Bug 1452604 - Meta CSP applied to content privileged about:blocked r=Gijs,ckerschb
authorvinoth <cegvinoth@gmail.com>
Wed, 04 Jul 2018 09:12:52 +0000
changeset 814163 b26a5fa5e75f1038d26e57e54dfbd7bfe3a2880e
parent 814162 af93628a6d33be7d1c601d5546a674e82589814c
child 814164 2705852264244740fffc91f537d29768d2943508
push id115123
push userjdescottes@mozilla.com
push dateWed, 04 Jul 2018 17:42:29 +0000
reviewersGijs, ckerschb
bugs1452604
milestone63.0a1
Bug 1452604 - Meta CSP applied to content privileged about:blocked r=Gijs,ckerschb Differential Revision: https://phabricator.services.mozilla.com/D880
browser/base/content/blockedSite.js
browser/base/content/blockedSite.xhtml
browser/base/jar.mn
modules/libpref/init/all.js
copy from browser/base/content/blockedSite.xhtml
copy to browser/base/content/blockedSite.js
--- a/browser/base/content/blockedSite.xhtml
+++ b/browser/base/content/blockedSite.js
@@ -1,240 +1,155 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!DOCTYPE html [
-  <!ENTITY % htmlDTD PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
-  %htmlDTD;
-  <!ENTITY % globalDTD SYSTEM "chrome://global/locale/global.dtd">
-  %globalDTD;
-  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
-  %brandDTD;
-  <!ENTITY % blockedSiteDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd">
-  %blockedSiteDTD;
-]>
+// Error url MUST be formatted like this:
+//   about:blocked?e=error_code&u=url(&o=1)?
+//     (o=1 when user overrides are allowed)
 
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
-   - License, v. 2.0. If a copy of the MPL was not distributed with this
-   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
-<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
-  <head>
-    <link rel="stylesheet" href="chrome://browser/skin/blockedSite.css" type="text/css" media="all" />
-    <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/>
-
-    <script type="application/javascript"><![CDATA[
-      // Error url MUST be formatted like this:
-      //   about:blocked?e=error_code&u=url(&o=1)?
-      //     (o=1 when user overrides are allowed)
+// Note that this file uses document.documentURI to get
+// the URL (with the format from above). This is because
+// document.location.href gets the current URI off the docshell,
+// which is the URL displayed in the location bar, i.e.
+// the URI that the user attempted to load.
 
-      // Note that this file uses document.documentURI to get
-      // the URL (with the format from above). This is because
-      // document.location.href gets the current URI off the docshell,
-      // which is the URL displayed in the location bar, i.e.
-      // the URI that the user attempted to load.
-
-      function getErrorCode() {
-        var url = document.documentURI;
-        var error = url.search(/e\=/);
-        var duffUrl = url.search(/\&u\=/);
-        return decodeURIComponent(url.slice(error + 2, duffUrl));
-      }
+function getErrorCode() {
+  var url = document.documentURI;
+  var error = url.search(/e\=/);
+  var duffUrl = url.search(/\&u\=/);
+  return decodeURIComponent(url.slice(error + 2, duffUrl));
+}
 
-      function getURL() {
-        var url = document.documentURI;
-        var match = url.match(/&u=([^&]+)&/);
+function getURL() {
+  var url = document.documentURI;
+  var match = url.match(/&u=([^&]+)&/);
 
-        // match == null if not found; if so, return an empty string
-        // instead of what would turn out to be portions of the URI
-        if (!match)
-          return "";
+  // match == null if not found; if so, return an empty string
+  // instead of what would turn out to be portions of the URI
+  if (!match)
+    return "";
 
-        url = decodeURIComponent(match[1]);
-
-        // If this is a view-source page, then get then real URI of the page
-        if (url.startsWith("view-source:"))
-          url = url.slice(12);
-        return url;
-      }
+  url = decodeURIComponent(match[1]);
 
-      /**
-       * Check whether this warning page is overridable or not, in which case
-       * the "ignore the risk" suggestion in the error description
-       * should not be shown.
-       */
-      function getOverride() {
-        var url = document.documentURI;
-        var match = url.match(/&o=1&/);
-        return !!match;
-      }
+  // If this is a view-source page, then get then real URI of the page
+  if (url.startsWith("view-source:"))
+    url = url.slice(12);
+  return url;
+}
 
-      /**
-       * Attempt to get the hostname via document.location.  Fail back
-       * to getURL so that we always return something meaningful.
-       */
-      function getHostString() {
-        try {
-          return document.location.hostname;
-        } catch (e) {
-          return getURL();
-        }
-      }
+/**
+ * Check whether this warning page is overridable or not, in which case
+ * the "ignore the risk" suggestion in the error description
+ * should not be shown.
+ */
+function getOverride() {
+  var url = document.documentURI;
+  var match = url.match(/&o=1&/);
+  return !!match;
+}
 
-      function onClickSeeDetails() {
-        let details = document.getElementById("errorDescriptionContainer");
-        if (details.hidden) {
-          details.removeAttribute("hidden");
-        } else {
-          details.setAttribute("hidden", "true");
-        }
-      }
+/**
+ * Attempt to get the hostname via document.location.  Fail back
+ * to getURL so that we always return something meaningful.
+ */
+function getHostString() {
+  try {
+    return document.location.hostname;
+  } catch (e) {
+    return getURL();
+  }
+}
 
-      function initPage() {
-        var error = "";
-        switch (getErrorCode()) {
-          case "malwareBlocked" :
-            error = "malware";
-            break;
-          case "deceptiveBlocked" :
-            error = "phishing";
-            break;
-          case "unwantedBlocked" :
-            error = "unwanted";
-            break;
-          case "harmfulBlocked" :
-            error = "harmful";
-            break;
-          default:
-            return;
-        }
-
-        var el;
-
-        if (error !== "malware") {
-          el = document.getElementById("errorTitleText_malware");
-          el.remove();
-          el = document.getElementById("errorShortDescText_malware");
-          el.remove();
-          el = document.getElementById("errorLongDesc_malware");
-          el.remove();
-        }
+function onClickSeeDetails() {
+  let details = document.getElementById("errorDescriptionContainer");
+  if (details.hidden) {
+    details.removeAttribute("hidden");
+  } else {
+    details.setAttribute("hidden", "true");
+  }
+}
 
-        if (error !== "phishing") {
-          el = document.getElementById("errorTitleText_phishing");
-          el.remove();
-          el = document.getElementById("errorShortDescText_phishing");
-          el.remove();
-          el = document.getElementById("errorLongDesc_phishing");
-          el.remove();
-        }
-
-        if (error !== "unwanted") {
-          el = document.getElementById("errorTitleText_unwanted");
-          el.remove();
-          el = document.getElementById("errorShortDescText_unwanted");
-          el.remove();
-          el = document.getElementById("errorLongDesc_unwanted");
-          el.remove();
-        }
-
-        if (error !== "harmful") {
-          el = document.getElementById("errorTitleText_harmful");
-          el.remove();
-          el = document.getElementById("errorShortDescText_harmful");
-          el.remove();
-          el = document.getElementById("errorLongDesc_harmful");
-          el.remove();
-        }
+function initPage() {
+  var error = "";
+  switch (getErrorCode()) {
+    case "malwareBlocked" :
+      error = "malware";
+      break;
+    case "deceptiveBlocked" :
+      error = "phishing";
+      break;
+    case "unwantedBlocked" :
+      error = "unwanted";
+      break;
+    case "harmfulBlocked" :
+      error = "harmful";
+      break;
+    default:
+      return;
+  }
 
-        // Decide which version of the string should be visible in the error description.
-        if (getOverride()) {
-          document.getElementById(error + "_error_desc_no_override").remove();
-        } else {
-          document.getElementById(error + "_error_desc_override").remove();
-        }
-
-        // Set sitename in error details.
-        let sitenameElem = document.getElementById(error + "_sitename");
-        sitenameElem.setAttribute("class", "sitename");
-        sitenameElem.textContent = getHostString();
-
-        document.title = document.getElementById("errorTitleText_" + error).textContent;
+  var el;
 
-        // Inform the test harness that we're done loading the page.
-        var event = new CustomEvent("AboutBlockedLoaded",
-          {
-            bubbles: true,
-            detail: {
-              url: this.getURL(),
-              err: error
-            }
-          });
-        document.dispatchEvent(event);
-      }
-    ]]></script>
-  </head>
+  if (error !== "malware") {
+    el = document.getElementById("errorTitleText_malware");
+    el.remove();
+    el = document.getElementById("errorShortDescText_malware");
+    el.remove();
+    el = document.getElementById("errorLongDesc_malware");
+    el.remove();
+  }
 
-  <body dir="&locale.dir;">
-    <div id="errorPageContainer" class="container">
+  if (error !== "phishing") {
+    el = document.getElementById("errorTitleText_phishing");
+    el.remove();
+    el = document.getElementById("errorShortDescText_phishing");
+    el.remove();
+    el = document.getElementById("errorLongDesc_phishing");
+    el.remove();
+  }
 
-      <!-- Error Title -->
-      <div id="errorTitle" class="title">
-        <h1 class="title-text" id="errorTitleText_phishing">&safeb.blocked.phishingPage.title3;</h1>
-        <h1 class="title-text" id="errorTitleText_malware">&safeb.blocked.malwarePage.title2;</h1>
-        <h1 class="title-text" id="errorTitleText_unwanted">&safeb.blocked.unwantedPage.title2;</h1>
-        <h1 class="title-text" id="errorTitleText_harmful">&safeb.blocked.harmfulPage.title;</h1>
-      </div>
-
-      <div id="errorLongContent">
+  if (error !== "unwanted") {
+    el = document.getElementById("errorTitleText_unwanted");
+    el.remove();
+    el = document.getElementById("errorShortDescText_unwanted");
+    el.remove();
+    el = document.getElementById("errorLongDesc_unwanted");
+    el.remove();
+  }
 
-        <!-- Short Description -->
-        <div id="errorShortDesc">
-          <p id="errorShortDescText_phishing">&safeb.blocked.phishingPage.shortDesc3;</p>
-          <p id="errorShortDescText_malware">&safeb.blocked.malwarePage.shortDesc2;</p>
-          <p id="errorShortDescText_unwanted">&safeb.blocked.unwantedPage.shortDesc2;</p>
-          <p id="errorShortDescText_harmful">&safeb.blocked.harmfulPage.shortDesc2;</p>
-        </div>
+  if (error !== "harmful") {
+    el = document.getElementById("errorTitleText_harmful");
+    el.remove();
+    el = document.getElementById("errorShortDescText_harmful");
+    el.remove();
+    el = document.getElementById("errorLongDesc_harmful");
+    el.remove();
+  }
 
-        <!-- Advisory -->
-        <div id="advisoryDesc">
-          <p id="advisoryDescText">&safeb.palm.advisory.desc2;</p>
-        </div>
+  // Decide which version of the string should be visible in the error description.
+  if (getOverride()) {
+    document.getElementById(error + "_error_desc_no_override").remove();
+  } else {
+    document.getElementById(error + "_error_desc_override").remove();
+  }
 
-        <!-- Action buttons -->
-        <div id="buttons" class="button-container">
-          <!-- Commands handled in browser.js -->
-          <button id="goBackButton">&safeb.palm.accept.label2;</button>
-          <button id="seeDetailsButton" onclick="onClickSeeDetails();">&safeb.palm.seedetails.label;</button>
-        </div>
-      </div>
-      <div id="errorDescriptionContainer" hidden="true">
-        <div class="error-description" id="errorLongDesc_phishing">
-          <p id="phishing_error_desc_override">&safeb.blocked.phishingPage.errorDesc.override;</p>
-          <p id="phishing_error_desc_no_override">&safeb.blocked.phishingPage.errorDesc.noOverride;</p>
-          <p id="phishing_learn_more">&safeb.blocked.phishingPage.learnMore;</p>
-        </div>
-        <div class="error-description" id="errorLongDesc_malware">
-          <p id="malware_error_desc_override">&safeb.blocked.malwarePage.errorDesc.override;</p>
-          <p id="malware_error_desc_no_override">&safeb.blocked.malwarePage.errorDesc.noOverride;</p>
-          <p id="malware_learn_more">&safeb.blocked.malwarePage.learnMore;</p>
-        </div>
-        <div class="error-description" id="errorLongDesc_unwanted">
-          <p id="unwanted_error_desc_override">&safeb.blocked.unwantedPage.errorDesc.override;</p>
-          <p id="unwanted_error_desc_no_override">&safeb.blocked.unwantedPage.errorDesc.noOverride;</p>
-          <p id="unwanted_learn_more">&safeb.blocked.unwantedPage.learnMore;</p>
-        </div>
-        <div class="error-description" id="errorLongDesc_harmful">
-          <p id="harmful_error_desc_override">&safeb.blocked.harmfulPage.errorDesc.override;</p>
-          <p id="harmful_error_desc_no_override">&safeb.blocked.harmfulPage.errorDesc.noOverride;</p>
-          <p id="harmful_learn_more">&safeb.blocked.harmfulPage.learnMore;</p>
-        </div>
-      </div>
-    </div>
-    <!--
-    - Note: It is important to run the script this way, instead of using
-    - an onload handler. This is because error pages are loaded as
-    - LOAD_BACKGROUND, which means that onload handlers will not be executed.
-    -->
-    <script type="application/javascript">
-      initPage();
-    </script>
-  </body>
-</html>
+  // Set sitename in error details.
+  let sitenameElem = document.getElementById(error + "_sitename");
+  sitenameElem.setAttribute("class", "sitename");
+  sitenameElem.textContent = getHostString();
+
+  document.title = document.getElementById("errorTitleText_" + error).textContent;
+
+  // Inform the test harness that we're done loading the page.
+  var event = new CustomEvent("AboutBlockedLoaded",
+    {
+      bubbles: true,
+      detail: {
+        url: this.getURL(),
+        err: error
+      }
+    });
+  document.dispatchEvent(event);
+}
+
+let seeDetailsButton = document.getElementById("seeDetailsButton");
+seeDetailsButton.addEventListener("click", onClickSeeDetails);
+// Note: It is important to run the script this way, instead of using
+// an onload handler. This is because error pages are loaded as
+// LOAD_BACKGROUND, which means that onload handlers will not be executed.
+initPage();
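Review bot: `getErrorCode()`, `getURL()` and `getOverride()` match their parameters with unanchored regexes over the whole of `document.documentURI`, so `/e\=/` and `/&o=1&/` are reliable only if whatever builds the about:blocked URL percent-encodes the `u=` value. That builder is not in this diff, and the override flag decides which risk text is shown, so I would record the assumption beside the format comment at the top of the file: `// The u= value must be percent-encoded by the caller; the regexes below match anywhere in the URI.` Separately, `url: this.getURL(),` in `initPage()` relies on sloppy-mode `this` being the window now that the code is a standalone script. `url: getURL(),` would avoid a throw after the DOM has already been trimmed, should the file ever be made strict.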
--- a/browser/base/content/blockedSite.xhtml
+++ b/browser/base/content/blockedSite.xhtml
@@ -12,171 +12,20 @@
 ]>
 
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
   <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
     <link rel="stylesheet" href="chrome://browser/skin/blockedSite.css" type="text/css" media="all" />
     <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/>
-
-    <script type="application/javascript"><![CDATA[
-      // Error url MUST be formatted like this:
-      //   about:blocked?e=error_code&u=url(&o=1)?
-      //     (o=1 when user overrides are allowed)
-
-      // Note that this file uses document.documentURI to get
-      // the URL (with the format from above). This is because
-      // document.location.href gets the current URI off the docshell,
-      // which is the URL displayed in the location bar, i.e.
-      // the URI that the user attempted to load.
-
-      function getErrorCode() {
-        var url = document.documentURI;
-        var error = url.search(/e\=/);
-        var duffUrl = url.search(/\&u\=/);
-        return decodeURIComponent(url.slice(error + 2, duffUrl));
-      }
-
-      function getURL() {
-        var url = document.documentURI;
-        var match = url.match(/&u=([^&]+)&/);
-
-        // match == null if not found; if so, return an empty string
-        // instead of what would turn out to be portions of the URI
-        if (!match)
-          return "";
-
-        url = decodeURIComponent(match[1]);
-
-        // If this is a view-source page, then get then real URI of the page
-        if (url.startsWith("view-source:"))
-          url = url.slice(12);
-        return url;
-      }
-
-      /**
-       * Check whether this warning page is overridable or not, in which case
-       * the "ignore the risk" suggestion in the error description
-       * should not be shown.
-       */
-      function getOverride() {
-        var url = document.documentURI;
-        var match = url.match(/&o=1&/);
-        return !!match;
-      }
-
-      /**
-       * Attempt to get the hostname via document.location.  Fail back
-       * to getURL so that we always return something meaningful.
-       */
-      function getHostString() {
-        try {
-          return document.location.hostname;
-        } catch (e) {
-          return getURL();
-        }
-      }
-
-      function onClickSeeDetails() {
-        let details = document.getElementById("errorDescriptionContainer");
-        if (details.hidden) {
-          details.removeAttribute("hidden");
-        } else {
-          details.setAttribute("hidden", "true");
-        }
-      }
-
-      function initPage() {
-        var error = "";
-        switch (getErrorCode()) {
-          case "malwareBlocked" :
-            error = "malware";
-            break;
-          case "deceptiveBlocked" :
-            error = "phishing";
-            break;
-          case "unwantedBlocked" :
-            error = "unwanted";
-            break;
-          case "harmfulBlocked" :
-            error = "harmful";
-            break;
-          default:
-            return;
-        }
-
-        var el;
-
-        if (error !== "malware") {
-          el = document.getElementById("errorTitleText_malware");
-          el.remove();
-          el = document.getElementById("errorShortDescText_malware");
-          el.remove();
-          el = document.getElementById("errorLongDesc_malware");
-          el.remove();
-        }
-
-        if (error !== "phishing") {
-          el = document.getElementById("errorTitleText_phishing");
-          el.remove();
-          el = document.getElementById("errorShortDescText_phishing");
-          el.remove();
-          el = document.getElementById("errorLongDesc_phishing");
-          el.remove();
-        }
-
-        if (error !== "unwanted") {
-          el = document.getElementById("errorTitleText_unwanted");
-          el.remove();
-          el = document.getElementById("errorShortDescText_unwanted");
-          el.remove();
-          el = document.getElementById("errorLongDesc_unwanted");
-          el.remove();
-        }
-
-        if (error !== "harmful") {
-          el = document.getElementById("errorTitleText_harmful");
-          el.remove();
-          el = document.getElementById("errorShortDescText_harmful");
-          el.remove();
-          el = document.getElementById("errorLongDesc_harmful");
-          el.remove();
-        }
-
-        // Decide which version of the string should be visible in the error description.
-        if (getOverride()) {
-          document.getElementById(error + "_error_desc_no_override").remove();
-        } else {
-          document.getElementById(error + "_error_desc_override").remove();
-        }
-
-        // Set sitename in error details.
-        let sitenameElem = document.getElementById(error + "_sitename");
-        sitenameElem.setAttribute("class", "sitename");
-        sitenameElem.textContent = getHostString();
-
-        document.title = document.getElementById("errorTitleText_" + error).textContent;
-
-        // Inform the test harness that we're done loading the page.
-        var event = new CustomEvent("AboutBlockedLoaded",
-          {
-            bubbles: true,
-            detail: {
-              url: this.getURL(),
-              err: error
-            }
-          });
-        document.dispatchEvent(event);
-      }
-    ]]></script>
   </head>
-
   <body dir="&locale.dir;">
     <div id="errorPageContainer" class="container">
 
       <!-- Error Title -->
       <div id="errorTitle" class="title">
         <h1 class="title-text" id="errorTitleText_phishing">&safeb.blocked.phishingPage.title3;</h1>
         <h1 class="title-text" id="errorTitleText_malware">&safeb.blocked.malwarePage.title2;</h1>
         <h1 class="title-text" id="errorTitleText_unwanted">&safeb.blocked.unwantedPage.title2;</h1>
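Review bot: The new `<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />` has no comment saying why it is there or that it must stay ahead of the `<link>` elements, since a meta-delivered policy only governs content that follows it. With this policy, any inline `<script>` or `on*` attribute added later will be blocked, and if that script is what drives `initPage()` the page could be left showing all four warning variants. I would add `<!-- CSP: default-src chrome: blocks inline script and on* handlers; keep this first in <head> and put page logic in blockedSite.js -->` directly above the meta element.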
@@ -197,17 +46,17 @@
         <div id="advisoryDesc">
           <p id="advisoryDescText">&safeb.palm.advisory.desc2;</p>
         </div>
 
         <!-- Action buttons -->
         <div id="buttons" class="button-container">
           <!-- Commands handled in browser.js -->
           <button id="goBackButton">&safeb.palm.accept.label2;</button>
-          <button id="seeDetailsButton" onclick="onClickSeeDetails();">&safeb.palm.seedetails.label;</button>
+          <button id="seeDetailsButton">&safeb.palm.seedetails.label;</button>
         </div>
       </div>
       <div id="errorDescriptionContainer" hidden="true">
         <div class="error-description" id="errorLongDesc_phishing">
           <p id="phishing_error_desc_override">&safeb.blocked.phishingPage.errorDesc.override;</p>
           <p id="phishing_error_desc_no_override">&safeb.blocked.phishingPage.errorDesc.noOverride;</p>
           <p id="phishing_learn_more">&safeb.blocked.phishingPage.learnMore;</p>
         </div>
@@ -223,18 +72,11 @@
         </div>
         <div class="error-description" id="errorLongDesc_harmful">
           <p id="harmful_error_desc_override">&safeb.blocked.harmfulPage.errorDesc.override;</p>
           <p id="harmful_error_desc_no_override">&safeb.blocked.harmfulPage.errorDesc.noOverride;</p>
           <p id="harmful_learn_more">&safeb.blocked.harmfulPage.learnMore;</p>
         </div>
       </div>
     </div>
-    <!--
-    - Note: It is important to run the script this way, instead of using
-    - an onload handler. This is because error pages are loaded as
-    - LOAD_BACKGROUND, which means that onload handlers will not be executed.
-    -->
-    <script type="application/javascript">
-      initPage();
-    </script>
   </body>
+  <script type="application/javascript" src="chrome://browser/content/blockedSite.js"/>
 </html>
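Review bot: The added `<script type="application/javascript" src="chrome://browser/content/blockedSite.js"/>` sits after `</body>` as a direct child of `<html>`, which is outside the XHTML content model even though the XML parser presumably still runs it. blockedSite.js calls `document.getElementById("seeDetailsButton")` and `initPage()` at top level, so it does have to come after the markup; moving the line to just before `</body>` keeps that ordering. The LOAD_BACKGROUND explanation now lives only in the .js file, so a short pointer here such as `<!-- Must load after the markup; see blockedSite.js -->` would tell the next editor not to move it into `<head>`.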
--- a/browser/base/jar.mn
+++ b/browser/base/jar.mn
@@ -107,15 +107,16 @@ browser.jar:
 #ifndef XP_MACOSX
 *       content/browser/webrtcIndicator.xul           (content/webrtcIndicator.xul)
         content/browser/webrtcIndicator.js            (content/webrtcIndicator.js)
 #endif
 # the following files are browser-specific overrides
 *       content/browser/license.html                  (/toolkit/content/license.html)
 % override chrome://global/content/license.html chrome://browser/content/license.html
         content/browser/blockedSite.xhtml               (content/blockedSite.xhtml)
+        content/browser/blockedSite.js                  (content/blockedSite.js)
 
 % override chrome://global/content/netError.xhtml chrome://browser/content/aboutNetError.xhtml
 
 # L10n resources and overrides.
 % override chrome://global/locale/appstrings.properties chrome://browser/locale/appstrings.properties
 % override chrome://global/locale/netError.dtd chrome://browser/locale/netError.dtd
 % override chrome://mozapps/locale/downloads/settingsChange.dtd chrome://browser/locale/downloads/settingsChange.dtd
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2507,17 +2507,17 @@ pref("security.dialog_enable_delay", 100
 pref("security.notification_enable_delay", 500);
 
 pref("security.csp.enable", true);
 pref("security.csp.experimentalEnabled", false);
 pref("security.csp.enableStrictDynamic", true);
 
 #if defined(DEBUG) && !defined(ANDROID)
 // about:welcome has been added until Bug 1448359 is fixed at which time home, newtab, and welcome will all be removed.
-pref("csp.content_privileged_about_uris_without_csp", "blank,blocked,home,newtab,printpreview,srcdoc,welcome");
+pref("csp.content_privileged_about_uris_without_csp", "blank,home,newtab,printpreview,srcdoc,welcome");
 #endif
 
 #ifdef NIGHTLY_BUILD
 pref("security.csp.enable_violation_events", true);
 #else
 pref("security.csp.enable_violation_events", false);
 #endif