Index: inject.preload.js |
=================================================================== |
--- a/inject.preload.js |
+++ b/inject.preload.js |
@@ -393,13 +393,18 @@ if (document instanceof HTMLDocument) |
let sandbox = window.frameElement && |
window.frameElement.getAttribute("sandbox"); |
if (typeof sandbox != "string" || /(^|\s)allow-scripts(\s|$)/i.test(sandbox)) |
{ |
let script = document.createElement("script"); |
script.type = "application/javascript"; |
script.async = false; |
- script.textContent = "(" + injected + ")('" + randomEventName + "');"; |
+ // Firefox 58 only bypasses site CSPs when assigning to 'src'. |
+ let url = URL.createObjectURL(new Blob([ |
+ "(" + injected + ")('" + randomEventName + "');" |
+ ])); |
+ script.src = url; |
document.documentElement.appendChild(script); |
document.documentElement.removeChild(script); |
+ URL.revokeObjectURL(url); |
} |
} |