Support 1und1 web mail frontend

[j-r]

1und1 now only has a large ugly web frontend for their mail service, that I sometimes need:-)

To run in Palemoon it requires the following rule

navigator.1und1.de std-customElements

Unfortunately Palefill's csp handling then breaks the page by adding a lvl 2 element (sha...) to the header containing only lvl 1 elements (notably 'unsafe-inline'). (The same problem would appear by adding nonce elements to the header)

Currently I just removed most of the csp handling of palefill, but a better solution is probably to add a bit more smarts, perhaps something like

• only add sha... elements if there already is one or no 'unsafe-inline' (otherwise nothing needs to be added)
• only add nonce if there already is one (otherwise the host is enough)
• if there is no script-src, but a default-src, include default-src in newly created script-src (not a problem in this case, but could be in theory)

[martok]

Tested using web.de, which uses the same interface. What a nightmare :fearful:

Rewrote CSP handling another time, following your suggestions except for default-src. So far I haven't seen anyone using a restrictive default without relaxing it in a script-src later, and that would be handled correctly now.