Closed j-r closed 1 year ago
Tested using web.de, which uses the same interface. What a nightmare :fearful:
Rewrote CSP handling another time, following your suggestions except for default-src. So far I haven't seen anyone using a restrictive default without relaxing it in a script-src later, and that would be handled correctly now.
1und1 now only has a large ugly web frontend for their mail service, which I sometimes need :-)
To run in Pale Moon it requires the following rule:
navigator.1und1.de std-customElements
Unfortunately Palefill's CSP handling then breaks the page by adding a lvl 2 element (sha...) to the header containing only lvl 1 elements (notably 'unsafe-inline'). (The same problem would appear by adding nonce elements to the header.)
Currently I just removed most of the CSP handling of Palefill, but a better solution is probably to add a bit more smarts, perhaps something like
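
The following is an added example, not part of the original posts and not Palefill's own code: one way to handle the case described above, where a hash source is appended only when that cannot switch off an existing 'unsafe-inline', including the default-src fallback mentioned in the reply. Function names and the hash value are constructed, and it assumes a single policy per header value.

```javascript
// Added example (hypothetical names): append a hash source to a CSP only when
// that cannot disable an existing 'unsafe-inline'. Assumes one policy per value.
const HASH_OR_NONCE = /^'(?:nonce-|sha(?:256|384|512)-)/i;
const isKeyword = (s, kw) => s.toLowerCase() === kw;

function parsePolicy(policy) {
  // "name src1 src2; name2 ..." -> [[name, [sources]], ...]
  return policy.split(';').map(d => d.trim()).filter(Boolean).map(d => {
    const [name, ...sources] = d.split(/\s+/);
    return [name.toLowerCase(), sources];
  });
}

function serializePolicy(directives) {
  return directives.map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

function addScriptHash(policy, hashSource) {
  const directives = parsePolicy(policy);
  let scriptSrc = directives.find(([name]) => name === 'script-src');
  const defaultSrc = directives.find(([name]) => name === 'default-src');
  if (!scriptSrc && !defaultSrc) return policy; // scripts are not restricted

  const effective = (scriptSrc || defaultSrc)[1];
  const hasLevel2 = effective.some(s => HASH_OR_NONCE.test(s));
  const hasUnsafeInline = effective.some(s => isKeyword(s, "'unsafe-inline'"));
  // Level 1 list with 'unsafe-inline': inline scripts already run, and adding a
  // hash or nonce would make CSP2 browsers ignore 'unsafe-inline'. Leave it.
  if (hasUnsafeInline && !hasLevel2) return policy;

  if (!scriptSrc) {
    // Only default-src governs scripts: add a script-src that copies its
    // sources, so other resource types keep falling back to default-src.
    scriptSrc = ['script-src', effective.slice()];
    directives.push(scriptSrc);
  }
  // 'none' is only meaningful on its own, so drop it before adding a source.
  scriptSrc[1] = scriptSrc[1].filter(s => !isKeyword(s, "'none'"));
  if (!scriptSrc[1].includes(hashSource)) scriptSrc[1].push(hashSource);
  return serializePolicy(directives);
}

// Constructed sample values, not taken from the page.
const SAMPLE_HASH = "'sha256-CONSTRUCTEDPLACEHOLDERHASH='";
console.log(addScriptHash("script-src 'self' 'unsafe-inline'", SAMPLE_HASH));
console.log(addScriptHash("default-src 'self'; img-src *", SAMPLE_HASH));
```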