Bug 1453933 - Meta CSP applied to content privileged about:rights. r=Gijs, r=ckerschb
authorvinoth <cegvinoth@gmail.com>
Thu, 19 Apr 2018 13:40:24 -0400
changeset 468112 ba3c6122001c3089c1f2429c9f31a34240ca1812
parent 468111 99ec19154f8ae42c178030c0581551c7c46d230c
child 468113 a825a8cf259a4fd149fdb41cdee8844e03cb6670
push id9165
push userasasaki@mozilla.com
push dateThu, 26 Apr 2018 21:04:54 +0000
treeherdermozilla-beta@064c3804de2e [default view] [failures only]
reviewersGijs, ckerschb
bugs1453933
milestone61.0a1
Bug 1453933 - Meta CSP applied to content privileged about:rights. r=Gijs, r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D940
modules/libpref/init/all.js
toolkit/content/aboutRights-unbranded.xhtml
toolkit/content/aboutRights.js
toolkit/content/aboutRights.xhtml
toolkit/content/jar.mn
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2452,17 +2452,17 @@ pref("security.directory",              
 pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);
 
 pref("security.csp.enable", true);
 pref("security.csp.experimentalEnabled", false);
 pref("security.csp.enableStrictDynamic", true);
 
 #if defined(DEBUG) && !defined(ANDROID)
-pref("csp.content_privileged_about_uris_without_csp", "blank,cache,certerror,checkerboard,credits,home,logo,neterror,newtab,printpreview,rights,srcdoc,studies");
+pref("csp.content_privileged_about_uris_without_csp", "blank,cache,certerror,checkerboard,credits,home,logo,neterror,newtab,printpreview,srcdoc,studies");
 #endif
 
 #ifdef NIGHTLY_BUILD
 pref("security.csp.enable_violation_events", true);
 #else
 pref("security.csp.enable_violation_events", false);
 #endif
 
--- a/toolkit/content/aboutRights-unbranded.xhtml
+++ b/toolkit/content/aboutRights-unbranded.xhtml
@@ -10,51 +10,44 @@
 
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <html xmlns="http://www.w3.org/1999/xhtml">
 
 <head>
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
   <title>&rights.title;</title>
   <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css"/>
 </head>
 
 <body id="your-rights" dir="&rights.locale-direction;" class="aboutPageWideContainer">
 <div class="container">
   <h1>&rights.title;</h1>
 
   <p>&rights.intro;</p>
 
   <ul>
     <li>&rights.intro-point1a;<a href="http://www.mozilla.org/MPL/">&rights.intro-point1b;</a>&rights.intro-point1c;</li>
   <!-- Point 2 discusses Mozilla trademarks, and isn't needed when the build is unbranded.
     - Point 3 discusses privacy policy, unbranded builds get a placeholder (for the vendor to replace)
     - Point 4 discusses web service terms, unbranded builds gets a placeholder (for the vendor to replace) -->
     <li>&rights.intro-point3-unbranded;</li>
-    <li>&rights.intro-point4a-unbranded;<a href="about:rights#webservices" onclick="showServices();">&rights.intro-point4b-unbranded;</a>&rights.intro-point4c-unbranded;</li>
+    <li>&rights.intro-point4a-unbranded;<a href="about:rights#webservices" id="showWebServices">&rights.intro-point4b-unbranded;</a>&rights.intro-point4c-unbranded;</li>
   </ul>
 
   <div id="webservices-container">
     <a name="webservices"/>
     <h3>&rights2.webservices-header;</h3>
 
     <p>&rights.webservices-unbranded;</p>
 
     <ol>
   <!-- Terms only apply to official builds, unbranded builds get a placeholder. -->
       <li>&rights.webservices-term1-unbranded;</li>
     </ol>
   </div>
 </div>
 
-<script type="application/javascript"><![CDATA[
-  var servicesDiv = document.getElementById("webservices-container");
-  servicesDiv.style.display = "none";
-
-  function showServices() {
-    servicesDiv.style.display = "";
-  }
-]]></script>
-
 </body>
+<script type="application/javascript" src="chrome://global/content/aboutRights.js"/>
 </html>
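Review bot: The external `<script>` is added after `</body>`, as a direct child of `<html>`, which is outside the XHTML content model and works only because the parser still runs it once the body has been built. Placing it as the last child of `<body>` keeps the same execution order (the script looks up `webservices-container` and `showWebServices` when it runs) and keeps the document valid: put `<script type="application/javascript" src="chrome://global/content/aboutRights.js"/>` immediately before `</body>`. The same placement appears in the last hunk of toolkit/content/aboutRights.xhtml.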
new file mode 100644
--- /dev/null
+++ b/toolkit/content/aboutRights.js
@@ -0,0 +1,20 @@
+var servicesDiv = document.getElementById("webservices-container");
+servicesDiv.style.display = "none";
+
+function showServices() {
+  servicesDiv.style.display = "";
+}
+let showWebServices = document.getElementById("showWebServices");
+showWebServices.addEventListener("click",showServices);
+
+var disablingServicesDiv = document.getElementById("disabling-webservices-container");
+
+function showDisablingServices() {
+  disablingServicesDiv.style.display = "";
+}
+
+if (disablingServicesDiv != null) {
+  disablingServicesDiv.style.display = "none";
+  let showDisablingWebServices = document.getElementById("showDisablingWebServices");
+  showDisablingWebServices.addEventListener("click",showDisablingServices);
+}
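Review bot: The new file has no license header and no comment saying why this logic lives in a separate chrome:// script. Both XHTML pages carry the MPL header, and the reason for the split is the `default-src chrome:` meta CSP, which does not allow inline `<script>` blocks or `onclick` attributes. A header comment such as `// Kept external: about:rights ships a meta CSP (default-src chrome:) that blocks inline script and on* handlers.` would keep a later edit from reintroducing an inline handler that the policy would block. A one-line comment on `if (disablingServicesDiv != null)` noting that the unbranded page has no `disabling-webservices-container` would also help, since the unguarded `showWebServices` lookup above it relies on both pages defining that id.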
--- a/toolkit/content/aboutRights.xhtml
+++ b/toolkit/content/aboutRights.xhtml
@@ -12,16 +12,17 @@
 
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <html xmlns="http://www.w3.org/1999/xhtml">
 
 <head>
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
   <title>&rights.title;</title>
   <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css"/>
   <link rel="stylesheet" href="chrome://global/skin/aboutRights.css" type="text/css"/>
 </head>
 
 <body id="your-rights" dir="&rights.locale-direction;">
 <div class="container">
   <div class="rights-header">
@@ -35,25 +36,25 @@
   <ul>
     <li>&rights.intro-point1a;<a href="http://www.mozilla.org/MPL/">&rights.intro-point1b;</a>&rights.intro-point1c;</li>
   <!-- Point 2 discusses Mozilla trademarks, and isn't needed when the build is unbranded.
     - Point 3 discusses privacy policy, unbranded builds get a placeholder (for the vendor to replace)
     - Point 4 discusses web service terms, unbranded builds gets a placeholder (for the vendor to replace) -->
     <li>&rights.intro-point2-a;<a href="http://www.mozilla.org/foundation/trademarks/policy.html">&rights.intro-point2-b;</a>&rights.intro-point2-c;</li>
     <li>&rights.intro-point2.5;</li>
     <li>&rights2.intro-point3a;<a href="https://www.mozilla.org/legal/privacy/firefox.html">&rights2.intro-point3b;</a>&rights.intro-point3c;</li>
-    <li>&rights2.intro-point4a;<a href="about:rights#webservices" onclick="showServices();">&rights.intro-point4b;</a>&rights.intro-point4c;</li>
+    <li>&rights2.intro-point4a;<a href="about:rights#webservices" id="showWebServices">&rights.intro-point4b;</a>&rights.intro-point4c;</li>
     <li>&rights.intro-point5;</li>
   </ul>
 
   <div id="webservices-container">
     <a name="webservices"/>
     <h3>&rights2.webservices-header;</h3>
 
-    <p>&rights2.webservices-a;<a href="about:rights#disabling-webservices" onclick="showDisablingServices();">&rights2.webservices-b;</a>&rights3.webservices-c;</p>
+    <p>&rights2.webservices-a;<a href="about:rights#disabling-webservices" id="showDisablingWebServices">&rights2.webservices-b;</a>&rights3.webservices-c;</p>
 
     <div id="disabling-webservices-container" style="margin-left:40px;">
       <a name="disabling-webservices"/>
       <p><strong>&rights.safebrowsing-a;</strong>&rights.safebrowsing-b;</p>
       <ul>
         <li>&rights.safebrowsing-term1;</li>
         <li>&rights.safebrowsing-term2;</li>
         <li>&rights2.safebrowsing-term3;</li>
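Review bot: The `style="margin-left:40px;"` attribute on `disabling-webservices-container` is left in place, and the `default-src chrome:` policy added in the head has no `style-src` that permits inline styles, so this attribute is expected to be blocked and the indent lost. The script's `element.style.display` assignments go through the CSSOM and are not affected, so only this markup attribute needs moving. Suggest dropping the attribute and adding `#disabling-webservices-container { margin-left: 40px; }` to chrome://global/skin/aboutRights.css, which the page already links (its contents are not visible here). The container's list continues past the end of this hunk.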
@@ -77,26 +78,11 @@
       <li><strong>&rights.webservices-term4;</strong></li>
       <li><strong>&rights.webservices-term5;</strong></li>
       <li>&rights.webservices-term6;</li>
       <li>&rights.webservices-term7;</li>
     </ol>
   </div>
 </div>
 
-<script type="application/javascript"><![CDATA[
-  var servicesDiv = document.getElementById("webservices-container");
-  servicesDiv.style.display = "none";
-
-  function showServices() {
-    servicesDiv.style.display = "";
-  }
-
-  var disablingServicesDiv = document.getElementById("disabling-webservices-container");
-  disablingServicesDiv.style.display = "none";
-
-  function showDisablingServices() {
-    disablingServicesDiv.style.display = "";
-  }
-]]></script>
-
 </body>
+<script type="application/javascript" src="chrome://global/content/aboutRights.js"/>
 </html>
--- a/toolkit/content/jar.mn
+++ b/toolkit/content/jar.mn
@@ -14,16 +14,17 @@ toolkit.jar:
    content/global/aboutRights.xhtml           (aboutRights-unbranded.xhtml)
 #endif
    content/global/aboutNetworking.js
    content/global/aboutNetworking.xhtml
 #ifndef ANDROID
    content/global/aboutProfiles.js
    content/global/aboutProfiles.xhtml
 #endif
+   content/global/aboutRights.js
    content/global/aboutServiceWorkers.js
    content/global/aboutServiceWorkers.xhtml
    content/global/aboutwebrtc/aboutWebrtc.css   (aboutwebrtc/aboutWebrtc.css)
    content/global/aboutwebrtc/aboutWebrtc.js    (aboutwebrtc/aboutWebrtc.js)
    content/global/aboutwebrtc/aboutWebrtc.html (aboutwebrtc/aboutWebrtc.html)
    content/global/aboutSupport.js
 *  content/global/aboutSupport.xhtml
    content/global/aboutTelemetry.js