Bug 1495983 (Closed)
Opened 6 years ago
Closed 6 years ago
Assert system privileged about: pages have a CSP
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
RESOLVED FIXED, mozilla64
| | Tracking | Status |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
patch, 12.59 KB; smaug: review+
No description provided.
Updated • 6 years ago (Assignee)
Assignee: nobody → ckerschb
Blocks: 1492063
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Comment 1 • 6 years ago (Assignee)
Smaug, ultimately we would like to apply a CSP to all about: pages. Some background, within Bug 965637 we are about to move the CSP into the Client which should allow us to apply a CSP to all about: pages, not only content privileged about pages. I guess it's time to update the assertion within nsDocument to cover all about: pages, whitelist the ones that don't have a CSP yet and then systematically apply a CSP to all about: pages.
Attachment #9014014 -
Flags: review?(bugs)
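A simplified model of the check proposed in comment 1, as an added example that is not the attached patch or Firefox source: an about: page passes if it has a CSP or is on the allowlist. The function names are hypothetical, the allowlist format follows the comma-separated value quoted in comment 4, and the sample URIs in the test are constructed.

```cpp
// Added illustration, not Firefox source: models a debug check that every
// about: page carries a CSP unless it is on an allowlist.
#include <algorithm>
#include <cctype>
#include <set>
#include <sstream>
#include <string>

// Parse a comma-separated allowlist such as "blank,printpreview,srcdoc".
std::set<std::string> parseAllowlist(const std::string& pref) {
  std::set<std::string> out;
  std::stringstream ss(pref);
  std::string item;
  while (std::getline(ss, item, ',')) {
    if (!item.empty()) out.insert(item);
  }
  return out;
}

// Return the page name of an about: URI ("about:neterror?e=x" -> "neterror"),
// or an empty string when the URI does not use the about: scheme.
std::string aboutPageName(std::string uri) {
  std::transform(uri.begin(), uri.end(), uri.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  const std::string scheme = "about:";
  if (uri.compare(0, scheme.size(), scheme) != 0) return "";
  // Query and fragment do not change which page is loaded, so cut them off.
  // When neither is present, find_first_of returns npos and substr clamps.
  return uri.substr(scheme.size(), uri.find_first_of("?#") - scheme.size());
}

// True when the check would fail: an about: page without a CSP that is not
// allowlisted. Other schemes (and a bare "about:") are out of scope here.
bool failsCspCheck(const std::string& uri, bool hasCsp,
                   const std::set<std::string>& allowlist) {
  const std::string page = aboutPageName(uri);
  if (page.empty()) return false;
  if (allowlist.count(page)) return false;
  return !hasCsp;
}
```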
Comment 2 • 6 years ago
I guess not all about:, since about:blank is rather special ;)
Comment 3 • 6 years ago (Assignee)
(In reply to Olli Pettay [:smaug] (r- if the bug doesn't explain what the change(s) are about.) from comment #2)
> I guess not all about:, since about:blank is rather special ;)
all about pages where it's feasible :-)
Comment 4 • 6 years ago
Comment on attachment 9014014 [details] [diff] [review] bug_1495983_assert_system_about_page_has_csp.patch > #if defined(DEBUG) && !defined(ANDROID) >-pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc"); >-// the following pref is for testing purposes only. >-pref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false); >+// we can not apply a CSP to the following content privileged >+// about: pages: blank, printpreview, srcdoc I'm having trouble to parse this sentence. You list 3 pages (which aren't even privileged, at least two of them) and then the pref lists all the stuff.
Attachment #9014014 -
Flags: review?(bugs) → review+
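Review bot: the two added comment lines ("we can not apply a CSP to the following content privileged about: pages: blank, printpreview, srcdoc") repeat the exact value of the removed pref csp.content_privileged_about_uris_without_csp, so a reader cannot tell whether they describe the old list or whatever list follows them. Either state what the following list covers and why these three pages are exempt, or drop the comment. The same hunk also removes csp.overrule_content_privileged_about_uris_without_csp_whitelist, which its own comment marks as for testing purposes only; confirm that no test still sets it.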
Comment 5 • 6 years ago (Assignee)
(In reply to Olli Pettay [:smaug] (pto Oct 4-7) from comment #4) > >+// we can not apply a CSP to the following content privileged > >+// about: pages: blank, printpreview, srcdoc > I'm having trouble to parse this sentence. You list 3 pages (which aren't > even privileged, at least two of them) and then the pref lists all the stuff. I thought I am going to list the content privileged ones separately, but I guess it doesn't make a difference. I removed the comment.
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/37fcdbb6756c
Assert system privileged about: pages have CSP. r=smaug
Comment 7 • 6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/37fcdbb6756c
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64