Bug 1582073: Add https: to img-src directive for CSP of about:preferences. r=Gijs
author Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 25 Sep 2019 11:31:16 +0000
changeset 494920 01855d5dc2eb6efd4dd6d781ff53b15849b79962
parent 494919 1cd25a1bf819ea4de7face7ee1a801b9e0ed454f
child 494921 b4875ea160da606061e9767f0e121d61f60678c3
push id 96296
push user csabou@mozilla.com
push date Wed, 25 Sep 2019 11:53:49 +0000
treeherder autoland@01855d5dc2eb
reviewers Gijs
bugs 1582073
milestone 71.0a1
Bug 1582073: Add https: to img-src directive for CSP of about:preferences. r=Gijs

Differential Revision: https://phabricator.services.mozilla.com/D47064
browser/components/preferences/in-content/preferences.xul
--- a/browser/components/preferences/in-content/preferences.xul
+++ b/browser/components/preferences/in-content/preferences.xul
@@ -19,17 +19,17 @@
 <!DOCTYPE page>
 
 <!-- @CSP: The 'oncommand' handler for 'focusSearch1' can not easily be rewritten (see Bug 371900)
      hence we are allowing the inline handler in the script-src directive using the hash
      sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ==
      Additionally we should remove 'unsafe-inline' from style-src, see Bug 1579160 -->
 <page xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
       xmlns:html="http://www.w3.org/1999/xhtml"
-      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'"
+      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'"
       role="document"
       data-l10n-id="pref-page"
       data-l10n-attrs="title">
 
   <linkset>
     <html:link rel="localization" href="branding/brand.ftl"/>
     <html:link rel="localization" href="browser/branding/brandings.ftl"/>
     <html:link rel="localization" href="browser/branding/sync-brand.ftl"/>
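Review bot: The `https:` added to img-src in the csp attribute of the page element is a bare scheme source, so about:preferences can now load images from any HTTPS origin, and neither the commit message nor the @CSP comment above the element says which image needs it. If the images come from a known set of hosts, list those hosts in img-src instead of the whole scheme. If the set really is open-ended, add a line to the @CSP comment stating why https: is required for images, in the same way the comment already justifies the script-src hash and flags the style-src 'unsafe-inline' for removal.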