fix #2360

src/js/traffic.js

@@ -443,17 +443,22 @@ var processCSP = function(pageStore, details) {
         blockInlineScript = µb.isBlockResult(inlineScriptResult);
     }
 
-    context.requestType = 'websocket';
     µb.staticNetFilteringEngine.matchStringExactType(context, requestURL, 'websocket');
     var websocketResult = µb.staticNetFilteringEngine.toResultString(loggerEnabled),
         blockWebsocket = µb.isBlockResult(websocketResult);
 
+    // https://github.com/gorhill/uBlock/issues/2360
+    µb.staticNetFilteringEngine.matchStringExactType(context, 'blob:', 'script');
+    var workerResult = µb.staticNetFilteringEngine.toResultString(loggerEnabled),
+        blockWorker = µb.isBlockResult(workerResult);
+
     var headersChanged;
-    if ( blockInlineScript || blockWebsocket ) {
+    if ( blockInlineScript || blockWebsocket || blockWorker ) {
         headersChanged = foilWithCSP(
             details.responseHeaders,
             blockInlineScript,
-            blockWebsocket
+            blockWebsocket,
+            blockWorker
         );
     }
 
@@ -480,6 +485,17 @@ var processCSP = function(pageStore, details) {
                 context.pageHostname
             );
         }
+        if ( workerResult !== '' ) {
+            µb.logger.writeOne(
+                tabId,
+                'net',
+                workerResult,
+                'worker',
+                requestURL,
+                context.rootHostname,
+                context.pageHostname
+            );
+        }
     }
 
     context.dispose();
@@ -524,26 +540,38 @@ var foilLargeMediaElement = function(pageStore, details) {
 
 /******************************************************************************/
 
-var foilWithCSP = function(headers, noInlineScript, noWebsocket) {
-    var i = headerIndexFromName('content-security-policy', headers),
+var foilWithCSP = function(headers, noInlineScript, noWebsocket, noWorker) {
+    var me = foilWithCSP,
+        i = headerIndexFromName('content-security-policy', headers),
         before = i === -1 ? '' : headers[i].value.trim(),
         after = before;
 
     if ( noInlineScript ) {
         after = foilWithCSPDirective(
             after,
-            /script-src[^;]*;?\s*/,
+            me.reScriptSrc,
             "script-src 'unsafe-eval' *",
-            /'unsafe-inline'\s*|'nonce-[^']+'\s*/g
+            me.reScriptSrcRemove
         );
     }
 
     if ( noWebsocket ) {
         after = foilWithCSPDirective(
             after,
-            /connect-src[^;]*;?\s*/,
+            me.reConnectSrc,
             'connect-src http:',
-            /wss?:[^\s]*\s*/g
+            me.reConnectSrcRemove
+        );
+    }
+
+    // https://www.w3.org/TR/CSP2/#directive-child-src
+    // https://www.w3.org/TR/CSP3/#directive-worker-src
+    if ( noWorker ) {
+        after = foilWithCSPDirective(
+            after,
+            me.reWorkerSrc,
+            'child-src http:',
+            me.reWorkerSrcRemove
         );
     }
 
@@ -556,9 +584,9 @@ var foilWithCSP = function(headers, noInlineScript, noWebsocket) {
         // https://w3c.github.io/webappsec-csp/#directive-frame-src
         after = foilWithCSPDirective(
             after,
-            /frame-src[^;]*;?\s*/,
+            me.reFrameSrc,
             'frame-src http:',
-            /data:[^\s]*\s*|blob:[^\s]*\s*/g
+            me.reFrameSrcRemove
         );
     }
 
@@ -573,6 +601,18 @@ var foilWithCSP = function(headers, noInlineScript, noWebsocket) {
     return changed;
 };
 
+(function() {
+    var fn = foilWithCSP;
+    fn.reScriptSrc = /script-src[^;]*;?\s*/;
+    fn.reScriptSrcRemove = /'unsafe-inline'\s*|'nonce-[^']+'\s*/g;
+    fn.reConnectSrc = /connect-src[^;]*;?\s*/;
+    fn.reConnectSrcRemove = /wss?:[^\s]*\s*/g;
+    fn.reWorkerSrc = /child-src[^;]*;?\s*/;
+    fn.reWorkerSrcRemove = /blob:[^\s]*\s*/g;
+    fn.reFrameSrc = /frame-src[^;]*;?\s*/;
+    fn.reFrameSrcRemove = /data:[^\s]*\s*|blob:[^\s]*\s*/g;
+})();
+
 /******************************************************************************/
 
 // Past issues to keep in mind: