Block data URLs instead of their requests

Fixes #211

_locales/de/messages.json

@@ -725,12 +725,12 @@
 		"description": ""
 	},
 	
-	"blockRequestsFromDataURL_title": {
-		"message": "Anfragen von Data-URL Seiten blockieren",
+	"blockDataURLs_title": {
+		"message": "Data-URL Seiten blockieren",
 		"description": ""
 	},
-	"blockRequestsFromDataURL_description": {
-		"message": "Data-URL Seiten können nicht gegen Fingerprinting geschützt werden (siehe https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Indem Anfragen von Data-URL Seiten blockiert werden kann verhindert werden, dass der echte Fingerabdruck zu irgendeinem Server gelangt.",
+	"blockDataURLs_description": {
+		"message": "Data-URL Seiten können nicht gegen Fingerprinting geschützt werden (siehe https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Indem Data-URL Seiten blockiert werden kann verhindert werden, dass der echte Fingerabdruck zu irgendeinem Server gelangt.",
 		"description": ""
 	},
 	

_locales/en/messages.json

@@ -725,12 +725,12 @@
 		"description": ""
 	},
 	
-	"blockRequestsFromDataURL_title": {
-		"message": "Block requests from data URL pages",
+	"blockDataURLs_title": {
+		"message": "Block data URL pages",
 		"description": ""
 	},
-	"blockRequestsFromDataURL_description": {
-		"message": "Data URL pages cannot be protected against fingerprinting (see https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Blocking requests from them prevents the real fingerprint to reach any server.",
+	"blockDataURLs_description": {
+		"message": "Data URL pages cannot be protected against fingerprinting (see https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Blocking them prevents the real fingerprint to reach any server.",
 		"description": ""
 	},
 	

lib/dataUrls.js

@@ -16,34 +16,25 @@
 	const logging = require("./logging");
 	const settings = require("./settings");
 	
-
-	const dataUrlFrames = new Set();
 	scope.init = function(){
-		browser.webRequest.onBeforeRequest.addListener(
+		browser.webRequest.onHeadersReceived.addListener(
 			function(details){
-				if (
-					details.url.startsWith("data:text")
-				){
-					dataUrlFrames.add(details.frameId);
-					logging.message("Detected data URL", details);
-				}
-				else if (
-					settings.blockRequestsFromDataURL &&
-					dataUrlFrames.has(details.frameId)
-				){
-					logging.warning("Blocking request from data-URL frame.", details);
-					if (
-						settings.get("showNotifications")
-					){
-						browser.pageAction.show(details.tabId);
-					}
-					return {cancel: true};
+				const headers = details.responseHeaders;
+				if (settings.blockDataURLs){
+					logging.verbose("Adding CSP header to", details);
+					headers.push({
+						name: "Content-Security-Policy",
+						value: "object-src *; child-src *"
+					});
 				}
+				return {
+					responseHeaders: headers
+				};
 			},
 			{
 				urls: ["<all_urls>"]
 			},
-			["blocking"]
+			["blocking", "responseHeaders"]
 		);
 	};
 

lib/settingDefinitions.js

@@ -206,7 +206,7 @@
 			}
 		},
 		{
-			name: "blockRequestsFromDataURL",
+			name: "blockDataURLs",
 			defaultValue: true
 		},
 		{

options/settingsDisplay.js

@@ -381,7 +381,7 @@
 		},
 		"misc",
 		{
-			"name": "blockRequestsFromDataURL",
+			"name": "blockDataURLs",
 			"displayDependencies": {
 				"displayAdvancedSettings": [true]
 			}

releaseNotes.txt

@@ -1,15 +1,16 @@
 Version 0.5.1:
 	changes:
-		- 
+		- instead of blocking requests from data URLs they are blocked themselfes
 	
 	new features:
 		- new setting: session white list that is cleared on addon load (= browser start)
 	
 	fixes:
 		- Changes made in the page action were not saved in all Firefox versions
+		- Blocking requests data URLs blocked too much
 	
 	known issues:
-		- if a data URL request is blocked the page action button appears but shows no content
+		- if a data URL is blocked the page action button does not appear
 
 Version 0.5.0.1b:
 	known issues: