Optimized CSP

lib/dataUrls.js

@@ -15,6 +15,27 @@
 	
 	const logging = require("./logging");
 	const settings = require("./settings");
+	let canMergeHeader = false;
+	browser.runtime.getBrowserInfo().then(function(info){
+		canMergeHeader = parseInt(info.version.replace(/\..+/, ""), 10) > 59;
+	});
+	function setHeader(headers, header){
+		if (canMergeHeader){
+			headers.push(header);
+		}
+		else {
+			const headerName = header.name.toLowerCase();
+			const presentHeader = headers.filter(function(h){
+				return h.name.toLowerCase() === headerName;
+			});
+			if (presentHeader.length){
+				presentHeader[0].value += ", " + header.value;
+			}
+			else {
+				headers.push(header);
+			}
+		}
+	}
 	
 	scope.init = function(){
 		const cspMatch = "blob: filesystem: *";
@@ -23,9 +44,10 @@
 				const headers = details.responseHeaders;
 				if (settings.blockDataURLs){
 					logging.verbose("Adding CSP header to", details);
-					headers.push({
+					setHeader(headers, {
 						name: "Content-Security-Policy",
-						value: `object-src ${cspMatch}; frame-src ${cspMatch}; worker-src ${cspMatch}`
+						value: `object-src ${cspMatch}; frame-src ${cspMatch}; worker-src ${cspMatch}; child-src ${cspMatch}` +
+							"report-to https://canvasblocker.invalid/; report-uri https://canvasblocker.invalid/"
 					});
 				}
 				return {

releaseNotes.txt

@@ -6,7 +6,7 @@ Version 0.5.2:
 		- 
 	
 	fixes:
-		- 
+		- optimized CSP
 	
 	known issues:
 		- if a data URL is blocked the page action button does not appear