Disable script overloads for non scripts (#521)

jonathanKingston · dharb · web-flow · commit adfe2d618e34 · 2023-05-17T08:34:06.000+01:00
Co-authored-by: David Harbage &lt;dave@duckduckgo.com&gt;
diff --git a/src/features/runtime-checks.js b/src/features/runtime-checks.js
@@ -46,6 +46,25 @@ const defaultElementMethods = {
 }
 const supportedTrustedTypes = 'TrustedScriptURL' in window
 
+const jsMimeTypes = [
+    'text/javascript',
+    'text/ecmascript',
+    'application/javascript',
+    'application/ecmascript',
+    'application/x-javascript',
+    'application/x-ecmascript',
+    'text/javascript1.0',
+    'text/javascript1.1',
+    'text/javascript1.2',
+    'text/javascript1.3',
+    'text/javascript1.4',
+    'text/javascript1.5',
+    'text/jscript',
+    'text/livescript',
+    'text/x-ecmascript',
+    'text/x-javascript'
+]
+
 class DDGRuntimeChecks extends HTMLElement {
     #tagName
     #el
@@ -130,6 +149,12 @@ class DDGRuntimeChecks extends HTMLElement {
         // @ts-expect-error TrustedScript is not defined in the TS lib
         if (supportedTrustedTypes && el.textContent instanceof TrustedScript) return
 
+        // Short circuit if not a script type
+        const scriptType = el.type.toLowerCase()
+        if (!jsMimeTypes.includes(scriptType) &&
+            scriptType !== 'module' &&
+            scriptType !== '') return
+
         el.textContent = wrapScriptCodeOverload(el.textContent, scriptOverload)
     }
 
