CSP in CPP: Remove unused strings from csp.properties

RESOLVED FIXED in mozilla35

(Reporter: ckerschb, Assigned: ckerschb)

Once the new CSP implementation is landed, we should remove unused strings from http://mxr.mozilla.org/mozilla-central/source/dom/locales/en-US/chrome/security/csp.properties
Depends on: 994782
Actually, we can't remove the strings until the old implementation is removed.  The blocking relationship here is right.  Adding the CSP metabug for tracking.
Blocks: CSP
Removing all strings that are currently unused in CSP. Sid, you are familiar with the old implementation of CSP. If you think we shouldn't delete all of those unused strings, but rather should update the new CSP implementation to use some of those strings, let me know.
Attachment #8472798 - Flags: review?(sstamm)
Comment on attachment 8472798
bug_1000945_remove_string_from_csp_properties.patch

Review of attachment 8472798:
-----------------------------------------------------------------

Also see /dom/locales/en-US/chrome/security/security.properties to remove the unused strings there.

Please re-flag me for another round.

::: dom/locales/en-US/chrome/security/csp.properties
@@ -33,5 @@
>  # %1$S is the option that could not be understood
>  ignoringUnknownOption = Ignoring unknown option %1$S
> -# LOCALIZATION NOTE (reportURInotHttpsOrHttp2):
> -# %1$S is the ETLD of the report URI that is not HTTP or HTTPS
> -reportURInotHttpsOrHttp2 = The report URI (%1$S) should be an HTTP or HTTPS URI.
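
Review bot: the @@ -33,5 hunk deletes reportURInotHttpsOrHttp2 and its LOCALIZATION NOTE, the string that warns when a report URI is not HTTP or HTTPS, without showing that the lookup side is gone too. Before landing, confirm nothing still requests this key by name, because a stale lookup only fails when that path actually runs. If the scheme warning is meant to come back, keep the entry and track the wiring separately so localizers do not have to translate it a second time.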

Hm.  We used to post warnings to the error console when the report URI was not safe:
http://mxr.mozilla.org/mozilla-release/source/content/base/src/CSPUtils.jsm#416

Do we want to keep the string around and add this back in?

@@ -60,5 @@
> -# inline style refers to CSS code that is embedded into the HTML document.
> -inlineStyleBlocked = An attempt to apply inline style sheets has been blocked
> -# LOCALIZATION NOTE (scriptFromStringBlocked):
> -# eval is a name and should not be localized.
> -scriptFromStringBlocked = An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
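
Review bot: the removed lines in the @@ -60,5 hunk start at the continuation comment "# inline style refers to CSS code ...", and the quoted lines do not show a "# LOCALIZATION NOTE (...)" header for inlineStyleBlocked like the one visible for scriptFromStringBlocked. Check that this header line is deleted in the same change so no orphaned note is left attached to the next entry, and confirm no remaining caller references inlineStyleBlocked or scriptFromStringBlocked before the keys are dropped.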

I think inlineScriptBlocked, inlineStyleBlocked and scriptFromStringBlocked are still relevant.  Problem is we never use them.

We probably should use them here-ish:
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPContext.cpp#858

Maybe keep the strings and file a follow-up bug?
Attachment #8472798 - Flags: review?(sstamm)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Depends on: 1070732
Depends on: 1070733
I filed two bugs, one for reporting non http/https reports and one for bringing back 'inlineStyleBlocked' and such; see dependency tree.
Attachment #8472798 - Attachment is obsolete: true
Attachment #8493162 - Flags: review?(sstamm)
Comment on attachment 8493162
bug_1000945_remove_string_from_csp_properties.patch

Review of attachment 8493162:
-----------------------------------------------------------------

looks good.
Attachment #8493162 - Flags: review?(sstamm) → review+
https://hg.mozilla.org/mozilla-central/rev/870358e0d0e4
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED