymond Hill <rhill@raymondhill.net>
Date: Thu, 5 Dec 2024 09:04:31 -0500
Subject: [PATCH] Add advanced setting `noScriptingCSP`

Related discussion:
https://github.com/uBlockOrigin/uBlock-issues/issues/2642#issuecomment-2520096503

Specify which CSP directive to inject when no-scripting switch is
toggled on. If this hidden setting is changed, uBO will not try
to spoof `noscript` elements.

For internal use at the moment, not to be documented.
---
 src/js/background.js | 2 +-
 src/js/messaging.js  | 5 ++++-
 src/js/traffic.js    | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/js/background.js b/src/js/background.js
index fa7e3f2e7..01fd3b5d6 100644
--- a/src/js/background.js
+++ b/src/js/background.js
@@ -73,6 +73,7 @@ const hiddenSettingsDefault = {
     loggerPopupType: 'popup',
     manualUpdateAssetFetchPeriod: 500,
     modifyWebextFlavor: 'unset',
+    noScriptingCSP: 'script-src http: https:',
     popupFontSize: 'unset',
     popupPanelDisabledSections: 0,
     popupPanelHeightMode: 0,
@@ -254,7 +255,6 @@ const µBlock = {  // jshint ignore:line
     scriptlets: {},
 
     cspNoInlineScript: "script-src 'unsafe-eval' * blob: data:",
-    cspNoScripting: 'script-src http: https:',
     cspNoInlineFont: 'font-src *',
 
     liveBlockingProfiles: [],
diff --git a/src/js/messaging.js b/src/js/messaging.js
index d35a1347e..16d527c60 100644
--- a/src/js/messaging.js
+++ b/src/js/messaging.js
@@ -804,6 +804,9 @@ const onMessage = function(request, sender, callback) {
 
     case 'shouldRenderNoscriptTags': {
         if ( pageStore === null ) { break; }
+        if ( µb.hiddenSettings.noScriptingCSP !== µb.hiddenSettingsDefault.noScriptingCSP ) {
+            break;
+        }
         const fctxt = µb.filteringContext.fromTabId(sender.tabId);
         if ( pageStore.filterScripting(fctxt, undefined) ) {
             vAPI.tabs.executeScript(sender.tabId, {
@@ -2009,7 +2012,7 @@ const logCSPViolations = function(pageStore, request) {
         fctxt.type = 'script';
         fctxt.filter = undefined;
         if ( pageStore.filterScripting(fctxt, true) === 1 ) {
-            cspData.set(µb.cspNoScripting, fctxt.filter);
+            cspData.set(µb.hiddenSettings.noScriptingCSP, fctxt.filter);
         }
     
         fctxt.type = 'inline-font';
diff --git a/src/js/traffic.js b/src/js/traffic.js
index 894554a80..df3b09714 100644
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@@ -969,7 +969,7 @@ const injectCSP = function(fctxt, pageStore, responseHeaders) {
     const builtinDirectives = [];
 
     if ( pageStore.filterScripting(fctxt, true) === 1 ) {
-        builtinDirectives.push(µb.cspNoScripting);
+        builtinDirectives.push(µb.hiddenSettings.noScriptingCSP);
         if ( logger.enabled ) {
             fctxt.setRealm('network').setType('scripting').toLogger();
         }