Merge pull request #2113.

Fix SoundCloud widget replacement CSP bypass.
EFForg · Jul 24, 2018 · ce4a8be · ce4a8be
2 parents 533eebc + 8bd5305
commit ce4a8be
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/data/socialwidgets.json b/src/data/socialwidgets.json
@@ -90,7 +90,7 @@
         "SoundCloud": {
           "domain": "soundcloud.com",
           "buttonSelectors": [
-            "iframe[src*='api.soundcloud.com']"
+            "iframe[src^='https://w.soundcloud.com/player']"
           ],
           "replacementButton": {
             "details": "",

diff --git a/src/js/contentscripts/socialwidgets.js b/src/js/contentscripts/socialwidgets.js
@@ -224,7 +224,8 @@ function replaceButtonWithHtmlCodeAndUnblockTracker(button, tracker, html) {
  * with executable scripts.
  */
 function replaceScriptsRecurse(node) {
-  if (node.getAttribute && node.getAttribute("type") == "text/javascript") {
+  if (node.nodeName && node.nodeName.toLowerCase() == 'script' &&
+      node.getAttribute && node.getAttribute("type") == "text/javascript") {
     var script = document.createElement("script");
     script.text = node.innerHTML;
     script.src = node.src;