Add assertion that all new about: pages ship with a CSP
Categories
(Core :: DOM: Security, enhancement, P1)
Tracking | Status | |
---|---|---|
firefox61 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file, 1 obsolete file)
6.15 KB, patch | smaug: review+ | Gijs: review+
Comment 15•6 years ago
Note that this assertion doesn't actually stop shipping… it only stops debug builds from using these about: pages :) about:compat was added and fails this assertion but since nothing tests that page in debug builds (not sure if there are any tests at all), this wasn't caught.
Comment 16•6 years ago
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #15)
> Note that this assertion doesn't actually stop shipping… it only stops debug builds from using these about: pages :) about:compat was added and fails this assertion but since nothing tests that page in debug builds (not sure if there are any tests at all), this wasn't caught.
Is there anything we can reasonably do about this? :-(
I guess we could add a debug-only test that loads all about: pages, or something?
Comment 17•6 years ago
(In reply to :Gijs (he/him) from comment #16)
> (In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #15)
> > Note that this assertion doesn't actually stop shipping… it only stops debug builds from using these about: pages :) about:compat was added and fails this assertion but since nothing tests that page in debug builds (not sure if there are any tests at all), this wasn't caught.
> Is there anything we can reasonably do about this? :-(
> I guess we could add a debug-only test that loads all about: pages, or something?
Right, that's what I was thinking. I was mostly pointing out that the commit didn't really achieve what the summary said.
Or don't allow new about: pages to be added without their own tests :) It's sad that there are no tests for about:compat from what I can tell.
Comment 18 (Assignee)•6 years ago
FWIW, I filed bug 1537685 to check if it's possible to write a test that iterates all about: pages and ensures all of them have a valid csp.
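As an added example (not Mozilla's test and not code from this bug), here is a static variant of the check proposed in comments 16 to 18: instead of depending on a debug build happening to load each page, it scans every page's markup for a `<meta>` CSP. The page names, the sample markup and the rule that a policy must contain `default-src` are assumptions made for the illustration.

```python
from html.parser import HTMLParser

class _MetaCSP(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))

def parse_csp(policy):
    """Split a policy string into {directive: [source, ...]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def pages_without_csp(pages, required="default-src"):
    """Return sorted names of pages lacking a meta CSP with the required directive."""
    failing = []
    for name, html in pages.items():
        parser = _MetaCSP()
        parser.feed(html)
        # Assumption: a page passes only if some policy declares `required`.
        if not any(required in parse_csp(p) for p in parser.policies):
            failing.append(name)
    return sorted(failing)

# Constructed sample markup with hypothetical page names, not taken from Firefox.
SAMPLE_PAGES = {
    "about:example-ok": '<html><head><meta http-equiv="Content-Security-Policy" '
                        'content="default-src chrome:; object-src \'none\'"></head></html>',
    "about:example-no-csp": "<html><head><title>x</title></head></html>",
    "about:example-weak": '<html><head><meta http-equiv="Content-Security-Policy" '
                          'content="img-src data:"></head></html>',
}

if __name__ == "__main__":
    for name in pages_without_csp(SAMPLE_PAGES):
        print("missing CSP:", name)
```

Because the check runs over every page it is given, a newly added page with no test of its own is still reported.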