function fireNewTab(ret) {//var newTab = window.open ('about:blank', '_blank');
var newTab = unsafeWindow.open ('about:blank', '_blank');
var D = newTab.document;
var scriptNode = D.createElement ('script');
scriptNode.type = "text/javascript";
scriptNode.textContent = "document.write(unescape('"+ret+"'));";
var targ = D.getElementsByTagName ('head')[0];
targ.appendChild (scriptNode);
}
Variable ret is assebled data. New window opens but it's blank because i get this error:
Content Security Policy: The page's settings blocked the loading of a
resource at self ("script-src
'sha256-8Kp4YIWqA8yhCJaTWnmB7Wv7OjnXnX661ygwccVuDRw='
'sha256-RWjZjHViHqRaxuNn3Gqcy5tg2pM20UIGVdEcuv8LaCE='
https://www.airbnb.com https: 'unsafe-eval' 'unsafe-inline' http:").
I have second script that creates an iframe on Hostelworld booking info page without any problems and it's also https. Bat the same code generates an CSP error on Airbnb page:
function createIFrame(InHTML){
var docBody = document.getElementsByTagName ('body')[0];
var iframe = document.createElement('iframe');
iframe.frameBorder = 0;
iframe.style.width = "100%";
iframe.style.height = "1350px";
docBody.appendChild(iframe);
iframe.src = 'data:text/html;charset=utf-8,' + encodeURIComponent(InHTML);
}
Can anyone point me in the right dirrection how to bypass this restriction?
Here is https encription info from airbnb and hostelworld, maybe that has something to do with this problem:
Airbnb:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2
Hostelworld:
TLS_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.2