Closed Bug 1000945 Opened 8 years ago Closed 7 years ago

CSP in CPP: Remove unused strings from


(Core :: DOM: Security, defect)

(Reporter: ckerschb, Assigned: ckerschb)


(Blocks 1 open bug)



(1 file, 1 obsolete file)

Once the new CSP implementation is landed, we should remove unused strings from
Depends on: 994782
Actually, we can't remove the strings until the old implementation is removed.  The blocking relationship here is right.  Adding the CSP metabug for tracking.
Blocks: CSP
Removing all strings that are currently unused in CSP. Sid, you are familiar with the old implementation of CSP. If you think we shouldn't delete all of those unused strings, but rather should update the new CSP implementation to use some of those strings, let me know.
Attachment #8472798 - Flags: review?(sstamm)
Comment on attachment 8472798 [details] [diff] [review]

Review of attachment 8472798 [details] [diff] [review]:

Also see /dom/locales/en-US/chrome/security/ to remove the unused strings there.

Please re-flag me for another round.

::: dom/locales/en-US/chrome/security/
@@ -33,5 @@
>  # %1$S is the option that could not be understood
>  ignoringUnknownOption = Ignoring unknown option %1$S
> -# LOCALIZATION NOTE (reportURInotHttpsOrHttp2):
> -# %1$S is the ETLD of the report URI that is not HTTP or HTTPS
> -reportURInotHttpsOrHttp2 = The report URI (%1$S) should be an HTTP or HTTPS URI.
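
Review bot: on the removal of reportURInotHttpsOrHttp2, the deleted message is the one that tells a policy author their report URI is not HTTP or HTTPS, so dropping it only makes sense if the new implementation deliberately no longer warns about that case. Before landing, search the tree for any remaining lookup of the key, and if the warning is meant to come back, keep the entry together with its LOCALIZATION NOTE instead of deleting it now and re-adding it later.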

Hm.  We used to post warnings to the error console when the report URI was not safe:

Do we want to keep the string around and add this back in?

@@ -60,5 @@
> -# inline style refers to CSS code that is embedded into the HTML document.
> -inlineStyleBlocked = An attempt to apply inline style sheets has been blocked
> -# LOCALIZATION NOTE (scriptFromStringBlocked):
> -# eval is a name and should not be localized.
> -scriptFromStringBlocked = An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
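
Review bot: as quoted, this hunk begins partway through a comment block ("# inline style refers to CSS code that is embedded into the HTML document."), so check that the removal also takes the LOCALIZATION NOTE header line that belongs to inlineStyleBlocked and leaves no orphaned comment in the file. The same applies to scriptFromStringBlocked: its two comment lines and the key should be removed or kept as one unit.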

I think inlineScriptBlocked, inlineStyleBlocked and scriptFromStringBlocked are still relevant.  Problem is we never use them.

We probably should use them here-ish:

Maybe keep the strings and file a follow-up bug?
Attachment #8472798 - Flags: review?(sstamm)
Assignee: nobody → mozilla
Depends on: 1070732
Depends on: 1070733
I filed two bugs, one for reporting non http/https reports and one for bringing back 'inlineStyleBlocked' and such; see dependency tree.
Attachment #8472798 - Attachment is obsolete: true
Attachment #8493162 - Flags: review?(sstamm)
Comment on attachment 8493162 [details] [diff] [review]

Review of attachment 8493162 [details] [diff] [review]:

looks good.
Attachment #8493162 - Flags: review?(sstamm) → review+
Closed: 7 years ago
Resolution: --- → FIXED