Content security policy (CSP) options are ignored in user-defined filter lists

[eblosug]

CSP options can modify the header of HTTP(S) responses. For example, the filter rule

||example.com^$csp=script-src 'self' '*' 'unsafe-inline'

Adds the header

Content-Security-Policy: script-src 'self' '*' 'unsafe-inline'

to responses from example.com.

This works for the included EasyLists, but not for user-defined filter lists.

[eblosug]

Filter lists are divided into categories. Each request/response processor only works on a specific category.

User-defined lists fall into the ADS or TRACKER_BLOCKER category. For example, the TrackingBlockerProcessor asks the FilterManager for the filters in the TRACKER_BLOCKER category.

The filter result of a rule with a CSP option is SET_CSP_HEADER. But the TrackingBlockerProcessor does not do anything with this result.

The ContentSecurityPoliciesProcessor is responsible for adding the CSP header field but it works only on the CONTENT_SECURITY_POLICIES category. User-defined filter lists do not add any rules to this category.