dom/base/test/chrome.ini
author Kris Maglione <maglione.k@gmail.com>
Wed, 24 Jan 2018 14:56:48 -0800
changeset 454546 64737c752ac4af4766ad6f82720818521f3aca24
parent 444438 e73ab24a3204663b97f568820e043e466084a116
child 479207 4d4e6978b9f7ad385a1c8a2c176c052928916a78
permissions -rw-r--r--
Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs a=jcristau

This is a short-term solution to our inability to apply CSP to chrome-privileged documents.

Ideally, we should be preventing all inline script execution in chrome-privileged documents, since the repercussions of XSS in chrome documents are much worse than in content documents. Unfortunately, that's not possible in the near term because a) we don't support CSP in system principal documents at all, and b) we rely heavily on inline JS in our static XUL.

This stop-gap solution at least prevents some of the most common vectors of XSS attack, by automatically sanitizing any HTML fragment created for a chrome-privileged document.

MozReview-Commit-ID: 5w17celRFr

[DEFAULT]
skip-if = os == 'android'
support-files =
  file_empty.html
  file_blocking_image.html
  file_bug945152.jar
  file_bug945152_worker.js
  file_bug1008126_worker.js
  file_inline_script.html
  file_inline_script.xhtml
  file_external_script.html
  file_external_script.xhtml
  file_script.js
  mozbrowser_api_utils.js
  !/image/test/mochitest/shaver.png

[test_anonymousContent_xul_window.xul]
[test_blockParsing.html]
[test_blocking_image.html]
[test_bug715041.xul]
[test_bug715041_removal.xul]
[test_bug945152.html]
[test_bug1008126.html]
[test_bug1016960.html]
[test_copypaste.xul]
subsuite = clipboard
[test_domrequesthelper.xul]
[test_fragment_sanitization.xul]
[test_messagemanager_principal.html]
[test_messagemanager_send_principal.html]
skip-if = buildapp == 'mulet'
[test_mozbrowser_apis_allowed.html]
[test_navigator_resolve_identity_xrays.xul]
support-files = file_navigator_resolve_identity_xrays.xul
[test_sandboxed_blob_uri.html]
[test_sendQueryContentAndSelectionSetEvent.html]
[test_urgent_start.html]