Bug 1496010: Apply Meta CSP to System Privileged about:about.
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Mon, 03 Jun 2019 06:04:25 +0000 (2019-06-03)
changeset 476569 45edf42e870a703b67104fd92f49614d50152bb5
parent 476568 62b73610a2f7d80d7eb5f402d59757868e4521a0
child 476570 abf29aea4d1edd7cc377f18d1b25149b020bcabf
child 476588 af8569c103d2ae0c6b3ee749c341cc0332e56d43
push id36101
push usercsabou@mozilla.com
push dateMon, 03 Jun 2019 10:13:37 +0000 (2019-06-03)
bugs1496010
milestone69.0a1
first release with
nightly linux32
45edf42e870a / 69.0a1 / 20190603101337 / files
nightly linux64
45edf42e870a / 69.0a1 / 20190603101337 / files
nightly mac
45edf42e870a / 69.0a1 / 20190603101337 / files
nightly win32
45edf42e870a / 69.0a1 / 20190603101337 / files
nightly win64
45edf42e870a / 69.0a1 / 20190603101337 / files
Bug 1496010: Apply Meta CSP to System Privileged about:about. Differential Revision: https://phabricator.services.mozilla.com/D33443
modules/libpref/init/all.js
testing/mochitest/tests/browser/dummy.html
toolkit/content/aboutAbout.xhtml
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2633,17 +2633,17 @@ pref("font.blacklist.underline_offset", 
 
 pref("security.directory",              "");
 
 // security-sensitive dialogs should delay button enabling. In milliseconds.
 pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);
 
 #if defined(DEBUG) && !defined(ANDROID)
-pref("csp.about_uris_without_csp", "blank,printpreview,srcdoc,about,addons,cache-entry,config,crashes,debugging,devtools,downloads,home,memory,networking,newtab,performance,plugins,policies,profiles,restartrequired,serviceworkers,sessionrestore,support,sync-log,telemetry,url-classifier,webrtc,welcomeback");
+pref("csp.about_uris_without_csp", "blank,printpreview,srcdoc,addons,cache-entry,config,crashes,debugging,devtools,downloads,home,memory,networking,newtab,performance,plugins,policies,profiles,restartrequired,serviceworkers,sessionrestore,support,sync-log,telemetry,url-classifier,webrtc,welcomeback");
 // the following prefs are for testing purposes only.
 pref("csp.overrule_about_uris_without_csp_whitelist", false);
 pref("csp.skip_about_page_has_csp_assert", false);
 // assertion flag will be set to false after fixing Bug 1473549
 pref("security.allow_eval_with_system_principal", false);
 pref("security.uris_using_eval_with_system_principal", "autocomplete.xml,redux.js,react-redux.js,content-task.js,preferencesbindings.js,lodash.js,jszip.js,sinon-7.2.7.js,jsol.js");
 #endif
 
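Review bot: The `csp.about_uris_without_csp` pref has no comment saying what the list controls, so the effect of dropping `about` from it is only clear from the commit title. Judging by the neighbouring `csp.skip_about_page_has_csp_assert` pref, it appears to be the set of about: pages exempt from a "page must ship a CSP" assertion. A line above it such as `// about: pages still exempt from the has-CSP assertion; remove an entry once its page carries a meta CSP.` would record that. Because the pref sits inside `#if defined(DEBUG) && !defined(ANDROID)`, that check presumably runs only in desktop debug builds. In other builds the protection would then come from the `<meta>` tag in aboutAbout.xhtml itself, not from this list.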
--- a/testing/mochitest/tests/browser/dummy.html
+++ b/testing/mochitest/tests/browser/dummy.html
@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html>
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'"></meta>
   <title>This is a dummy page</title>
   <meta charset="utf-8">
   <body>This is a dummy page</body>
 </html>
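Review bot: The added `<meta>` on new line 3 carries a `</meta>` end tag, which is not valid for a void element in an HTML document; the parser treats it as a stray end tag and ignores it. `<meta http-equiv="Content-Security-Policy" content="default-src 'none'">` is enough. The element also lands ahead of `<meta charset="utf-8">`, which conventionally comes first. dummy.html looks like a shared test fixture, and `default-src 'none'` blocks any script, style or image loaded under the page's own principal. A short comment in the file saying why the policy is there would help, along with a check that the tests using this page do not depend on such loads.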
--- a/toolkit/content/aboutAbout.xhtml
+++ b/toolkit/content/aboutAbout.xhtml
@@ -2,16 +2,17 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
 
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
   <title data-l10n-id="about-about-title"></title>
   <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css"/>
   <link rel="localization" href="toolkit/about/aboutAbout.ftl"/>
   <script src="chrome://global/content/aboutAbout.js"></script>
 
 </head>
 
 <body>
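Review bot: `default-src chrome:` on the added `<meta>` leaves `object-src` and every other fetch directive falling back to `chrome:`. The head shown here only loads a stylesheet and a script, so the policy could be narrowed, e.g. `content="default-src chrome:; object-src 'none'"`. A meta-delivered policy cannot carry `frame-ancestors`, `report-uri` or `sandbox`, so framing restrictions for this privileged page have to come from elsewhere. The policy also blocks inline script, inline event handlers and inline styles. The `<body>` continues outside the hunk and should be checked for `on*=` or `style=` attributes and inline `<script>` that would now silently stop working.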