Bug 1582073: Add https: to img-src directive for CSP of about:preferences. r=Gijs
author: Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 25 Sep 2019 11:31:16 +0000
changeset 494904 01855d5dc2eb6efd4dd6d781ff53b15849b79962
parent 494903 1cd25a1bf819ea4de7face7ee1a801b9e0ed454f
child 494905 b4875ea160da606061e9767f0e121d61f60678c3
push id: 36617
push user: ccoroiu@mozilla.com
push date: Wed, 25 Sep 2019 16:30:53 +0000
treeherder: mozilla-central@451e084cba66
reviewers: Gijs
bugs: 1582073
milestone: 71.0a1
Bug 1582073: Add https: to img-src directive for CSP of about:preferences. r=Gijs

Differential Revision: https://phabricator.services.mozilla.com/D47064
browser/components/preferences/in-content/preferences.xul
--- a/browser/components/preferences/in-content/preferences.xul
+++ b/browser/components/preferences/in-content/preferences.xul
@@ -19,17 +19,17 @@
 <!DOCTYPE page>
 
 <!-- @CSP: The 'oncommand' handler for 'focusSearch1' can not easily be rewritten (see Bug 371900)
      hence we are allowing the inline handler in the script-src directive using the hash
      sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ==
      Additionally we should remove 'unsafe-inline' from style-src, see Bug 1579160 -->
 <page xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
       xmlns:html="http://www.w3.org/1999/xhtml"
-      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'"
+      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'"
       role="document"
       data-l10n-id="pref-page"
       data-l10n-attrs="title">
 
   <linkset>
     <html:link rel="localization" href="branding/brand.ftl"/>
     <html:link rel="localization" href="browser/branding/brandings.ftl"/>
     <html:link rel="localization" href="browser/branding/sync-brand.ftl"/>
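Review bot: In the csp attribute, the new https: scheme source in img-src permits image loads from any HTTPS origin, which is much broader than the chrome: and moz-icon: sources it sits beside. If the images about:preferences needs come from a known set of hosts, list those hosts instead of the bare scheme. The @CSP comment above the page element explains the script-src hash and the style-src 'unsafe-inline' but says nothing about why img-src needs https:; add a line there giving the reason so the exception can be revisited later.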