Bug 1496524 - Port bug 1495983: add CSP to some about: pages. r=jorgk
authoraceman <acelists@atlas.sk>
Tue, 23 Oct 2018 16:54:00 +0200
changeset 33649 e55a387029ad1b912ca02255f7a981043eb517fb
parent 33648 cffa7cb63305e24e8a6c72717e457d6fdcb9298d
child 33650 5036ddd23dc36c9d642e771f5d4ee010060b84e2
push id388
push userclokep@gmail.com
push dateMon, 28 Jan 2019 20:54:56 +0000
reviewersjorgk
bugs1496524, 1495983
Bug 1496524 - Port bug 1495983: add CSP to some about: pages. r=jorgk
mail/app/profile/all-thunderbird.js
mail/base/content/aboutRights.xhtml
mail/themes/shared/mail/aboutNetError.css
mailnews/base/content/newsError.js
mailnews/base/content/newsError.xhtml
mailnews/jar.mn
suite/themes/modern/global/netError.css
--- a/mail/app/profile/all-thunderbird.js
+++ b/mail/app/profile/all-thunderbird.js
@@ -370,18 +370,19 @@ pref("network.protocol-handler.expose.ht
 // suppress external-load warning for standard browser schemes
 pref("network.protocol-handler.warn-external.http", false);
 pref("network.protocol-handler.warn-external.https", false);
 pref("network.protocol-handler.warn-external.ftp", false);
 
 pref("network.hosts.smtp_server",           "mail");
 pref("network.hosts.pop_server",            "mail");
 
-// Temporary fix for bug 1496524.
-pref("csp.skip_about_page_has_csp_assert", true);
+// Temporarily add 'preferences' and 'newserror' to the list of about: pages that do not have a CSP specified.
+// The list should be kept in sync with the one in m-c/modules/libpref/init/all.js. See bug 1495983.
+pref("csp.about_uris_without_csp", "preferences,newserror,blank,printpreview,srcdoc,about,addons,cache-entry,config,crashes,debugging,devtools,downloads,home,memory,networking,newtab,performance,plugins,policies,profiles,restartrequired,searchreset,serviceworkers,sessionrestore,support,sync-log,telemetry,url-classifier,webrtc,welcomeback");
 
 pref("security.warn_entering_secure", false);
 pref("security.warn_entering_weak", false);
 pref("security.warn_leaving_secure", false);
 pref("security.warn_viewing_mixed", false);
 
 pref("general.config.obscure_value", 0); // for MCD .cfg files
 
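Review bot: `newserror` is added to `csp.about_uris_without_csp` even though this same commit gives newsError.xhtml a `default-src chrome:` policy, so the exemption looks either unnecessary or undocumented — every name on this list disables the has-CSP assertion for that page. If the assertion still fires for about:newserror despite the meta tag (which cannot be confirmed from this diff), the comment should say why; otherwise drop `newserror` so the assertion keeps guarding the page. The pref also replaces the upstream default list wholesale, so any page m-c adds later will assert here until someone resyncs; a marker such as `// TODO(bug 1496524): remove this override once preferences/newserror ship a CSP and the m-c default list can be used again.` would make the temporary nature actionable.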
--- a/mail/base/content/aboutRights.xhtml
+++ b/mail/base/content/aboutRights.xhtml
@@ -9,16 +9,17 @@
 ]>
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 <html xmlns="http://www.w3.org/1999/xhtml">
 
 <head>
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:"/>
   <title>&rights.title;</title>
   <link rel="stylesheet" href="chrome://global/skin/about.css" type="text/css"/>
 </head>
 
 <body id="your-rights" dir="&rights.locale-direction;" class="aboutPageWideContainer">
 
 <h1>&rights.intro-header;</h1>
 
@@ -26,20 +27,20 @@
 
 <ul>
   <li>&rights.intro-point1a;<a href="https://www.mozilla.org/MPL/">&rights.intro-point1b;</a>&rights.intro-point1c;</li>
 #ifdef MOZ_OFFICIAL_BRANDING
 # Point 2 discusses Mozilla trademarks, and isn't needed when the build is unbranded.
 # Point 3 discusses privacy policy, unbranded builds get a placeholder (for the vendor to replace)
   <li>&rights.intro-point2a;<a href="https://www.mozilla.org/foundation/trademarks/policy.html">&rights.intro-point2b;</a>&rights.intro-point2c;</li>
   <li>&rights.intro-point3a;<a href="https://www.mozilla.org/legal/privacy/">&rights.intro-point3b;</a>&rights.intro-point3c;</li>
-  <li>&rights.intro-point4a;<a href="about:rights#webservices" onclick="showServices(event);">&rights.intro-point4b;</a>&rights.intro-point4c;</li>
+  <li>&rights.intro-point4a;<a href="about:rights#webservices" id="showWebServices">&rights.intro-point4b;</a>&rights.intro-point4c;</li>
 #else
   <li>&rights.intro-point3-unbranded;</li>
-  <li>&rights.intro-point4a-unbranded;<a href="about:rights#webservices" onclick="showServices(event);">&rights.intro-point4b-unbranded;</a>&rights.intro-point4c-unbranded;</li>
+  <li>&rights.intro-point4a-unbranded;<a href="about:rights#webservices" id="showWebServices">&rights.intro-point4b-unbranded;</a>&rights.intro-point4c-unbranded;</li>
 #endif
 </ul>
 
 <div id="webservices-container">
   <a name="webservices"/>
   <h3>&rights.webservices-header;</h3>
 
 #ifdef MOZ_OFFICIAL_BRANDING
@@ -58,20 +59,11 @@
     <li>&rights.webservices-term5;</li>
     <li>&rights.webservices-term6;</li>
 #else
     <li>&rights.webservices-term1-unbranded;</li>
 #endif
   </ol>
 </div>
 
-<script type="application/javascript"><![CDATA[
-  var servicesDiv = document.getElementById("webservices-container");
-  servicesDiv.style.display = "none";
-
-  function showServices(event) {
-    servicesDiv.style.display = "";
-    event.preventDefault();
-  }
-]]></script>
-
+  <script type="application/javascript" src="chrome://global/content/aboutRights.js"/>
 </body>
 </html>
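Review bot: The hide/show behaviour for `#webservices-container` now lives in toolkit's `chrome://global/content/aboutRights.js`, which presumably looks up `showWebServices` and `webservices-container` by id; that is an implicit contract with a file outside this repository and nothing in the page records it. Suggest a comment next to the script tag: `<!-- Shared toolkit script: expects #showWebServices (link) and #webservices-container; keep these ids in sync with toolkit's aboutRights.xhtml. -->`. Minor style point: the new `<script>` line is indented two spaces while the other direct children of `<body>` in this file sit at column 0.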
--- a/mail/themes/shared/mail/aboutNetError.css
+++ b/mail/themes/shared/mail/aboutNetError.css
@@ -105,16 +105,17 @@ button:disabled {
   padding-top: 10px;
 }
 
 #securityOverrideContent {
   background-color: InfoBackground;
   color: InfoText;
   padding: 10px;
   border: 1px solid #c1c1c1;
+  display: none;
 }
 
 /* Custom styling for 'blacklist' error class */
 :root.blacklist {
   color: white;
   background-color: #722;
 }
 
copy from mailnews/base/content/newsError.xhtml
copy to mailnews/base/content/newsError.js
--- a/mailnews/base/content/newsError.xhtml
+++ b/mailnews/base/content/newsError.js
@@ -1,43 +1,14 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
-   - License, v. 2.0. If a copy of the MPL was not distributed with this
-   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
-<!DOCTYPE html [
-  <!ENTITY % htmlDTD
-    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-    "DTD/xhtml1-strict.dtd">
-  %htmlDTD;
-  <!ENTITY % netErrorDTD
-    SYSTEM "chrome://messenger/locale/newsError.dtd">
-  %netErrorDTD;
-  <!ENTITY % globalDTD
-    SYSTEM "chrome://global/locale/global.dtd">
-  %globalDTD;
-]>
-
-<html xmlns="http://www.w3.org/1999/xhtml">
-  <head>
-    <title>&newsError.title;</title>
-    <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
-    <!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
-         toolkit/components/places/src/nsFaviconService.h should be updated. -->
-    <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/warning.svg"/>
-    <script type="application/javascript"><![CDATA[
       // Error url must be formatted like this:
       //   about:newserror?r=response&m=messageid&k=messagekey&f=folderuri
       // "r" is required; "m" and "f" are optional, but "k" always comes with "m".
 
       var folderUri;
 
-      function removeExpired() {
-        document.location.href = folderUri + "?list-ids";
-      }
 
       function initPage() {
         let uri = document.documentURI;
         let query = uri.slice(uri.indexOf("?")+1);
         let params = {};
         for (let piece of query.split("&")) {
           let [key, value] = piece.split("=");
           params[key] = decodeURIComponent(value);
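Review bot: The query parser at `let [key, value] = piece.split("=")` keeps only the text before the first `=`, so a value that itself contains `=` (a Message-ID in `m` legitimately can) is silently truncated, and a key with no value passes `undefined` to `decodeURIComponent`, storing the string `"undefined"`. Keeping everything after the first separator fixes both: `let [key, ...rest] = piece.split("=");` followed by `params[key] = decodeURIComponent(rest.join("="));`. Note that `decodeURIComponent` still throws `URIError` on a malformed percent-escape, which would abort `initPage` before the `f`-less case hides `errorTryAgain`; wrapping the decode in a try/catch would make the error page robust to a bad URL. `initPage` continues past the end of this hunk.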
@@ -53,36 +24,22 @@
         }
 
         if ("f" in params) {
           folderUri = params.f;
         } else {
           document.getElementById("errorTryAgain").hidden = true;
         }
       }
-    ]]></script>
-  </head>
+
+      function removeExpired() {
+        document.location.href = folderUri + "?list-ids";
+      }
 
-  <body dir="&locale.dir;">
-    <div id="errorPageContainer">
-      <div id="errorTitle">
-        <h1 id="errorTitleText">&articleNotFound.title;</h1>
-      </div>
-      <div id="errorLongContent">
-        <div id="errorShortDesc">
-          <p id="errorShortDescText"><b>&articleNotFound.desc;</b></p>
-        </div>
-        <div id="errorLongDesc">
-          <ul>
-            <li>&serverResponded.title; <span id="ngResp"/></li>
-            <li>&articleExpired.title;</li>
-            <li id="messageIdDesc">&trySearching.title; &lt;<span id="msgId"/>&gt; (<span id="msgKey"/>)</li>
-          </ul>
-        </div>
-      </div>
-      <!-- This button really means "remove all expired articles", but we use
-           the "errorTryAgain" id to piggyback on toolkit's CSS. -->
-      <button id="errorTryAgain"
-              onclick="removeExpired();">&removeExpiredArticles.title;</button>
-    </div>
-    <script type="application/javascript">initPage();</script>
-  </body>
-</html>
+      let errorTryAgain = document.getElementById("errorTryAgain");
+      errorTryAgain.addEventListener("click", function() {
+        removeExpired();
+      });
+
+      // This must be called in this way,
+      // see mozilla-central/docshell/resources/content/netError.js after which
+      // this is modelled.
+      initPage();
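Review bot: `removeExpired` navigates the document to `folderUri`, which is taken verbatim from the `f` query parameter of about:newserror, and nothing restricts it to a news folder URI; any code or link able to construct an about:newserror URL can therefore steer this page to an arbitrary target. A scheme check before the navigation closes that off, e.g. `if (!folderUri || !folderUri.startsWith("news://")) { return; }` — the exact folder-URI scheme should be confirmed against the code that builds these error URLs. The click wiring can also bind the handler directly, `errorTryAgain.addEventListener("click", removeExpired);`, instead of wrapping it in an anonymous function.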
--- a/mailnews/base/content/newsError.xhtml
+++ b/mailnews/base/content/newsError.xhtml
@@ -13,57 +13,22 @@
   %netErrorDTD;
   <!ENTITY % globalDTD
     SYSTEM "chrome://global/locale/global.dtd">
   %globalDTD;
 ]>
 
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:"/>
     <title>&newsError.title;</title>
     <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
     <!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
          toolkit/components/places/src/nsFaviconService.h should be updated. -->
     <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/warning.svg"/>
-    <script type="application/javascript"><![CDATA[
-      // Error url must be formatted like this:
-      //   about:newserror?r=response&m=messageid&k=messagekey&f=folderuri
-      // "r" is required; "m" and "f" are optional, but "k" always comes with "m".
-
-      var folderUri;
-
-      function removeExpired() {
-        document.location.href = folderUri + "?list-ids";
-      }
-
-      function initPage() {
-        let uri = document.documentURI;
-        let query = uri.slice(uri.indexOf("?")+1);
-        let params = {};
-        for (let piece of query.split("&")) {
-          let [key, value] = piece.split("=");
-          params[key] = decodeURIComponent(value);
-        }
-
-        document.getElementById("ngResp").textContent = params.r;
-
-        if ("m" in params) {
-          document.getElementById("msgId").textContent = params.m;
-          document.getElementById("msgKey").textContent = params.k;
-        } else {
-          document.getElementById("messageIdDesc").hidden = true;
-        }
-
-        if ("f" in params) {
-          folderUri = params.f;
-        } else {
-          document.getElementById("errorTryAgain").hidden = true;
-        }
-      }
-    ]]></script>
   </head>
 
   <body dir="&locale.dir;">
     <div id="errorPageContainer">
       <div id="errorTitle">
         <h1 id="errorTitleText">&articleNotFound.title;</h1>
       </div>
       <div id="errorLongContent">
@@ -75,14 +40,13 @@
             <li>&serverResponded.title; <span id="ngResp"/></li>
             <li>&articleExpired.title;</li>
             <li id="messageIdDesc">&trySearching.title; &lt;<span id="msgId"/>&gt; (<span id="msgKey"/>)</li>
           </ul>
         </div>
       </div>
       <!-- This button really means "remove all expired articles", but we use
            the "errorTryAgain" id to piggyback on toolkit's CSS. -->
-      <button id="errorTryAgain"
-              onclick="removeExpired();">&removeExpiredArticles.title;</button>
+      <button id="errorTryAgain">&removeExpiredArticles.title;</button>
     </div>
-    <script type="application/javascript">initPage();</script>
+    <script type="application/javascript" src="chrome://messenger/content/newsError.js"/>
   </body>
 </html>
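Review bot: The externalised `newsError.js` calls `initPage()` synchronously at top level and looks up `errorTryAgain`, `ngResp`, `msgId` and `msgKey`, so it only works because the `<script>` sits after that markup at the end of `<body>`; that ordering dependency is not stated anywhere. Suggest a comment above the script tag: `<!-- Keep this after the page content: newsError.js runs initPage() synchronously and expects the elements above to exist. -->`. If the script were ever moved into `<head>` it would need `defer` or a load listener instead.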
--- a/mailnews/jar.mn
+++ b/mailnews/jar.mn
@@ -123,13 +123,14 @@ messenger.jar:
     content/messenger/downloadheaders.js                                       (news/content/downloadheaders.js)
     content/messenger/downloadheaders.xul                                      (news/content/downloadheaders.xul)
     content/messenger/markByDate.js                                            (base/content/markByDate.js)
     content/messenger/markByDate.xul                                           (base/content/markByDate.xul)
     content/messenger/dateFormat.js                                            (base/content/dateFormat.js)
     content/messenger/shutdownWindow.xul                                       (base/content/shutdownWindow.xul)
     content/messenger/shutdownWindow.js                                        (base/content/shutdownWindow.js)
     content/messenger/newsError.xhtml                                          (base/content/newsError.xhtml)
+    content/messenger/newsError.js                                             (base/content/newsError.js)
 #ifndef XP_MACOSX
     content/messenger/newmailalert.css                                         (base/content/newmailalert.css)
     content/messenger/newmailalert.js                                          (base/content/newmailalert.js)
     content/messenger/newmailalert.xul                                         (base/content/newmailalert.xul)
 #endif
--- a/suite/themes/modern/global/netError.css
+++ b/suite/themes/modern/global/netError.css
@@ -117,16 +117,17 @@ ul {
   padding-top: 10px;
 }
 
 #securityOverrideContent {
   background-color: #FFFFE7;
   color: #000000;
   padding: 10px;
   border-radius: 10px;
+  display: none;
 }
 
 /* Custom styling for 'blacklist' error class */
 :root.blacklist #errorPageContainer {
   background-image: url("chrome://global/skin/icons/blacklist_large.png");
   background-color: #772222;
   color: #FFFFFF;
 }