From dfe18111b9b65293bf6fe2e6a102959b3719ff61 Mon Sep 17 00:00:00 2001
From: gorhill <rhill@raymondhill.net>
Date: Mon, 11 Sep 2017 09:53:42 -0400
Subject: [PATCH] fix #1539

---
 src/js/pagestore.js |  6 ++++--
 src/js/traffic.js   | 33 ++++++++++++++++++++++++++-------
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/src/js/pagestore.js b/src/js/pagestore.js
index 3689748a0..ea3a42816 100644
--- a/src/js/pagestore.js
+++ b/src/js/pagestore.js
@@ -598,8 +598,10 @@ PageStore.prototype.filterRequest = function(context) {
         }
     }
 
-    if ( requestType === 'font' ) {
-        this.remoteFontCount += 1;
+    if ( requestType.endsWith('font') ) {
+        if ( requestType === 'font' ) {
+            this.remoteFontCount += 1;
+        }
         if ( µb.hnSwitches.evaluateZ('no-remote-fonts', context.rootHostname) !== false ) {
             if ( µb.logger.isEnabled() ) {
                 this.logData = µb.hnSwitches.toLogData();
diff --git a/src/js/traffic.js b/src/js/traffic.js
index 6467c0ea6..9519502d2 100644
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@@ -443,20 +443,17 @@ var injectCSP = function(pageStore, details) {
     if ( details.type !== 'main_frame' ) {
         context.pageHostname = context.pageDomain = context.requestHostname;
     }
+    context.requestURL = requestURL;
 
     // Start collecting policies >>>>>>>>
 
     // ======== built-in policies
 
+    var builtinDirectives = [];
+
     context.requestType = 'inline-script';
-    context.requestURL = requestURL;
     if ( pageStore.filterRequest(context) === 1 ) {
-        cspSubsets[0] = "script-src 'unsafe-eval' * blob: data:";
-        // https://bugs.chromium.org/p/chromium/issues/detail?id=669086
-        // TODO: remove when most users are beyond Chromium v56
-        if ( vAPI.chromiumVersion < 57 ) {
-            cspSubsets[0] += '; frame-src *';
-        }
+        builtinDirectives.push("script-src 'unsafe-eval' * blob: data:");
     }
     if ( loggerEnabled === true ) {
         logger.writeOne(
@@ -470,6 +467,28 @@ var injectCSP = function(pageStore, details) {
         );
     }
 
+    // https://github.com/gorhill/uBlock/issues/1539
+    // - Use a CSP to also forbid inline fonts if remote fonts are blocked.
+    context.requestType = 'inline-font';
+    if ( pageStore.filterRequest(context) === 1 ) {
+        builtinDirectives.push('font-src *');
+        if ( loggerEnabled === true ) {
+            logger.writeOne(
+                tabId,
+                'net',
+                pageStore.logData,
+                'inline-font',
+                requestURL,
+                context.rootHostname,
+                context.pageHostname
+            );
+        }
+    }
+
+    if ( builtinDirectives.length !== 0 ) {
+        cspSubsets[0] = builtinDirectives.join('; ');
+    }
+
     // ======== filter-based policies
 
     // Static filtering.