Bug 1000945: CSP in CPP: Remove unused strings from csp.properties
Status: RESOLVED FIXED (mozilla35)
Opened 11 years ago, closed 11 years ago
Categories: Core :: DOM: Security, defect
People: Reporter: ckerschb, Assigned: ckerschb
References: Blocks 1 open bug
Attachments: 1 file, 1 obsolete file (patch, 7.17 KB; geekboy: review+)
Once the new CSP implementation is landed, we should remove unused strings from
http://mxr.mozilla.org/mozilla-central/source/dom/locales/en-US/chrome/security/csp.properties
Comment 1 • 11 years ago
Actually, we can't remove the strings until the old implementation is removed. The blocking relationship here is right. Adding the CSP metabug for tracking.
Blocks: CSP
Comment 2 • 11 years ago (Assignee)
Removing all strings that are currently unused in CSP. Sid, you are familiar with the old implementation of CSP. If you think we shouldn't delete all of those unused strings, but rather should update the new CSP implementation to use some of those strings, let me know.
Attachment #8472798 - Flags: review?(sstamm)
Comment 3 • 11 years ago
Comment on attachment 8472798
bug_1000945_remove_string_from_csp_properties.patch
Review of attachment 8472798:
-----------------------------------------------------------------
Also see /dom/locales/en-US/chrome/security/security.properties to remove the unused strings there.
Please re-flag me for another round.
::: dom/locales/en-US/chrome/security/csp.properties
@@ -33,5 @@
> # %1$S is the option that could not be understood
> ignoringUnknownOption = Ignoring unknown option %1$S
> -# LOCALIZATION NOTE (reportURInotHttpsOrHttp2):
> -# %1$S is the ETLD of the report URI that is not HTTP or HTTPS
> -reportURInotHttpsOrHttp2 = The report URI (%1$S) should be an HTTP or HTTPS URI.
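Review bot: Before the reportURInotHttpsOrHttp2 entry goes, confirm that no code path still looks up that key, because this is the only message in the hunk for a report URI that is not HTTP or HTTPS. If the entry is kept or brought back, reconcile its LOCALIZATION NOTE with the message: the note calls %1$S the ETLD of the report URI, while the text prints it as "The report URI (%1$S)".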
Hm. We used to post warnings to the error console when the report URI was not safe:
http://mxr.mozilla.org/mozilla-release/source/content/base/src/CSPUtils.jsm#416
Do we want to keep the string around and add this back in?
@@ -60,5 @@
> -# inline style refers to CSS code that is embedded into the HTML document.
> -inlineStyleBlocked = An attempt to apply inline style sheets has been blocked
> -# LOCALIZATION NOTE (scriptFromStringBlocked):
> -# eval is a name and should not be localized.
> -scriptFromStringBlocked = An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
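Review bot: Confirm that nothing still references inlineStyleBlocked or scriptFromStringBlocked before deleting them, since these two entries are the messages for a blocked inline style sheet and a blocked eval-style call. If they are reintroduced later, carry the note that eval is a name and should not be localized along with scriptFromStringBlocked.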
I think inlineScriptBlocked, inlineStyleBlocked and scriptFromStringBlocked are still relevant. Problem is we never use them.
We probably should use them here-ish:
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPContext.cpp#858
Maybe keep the strings and file a follow-up bug?
Attachment #8472798 - Flags: review?(sstamm)
Updated • 11 years ago (Assignee)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Comment 4 • 11 years ago (Assignee)
I filed two bugs, one for reporting non http/https reports and one for bringing back 'inlineStyleBlocked' and such; see dependency tree.
Attachment #8472798 - Attachment is obsolete: true
Attachment #8493162 - Flags: review?(sstamm)
Comment 5 • 11 years ago
Comment on attachment 8493162
bug_1000945_remove_string_from_csp_properties.patch
Review of attachment 8493162:
-----------------------------------------------------------------
looks good.
Attachment #8493162 - Flags: review?(sstamm) → review+
Comment 6 • 11 years ago (Assignee)
Target Milestone: --- → mozilla35
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED