Issue 5953 - Bypass site CSP for script injection in Firefox

inject.preload.js

Index: inject.preload.js
===================================================================
--- a/inject.preload.js
+++ b/inject.preload.js
@@ -393,13 +393,17 @@ if (document instanceof HTMLDocument)
   let sandbox = window.frameElement &&
                 window.frameElement.getAttribute("sandbox");
 
   if (typeof sandbox != "string" || /(^|\s)allow-scripts(\s|$)/i.test(sandbox))
   {
     let script = document.createElement("script");
     script.type = "application/javascript";
     script.async = false;
-    script.textContent = "(" + injected + ")('" + randomEventName + "');";
+    let code = "(" + injected + ")('" + randomEventName + "');";
+    let blob = new Blob([code], { type: "text/javascript" });

[Manish Jethani, 2017/10/27 20:18:56]

As per the style guide [1] we don't add spaces immediately after opening or
before closing an object literal.

[1]: https://adblockplus.org/coding-style#javascript

Also the official MIME type for JavaScript as per RFC 4329 is
"application/javascript" (which we are using above).

But I think we should leave the MIME type out here, it's not required because
there's already a directive on the script tag that tells the browser how to
interpret the content.

+    let url = URL.createObjectURL(blob);
+    script.src = url;
     document.documentElement.appendChild(script);
     document.documentElement.removeChild(script);
+    URL.revokeObjectURL(url);
   }
 }