Bug 1497204: Apply Meta CSP to about:profiles. r=Gijs
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Mon, 01 Jul 2019 19:47:16 +0000
changeset 543672 2db482852bec317c0a2d270f178821095f4e3163
parent 543671 4f8400c7d8e57315fa2afb1636344c0dd7ffd2fd
child 543673 b43fac4ccd1dfd19f30d5d8ac74d0c622a9f1521
push id2131
push userffxbld-merge
push dateMon, 26 Aug 2019 18:30:20 +0000
reviewersGijs
bugs1497204
milestone69.0a1
Bug 1497204: Apply Meta CSP to about:profiles. r=Gijs Differential Revision: https://phabricator.services.mozilla.com/D36520
modules/libpref/init/all.js
toolkit/content/aboutProfiles.xhtml
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2507,17 +2507,17 @@ pref("font.blacklist.underline_offset", 
 
 pref("security.directory",              "");
 
 // security-sensitive dialogs should delay button enabling. In milliseconds.
 pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);
 
 #if defined(DEBUG) && !defined(ANDROID)
-pref("csp.about_uris_without_csp", "blank,printpreview,srcdoc,addons,cache-entry,config,debugging,devtools,downloads,home,newtab,plugins,profiles,preferences,restartrequired,serviceworkers,sessionrestore,support,sync-log,telemetry,url-classifier,welcomeback");
+pref("csp.about_uris_without_csp", "blank,printpreview,srcdoc,addons,cache-entry,config,debugging,devtools,downloads,home,newtab,plugins,preferences,restartrequired,serviceworkers,sessionrestore,support,sync-log,telemetry,url-classifier,welcomeback");
 // the following prefs are for testing purposes only.
 pref("csp.overrule_about_uris_without_csp_whitelist", false);
 pref("csp.skip_about_page_has_csp_assert", false);
 // assertion flag will be set to false after fixing Bug 1473549
 pref("security.allow_eval_with_system_principal", false);
 pref("security.uris_using_eval_with_system_principal", "autocomplete.xml,redux.js,react-redux.js,content-task.js,preferencesbindings.js,lodash.js,jszip.js,sinon-7.2.7.js,ajv-4.1.1.js,jsol.js");
 #endif
 
--- a/toolkit/content/aboutProfiles.xhtml
+++ b/toolkit/content/aboutProfiles.xhtml
@@ -3,16 +3,17 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 
 <!DOCTYPE html>
 
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
     <title data-l10n-id="profiles-title"></title>
     <link rel="icon" type="image/png" id="favicon" href="chrome://branding/content/icon32.png" />
     <link rel="stylesheet" href="chrome://mozapps/skin/aboutProfiles.css" type="text/css" />
     <script src="chrome://global/content/aboutProfiles.js" />
     <link rel="localization" href="branding/brand.ftl" />
     <link rel="localization" href="toolkit/about/aboutProfiles.ftl" />
 </head>
   <body id="body" class="wide-container">
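Review bot: The policy on the added `<meta http-equiv="Content-Security-Policy">` line is `default-src chrome:` alone, so `object-src` falls back to `chrome:` rather than being denied, and `base-uri` and `form-action` are not constrained because they do not inherit from `default-src`. For a privileged about: page I would tighten it to `content="default-src chrome:; object-src 'none'"`, and add a short comment above the tag saying that inline scripts, inline `style` attributes and `on*` handlers are now blocked, so new markup must load everything from `chrome:` URLs. The `<body>` continues outside the hunk, so whether the rest of the document or `aboutProfiles.js` still relies on inline styles or handlers cannot be checked from here. That is worth confirming with a debug build, since the `all.js` hunk removes `profiles` from `csp.about_uris_without_csp` only under `#if defined(DEBUG) && !defined(ANDROID)`.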