Closed Bug 1495983 Opened Last year Closed Last year

Assert system privileged about: pages have a CSP

Categories

(Core :: DOM: Security, enhancement, P2)


Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.
Assignee: nobody → ckerschb
Blocks: 1492063
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Depends on: 1496010
Smaug, ultimately we would like to apply a CSP to all about: pages. Some background, within Bug 965637 we are about to move the CSP into the Client which should allow us to apply a CSP to all about: pages, not only content privileged about pages. I guess it's time to update the assertion within nsDocument to cover all about: pages, whitelist the ones that don't have a CSP yet and then systematically apply a CSP to all about: pages.
Attachment #9014014 - Flags: review?(bugs)
I guess not all about:, since about:blank is rather special ;)
(In reply to Olli Pettay [:smaug] (r- if the bug doesn't explain what the change(s) are about.) from comment #2)
> I guess not all about:, since about:blank is rather special ;)

all about pages where it's feasible :-)
Comment on attachment 9014014 [details] [diff] [review]
bug_1495983_assert_system_about_page_has_csp.patch

> #if defined(DEBUG) && !defined(ANDROID)
>-pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc");
>-// the following pref is for testing purposes only.
>-pref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false);
>+// we can not apply a CSP to the following content privileged
>+// about: pages: blank, printpreview, srcdoc
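Review bot: the comment added in the last two lines of this hunk is detached from the pref it is meant to document: the hunk replaces `pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc");` with a prose list of the same three names, so the list now exists in two forms (the comment and whatever pref follows) and will drift. Either place the list as a comment directly above the pref that carries it, or drop the comment and let the pref be the single source of truth. The hunk also removes the test-only `csp.overrule_content_privileged_about_uris_without_csp_whitelist` pref with no visible replacement; any test that flipped it to exercise the assertion path needs a corresponding update, and the commit message should say how that path is covered now.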
I'm having trouble parsing this sentence. You list 3 pages (which aren't even privileged, at least two of them) and then the pref lists all the stuff.
Attachment #9014014 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] (pto Oct 4-7) from comment #4)
> >+// we can not apply a CSP to the following content privileged
> >+// about: pages: blank, printpreview, srcdoc
> I'm having trouble to parse this sentence. You list 3 pages (which aren't
> even privileged, at least two of them) and then the pref lists all the stuff.

I thought I was going to list the content privileged ones separately, but I guess it doesn't make a difference. I removed the comment.
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/37fcdbb6756c
Assert system privileged about: pages have CSP. r=smaug
Depends on: 1496386
No longer depends on: 1496010
No longer depends on: 1496386
https://hg.mozilla.org/mozilla-central/rev/37fcdbb6756c
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64