This repository has been archived by the owner on Nov 15, 2017. It is now read-only.

Look into blocking inline scripts with script-src * instead of script-src 'none' #411

Open
gorhill opened this issue Sep 12, 2014 · 0 comments

@gorhill
Owner

gorhill commented Sep 12, 2014

I will just drop some thoughts here for the record, before I forget etc.

Currently HTTPSB blocks inline scripts using a CSP directive script-src 'none'. This actually blocks all scripts, inline and external.

I have been thinking about using script-src * instead, which would block only inline scripts.

From a user's point of view, the first directive means one has to allow the 1st-party scripts to be able to execute 3rd-party scripts. This is why currently HTTPSB reflects the existence of 3rd-party scripts through a synthetic 1st-party script request, i.e. a site can have zero 1st-party scripts, inline or external, and yet the script cell for the 1st-party hostname will show a count of 1.

If HTTPSB used the second directive, there would be no need for such a synthetic script request, and thus this would simplify code, and from a user's point of view the matrix would work more as expected -- i.e. it would be possible to whitelist an external script without having to also whitelist the 1st-party script cell in order for the whitelisted 3rd-party to be able to execute.

This is all nice etc., except that I have to ensure there are no caveats with regard to external scripts which may be in the memory cache. Last time I checked, resources pulled from the browser's memory cache are not routed through the webRequest API, which means if a user allowed an external script then blocked it, it might still be executed. So if this is still the case, I will keep things as they are; otherwise, the second directive is interesting.
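To make the difference between the two directives concrete, here is a small, added example (not HTTPSB's code, and not a full CSP implementation): a simplified evaluator for the `script-src` directive that handles `'none'`, `'self'`, `'unsafe-inline'`, `*` and host-source expressions, then runs the two policies from this issue over a constructed set of scripts. It assumes a scheme-less host-source matches on host only, ignores `default-src` fallback, and treats `'none'` as absolute even when other sources are present; the origin and script URLs are constructed sample values.

```javascript
// Added example, not part of HTTPSB. Simplified CSP script-src evaluator,
// enough to show why 'none' blocks everything while * blocks only inline.

function parseScriptSrc(policy) {
  // Pick the script-src directive out of a full policy string.
  const directive = policy.split(';')
    .map(s => s.trim())
    .find(s => s.toLowerCase().startsWith('script-src'));
  if (!directive) return null; // no script-src: unrestricted (default-src fallback ignored here)
  return directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
}

function hostMatches(pattern, url) {
  // Host-source matching: optional scheme, optional leading "*." wildcard.
  // Simplification: a scheme-less pattern is matched on host only.
  let hostPattern = pattern;
  let scheme = null;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(pattern);
  if (m) { scheme = m[1].toLowerCase(); hostPattern = m[2]; }
  hostPattern = hostPattern.replace(/\/.*$/, ''); // drop any path part
  if (scheme && url.protocol !== scheme + ':') return false;
  const host = url.hostname.toLowerCase();
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPattern;
}

// Decide whether one script may run. `script` is {inline: true} or
// {inline: false, url: '...'}; `pageOrigin` is the document's origin.
function scriptAllowed(policy, pageOrigin, script) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;          // 'none': nothing runs
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.url);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === page.origin) return true;
    } else if (src === '*') {
      // '*' matches any host, but only network schemes (data:, blob: etc. excluded)
      if (/^(https?|wss?):$/.test(url.protocol)) return true;
    } else if (!src.startsWith("'")) {
      if (hostMatches(src, url)) return true;
    }
  }
  return false;
}

// Run the two policies discussed in the issue over the same scripts.
function comparePolicies(pageOrigin, scripts) {
  const policies = { none: "script-src 'none'", star: 'script-src *' };
  const result = {};
  for (const [name, policy] of Object.entries(policies)) {
    result[name] = scripts.map(s => scriptAllowed(policy, pageOrigin, s));
  }
  return result;
}

// Constructed sample: inline, 1st-party external, 3rd-party external, data: URL.
const SAMPLE_ORIGIN = 'https://example.com';
const SAMPLE_SCRIPTS = [
  { inline: true },
  { inline: false, url: 'https://example.com/app.js' },
  { inline: false, url: 'https://cdn.example.net/lib.js' },
  { inline: false, url: 'data:text/javascript,void 0' },
];

console.log(comparePolicies(SAMPLE_ORIGIN, SAMPLE_SCRIPTS));
// none: [false, false, false, false]   star: [false, true, true, false]
```

The output shows the trade-off the issue describes: under `'none'`, CSP alone stops every script, so the 3rd-party external script can only run if the 1st-party script cell is allowed (hence the synthetic request); under `*`, CSP stops only the inline script and every external script is left to the webRequest layer, which is exactly why the memory-cache bypass question in the last paragraph decides whether the switch is safe.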
