Bug 1442840, r=ckerschb,a=jcristau
☠☠ backed out by 357a7ece1bc2 ☠ ☠
authorGijs Kruitbosch <gijskruitbosch@gmail.com>
Thu, 08 Mar 2018 20:46:13 +0000
changeset 462827 72465600d1f27690cbf3a73bacba075d88cf97ef
parent 462826 f1238ac69cfd801abc49b7b0db7ef9a6ee48ecdd
child 462828 090520707f4da8ebdca18bd71ade9306851b1677
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
treeherdermozilla-release@5af6cb21869d [default view] [failures only]
reviewersckerschb, jcristau
bugs1442840
milestone60.0
Bug 1442840, r=ckerschb,a=jcristau
devtools/client/jsonview/converter-child.js
--- a/devtools/client/jsonview/converter-child.js
+++ b/devtools/client/jsonview/converter-child.js
@@ -77,32 +77,37 @@ Converter.prototype = {
   },
 
   onStartRequest: function (request, context) {
     // Set the content type to HTML in order to parse the doctype, styles
     // and scripts. The JSON will be manually inserted as text.
     request.QueryInterface(Ci.nsIChannel);
     request.contentType = "text/html";
 
+    // Enforce strict CSP:
+    try {
+      request.QueryInterface(Ci.nsIHttpChannel);
+      request.setResponseHeader("Content-Security-Policy",
+        "default-src 'none' ; script-src resource:; ", false);
+    } catch (ex) {
+      // If this is not an HTTP channel we can't and won't do anything.
+    }
+
     // Don't honor the charset parameter and use UTF-8 (see bug 741776).
     request.contentCharset = "UTF-8";
     this.decoder = new TextDecoder("UTF-8");
 
     // Changing the content type breaks saving functionality. Fix it.
     fixSave(request);
 
     // Because content might still have a reference to this window,
     // force setting it to a null principal to avoid it being same-
     // origin with (other) content.
     request.loadInfo.resetPrincipalToInheritToNullPrincipal();
 
-    // Because the JSON might be served with a CSP, we instrument
-    // the loadinfo so the Document can discard such a CSP.
-    request.loadInfo.allowDocumentToBeAgnosticToCSP = true;
-
     // Start the request.
     this.listener.onStartRequest(request, context);
 
     // Initialize stuff.
     let win = NetworkHelper.getWindowForRequest(request);
     this.data = exportData(win, request);
     insertJsonData(win, this.data.json);
     win.addEventListener("contentMessage", onContentMessage, false, true);
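Review bot: The empty `catch (ex)` around the new CSP block swallows more than the non-HTTP case its comment describes: a throw from `setResponseHeader` on a real HTTP channel is also ignored. Because this commit also removes `allowDocumentToBeAgnosticToCSP`, the viewer would then presumably load under whatever policy the server sent rather than the strict one, i.e. it fails open. Splitting the interface test from the header write, e.g. `if (request instanceof Ci.nsIHttpChannel) { request.setResponseHeader("Content-Security-Policy", "default-src 'none' ; script-src resource:; ", false); }`, would let a header failure propagate while still skipping other channel types. I would also extend the comment to state that non-HTTP loads get no policy at all and rely only on the null-principal reset further down, for example `// Non-HTTP channels get no CSP here; isolation relies on the null principal set below.` The body of `onStartRequest` continues past the end of this hunk.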