From ec2a46a571bd7b191cdf29b2f5eb63aab0067896 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Thu, 1 Oct 2020 23:31:43 +0200
Subject: [PATCH] Enforce more restrictive CSP on media/object documents.
---
 src/bg/ReportingCSP.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
index cf7f97b..c9d1b43 100644
--- a/src/bg/ReportingCSP.js
+++ b/src/bg/ReportingCSP.js
@@ -2,18 +2,23 @@
 
 function ReportingCSP(marker, reportURI = "") {
 const DOM_SUPPORTED = "SecurityPolicyViolationEvent" in window;
-
+
 if (DOM_SUPPORTED) reportURI = "";
-
+
 return Object.assign(
- new CapsCSP(new NetCSP(
+ new CapsCSP(new NetCSP(
 reportURI ? `report-uri ${reportURI}` : marker
 )),
 {
 reportURI,
 patchHeaders(responseHeaders, capabilities) {
 let header = null;
- let blocker = capabilities && this.buildFromCapabilities(capabilities);
+ let blocker;
+ if (capabilities) {
+ let contentType = responseHeaders.filter(h => h.name.toLowerCase() === "content-type");
+ let blockHTTP = contentType.lentgh === 0 || contentType.some(h => !/^(?:text|application)\/\S*\b(?:x?ht|x)ml\b/i.test(h.name));
+ blocker = this.buildFromCapabilities(capabilities, blockHTTP);
+ }
 let extras = [];
 responseHeaders.forEach((h, index) => {
 if (this.isMine(h)) {
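Review bot: In the added `blockHTTP` line inside `patchHeaders`, `contentType.lentgh` is a misspelling of `length`, so that operand is always `undefined === 0` (false); because `some()` on an empty array is also false, a response with no Content-Type header never gets the stricter policy. The same line runs the regex against `h.name`, which the preceding filter has already fixed to `content-type` and which can never match `^(?:text|application)\/…`, so `blockHTTP` is true for every response that does carry the header, HTML and XML documents included. Suggested replacement: `let blockHTTP = contentType.length === 0 || contentType.some(h => !/^(?:text|application)\/\S*\b(?:x?ht|x)ml\b/i.test(h.value));`. `patchHeaders` continues past the end of the hunk, and how `buildFromCapabilities` uses its second argument is not visible here, so the effect of both errors on the emitted CSP should be confirmed against that function.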