From 5a60d58d247fe90ea6ff30e6789c09d5c892d80b Mon Sep 17 00:00:00 2001
From: hackademix <giorgio@maone.net>
Date: Tue, 17 Jul 2018 12:10:17 +0200
Subject: [PATCH] Prevent script injection from messing with
 content-disposition=attachment responses.

---
 src/bg/RequestUtil.js      | 26 +++++++++++++++-----------
 src/lib/ContentMetaData.js |  2 +-
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/bg/RequestUtil.js b/src/bg/RequestUtil.js
index 2cd15c2..234ca4a 100644
--- a/src/bg/RequestUtil.js
+++ b/src/bg/RequestUtil.js
@@ -57,6 +57,21 @@
       let {requestId, url, tabId, frameId, statusCode} = request;
 
       if (statusCode >= 300 && statusCode < 400) return;
+      if (frameId === 0) {
+        let key = tabKey(tabId, url);
+        debug("Checking whether %s is a reloading tab...", key);
+        if (reloadingTabs.get(key)) {
+          reloadingTabs.set(key, false); // doom it for removal in cleanup
+          return;
+        }
+      }
+      let content = this.getContentMetaData(request);
+      if (content.disposition) {
+        debug("Skipping execute on start of %s %o", url, content);
+        return;
+      }
+      debug("Injecting script on start in %s (%o)", url, content);
+
       let scripts = pendingRequests.get(requestId);
       let scriptKey = JSON.stringify(details);
       if (!scripts) {
@@ -67,17 +82,6 @@
         return;
       }
 
-      if (frameId === 0) {
-        let key = tabKey(tabId, url);
-        debug("Checking whether %s is a reloading tab...", key);
-        if (reloadingTabs.get(key)) {
-          reloadingTabs.set(key, false); // doom it for removal in cleanup
-          return;
-        }
-      }
-
-      let content = this.getContentMetaData(request);
-      debug(url, content.type, content.charset);
       if (xmlFeedOrImage.test(content.type) && !/\/svg\b/i.test(content.type)) return;
       if (typeof brokenOnLoad === "undefined") {
         brokenOnLoad = await (async () => parseInt((await browser.runtime.getBrowserInfo()).version) < 61)();
diff --git a/src/lib/ContentMetaData.js b/src/lib/ContentMetaData.js
index da335ad..002a212 100644
--- a/src/lib/ContentMetaData.js
+++ b/src/lib/ContentMetaData.js
@@ -4,7 +4,7 @@ class ContentMetaData {
     let {responseHeaders} = request;
     for (let h of responseHeaders) {
       if (/^\s*Content-(Type|Disposition)\s*$/i.test(h.name)) {
-        this[h.name.split("-")[1].trim().toLowerCase()] = h.value;
+        this[RegExp.$1.toLowerCase()] = h.value;
       }
     }
   }