Closed Bug 1330035 Opened 3 years ago Closed 3 years ago

Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP()

Categories

(Core :: DOM: Security, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox53 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

As discussed with Dan, we should not use URI_INHERITS_SECURITY_CONTEXT but rather use javascript: explictly, see:

https://bugzilla.mozilla.org/show_bug.cgi?id=1329198#c1
Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P1
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Comment on attachment 8825726 [details] [diff] [review]
bug_1330035_explicitly_use_javascript.patch

Review of attachment 8825726 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz

::: dom/security/nsCSPService.cpp
@@ +73,5 @@
>    if (NS_SUCCEEDED(rv) && match) {
>      return true;
>    }
> +  // finally we have to whitelist "about:" and "javascript:" which do
> +  // not fall into the category underneath but are not subject to CSP.

maybe "not subject to CSP content loading rules"? "javascript:" _is_ subject to CSP of course, but the script rules instead.
Attachment #8825726 - Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a1f0be6fa1d
Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz
https://hg.mozilla.org/mozilla-central/rev/4a1f0be6fa1d
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.