Closed Bug 1472606 Opened 6 years ago Closed 6 years ago

Enable self-xss protection on CodeMirror JsTerm

Categories

(DevTools :: Console, enhancement, P1)

Tracking

(firefox63 fixed)

RESOLVED FIXED
Firefox 63

People

(Reporter: nchevobbe, Assigned: nchevobbe)

References

(Blocks 1 open bug)

Details

(Whiteboard: [boogaloo-mvp])

Attachments

(2 files)

      No description provided.
Assignee: nobody → nchevobbe
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [boogaloo-mvp]
Summary: Enable self-xss protetion on CodeMirror JsTerm → Enable self-xss protection on CodeMirror JsTerm
Blocks: 1463674
Comment on attachment 8990000 [details]
Bug 1472606 - Enable self-xss protection on CodeMirror JsTerm; .

https://reviewboard.mozilla.org/r/255024/#review262162

Looks good

R+

Thanks Nicolas!
Honza
Attachment #8990000 - Flags: review?(odvarko) → review+
Comment on attachment 8990001 [details]
Bug 1472606 - Split browser_jsterm_selfxss test; .

https://reviewboard.mozilla.org/r/255026/#review262160

Works for me, just one inline question.

R+ assuming try is green

Thanks!
Honza

::: devtools/client/webconsole/test/mochitest/browser_jsterm_selfxss.js
(Diff revision 2)
> -    jsterm.setInputValue(i);
> +    jsterm.setInputValue(i.toString());
>      jsterm.execute();
>    }
>    is(WebConsoleUtils.usageCount, 4, "Usage count incremented");
>    WebConsoleUtils.usageCount = 0;
> -  updateEditUIVisibility();
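
Review bot: the `i.toString()` conversion on the `setInputValue` line suggests the input now needs a string rather than a number, and the test should say so in a short comment so the cast is not later removed as redundant. The dropped `updateEditUIVisibility();` after the `usageCount` reset is also unexplained in the hunk; stating in the commit message that the call was unneeded would keep the removal from reading as accidental.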

What is the `updateEditUIVisibility` function for? Why isn't it used anymore?
Attachment #8990001 - Flags: review?(odvarko) → review+
Comment on attachment 8990001 [details]
Bug 1472606 - Split browser_jsterm_selfxss test; .

https://reviewboard.mozilla.org/r/255026/#review262160

> What is the `updateEditUIVisibility` function for? Why isn't it used anymore?

This is a platform function: https://searchfox.org/mozilla-central/rev/1193ef6a61cb6e350460eb2e8468184d3cb0321d/browser/base/content/browser.js#4443-4463 

This is the only place in devtools where it was used, and I don't see why we needed to call it in the first place (probably historical reason).

It's still being used in browser_jsterm_autocomplete_paste_undo.js. Is that ok?

Honza

oh, let me remove it :D
Pushed by nchevobbe@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a4c3f565ace1
Enable self-xss protection on CodeMirror JsTerm; r=Honza.
https://hg.mozilla.org/integration/autoland/rev/bb94d7f91e67
Split browser_jsterm_selfxss test; r=Honza.
https://hg.mozilla.org/mozilla-central/rev/a4c3f565ace1
https://hg.mozilla.org/mozilla-central/rev/bb94d7f91e67
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63