This repository has been archived by the owner on Nov 15, 2017. It is now read-only.
Oh I see the problem... I add the "Content-Security-Policy: script-src 'none'" regardless of whether there is actual javascript. In fact, I can't know at this point whether there is actual javascript, I just know whether it is allowed or blocked, it's just the headers of the page. And the CSP directive can't obviously be added later when I have more information about the javascript environment, as it will be too late by then to prevent javascript from running.
I don't see how to solve this except for reporting/adding a javascript of count 1 as a proxy value for all the 3rd-party javascript sources which have to execute on the 1st-party page.
Got an idea: for each 3rd-party script, record a virtual 1st-party script request in the form of example.com{3rd-party_scripts}. This will create a count for script objects on the main page, and in the Statistics this will show up nicely without being misleading.
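The virtual-request idea above, as an added sketch that is not part of the original thread or the extension's own code. `PageStats`, `noteScript` and the reload check are hypothetical names, and the smart-reload rule is a simplified model of the behaviour described in this issue.

```javascript
// Added sketch; every name here is hypothetical, not the extension's own code.
const CSP_NO_SCRIPT = { name: 'Content-Security-Policy', value: "script-src 'none'" };

class PageStats {
  constructor(pageHostname, scriptsAllowed, useVirtualEntries) {
    this.pageHostname = pageHostname;
    this.scriptsAllowed = scriptsAllowed;       // 1st-party script rule for this page
    this.useVirtualEntries = useVirtualEntries; // false = the behaviour reported as the problem
    this.entries = [];                          // { type, hostname, url, blocked }
  }
  // Header stage: only the allow/block decision is known, not whether the
  // page contains any script, so the directive is appended unconditionally.
  filterResponseHeaders(headers) {
    return this.scriptsAllowed ? headers : headers.concat([CSP_NO_SCRIPT]);
  }
  isThirdParty(hostname) {
    // Simplification: an exact or subdomain match counts as 1st-party.
    return hostname !== this.pageHostname && !hostname.endsWith('.' + this.pageHostname);
  }
  // Called for each script source seen on the page; `blocked` is the rule
  // for the script's own hostname.
  noteScript(url, blocked) {
    const hostname = new URL(url).hostname;
    this.entries.push({ type: 'script', hostname, url, blocked });
    if (this.useVirtualEntries && !this.scriptsAllowed && this.isThirdParty(hostname)) {
      // Virtual 1st-party request: gives the page's own script cell a count.
      const virtualUrl = this.pageHostname + '{3rd-party_scripts}';
      this.entries.push({ type: 'script', hostname: this.pageHostname, url: virtualUrl, blocked: true });
    }
  }
  blockedCount(type, hostname) {
    return this.entries.filter(e => e.blocked && e.type === type && e.hostname === hostname).length;
  }
  // Simplified smart reload: allowing 1st-party scripts only warrants a
  // reload if something was counted as blocked for script/pageHostname.
  reloadNeededIfPageScriptsAllowed() {
    return !this.scriptsAllowed && this.blockedCount('script', this.pageHostname) > 0;
  }
}

// Constructed sample page: example.com with 1st-party scripts blocked.
function demo(useVirtualEntries) {
  const page = new PageStats('example.com', false, useVirtualEntries);
  const headers = page.filterResponseHeaders([{ name: 'Content-Type', value: 'text/html' }]);
  page.noteScript('https://cdn.example.net/lib.js', false); // allowed by its own rule
  page.noteScript('https://ads.example.org/a.js', true);    // blocked by its own rule
  return { headers, count: page.blockedCount('script', 'example.com'),
           reload: page.reloadNeededIfPageScriptsAllowed() };
}
```

With `useVirtualEntries` set to `false`, the 1st-party script cell stays empty and the reload check never fires, even though the CSP header is what keeps `cdn.example.net/lib.js` from running.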
As per http://www.wilderssecurity.com/showthread.php?p=2334993#post2334993.
My description of the problem:
Essentially, 3rd-party scripts won't execute if scripts are not allowed for the web page pulling these 3rd-party scripts. This is a good thing. Problem is by reporting an empty 1st-party script cell, the user is not being given a visual hint that scripts for the web page need to be allowed for the 3rd-party scripts to execute. This also affects smart reload since it relies on the blocked count of a type/hostname to figure whether a reload is necessary.