Apply Meta CSP to about:debugging
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
No description provided.
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 1•6 years ago
|
||
|
||
Comment 2•6 years ago
|
||
Comment on attachment 9017074 [details] [diff] [review] bug_1497197_csp_about_debugging.patch Review of attachment 9017074 [details] [diff] [review]: ----------------------------------------------------------------- Someone who knows about:debugging should review this.
|
||
Comment 3•6 years ago
|
||
Comment on attachment 9017074 [details] [diff] [review] bug_1497197_csp_about_debugging.patch Looks good to me. We are planning to switch to a new about:debugging UI soon. Do you want to apply the same fix to devtools/client/aboutdebugging-new/index.html or should I log a separate bug?
|
|
Assignee | |
Comment 4•6 years ago
|
||
(In reply to Julian Descottes [:jdescottes][:julian] from comment #3) > Looks good to me. We are planning to switch to a new about:debugging UI > soon. Do you want to apply the same fix to > devtools/client/aboutdebugging-new/index.html or should I log a separate > bug? We need a separate bug for that and remove the inline script, put and package it in an external file and load all of the JS [1] using a chrome: URL. Otherwise we would have to use 'unsafe-inline' in the CSP, and we are adding a CSP exactly to prevent inline script execution :-) [1] https://searchfox.org/mozilla-central/source/devtools/client/aboutdebugging-new/index.html#10-20
|
|
||
Comment 5•6 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4) > (In reply to Julian Descottes [:jdescottes][:julian] from comment #3) > > Looks good to me. We are planning to switch to a new about:debugging UI > > soon. Do you want to apply the same fix to > > devtools/client/aboutdebugging-new/index.html or should I log a separate > > bug? > > We need a separate bug for that and remove the inline script, put and > package it in an external file and load all of the JS [1] using a chrome: > URL. Otherwise we would have to use 'unsafe-inline' in the CSP, and we are > adding a CSP exactly to prevent inline script execution :-) > > [1] > https://searchfox.org/mozilla-central/source/devtools/client/aboutdebugging- > new/index.html#10-20 Ahah good point. Filed Bug 1499064, will address it later today.
|
|
Assignee | |
Comment 6•6 years ago
|
||
We should land those changes here together with the changes within Bug 1499064.
|
||
Comment 7•5 years ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:ckerschb, could you have a look please?
|
|
Assignee | |
Comment 8•5 years ago
|
||
Before we can apply CSP to system privileged about pages we have to fix Bug 965637, in which we move the CSP from the Principal into the Client. Please note that the Meta Bug 1492063 for applying CSP to system privileged about: pages is blocked by 965637. At the moment we are fixing the last remaining blockers and as soon as we have landed Bug 965637 I'll try to land all the dependencies of Bug 1492063 so we end up having all about: pages secured by a CSP.
|
|
Assignee | |
Comment 10•5 years ago
|
||
|
|
Assignee | |
Comment 11•5 years ago
|
||
Hey Julian, I added a CSP to the 'old' and the 'new' about:debugging page (from Bug 1499064). The old version you already reviewed here a while ago. Could you please rubber stamp that again? Thanks!
|
||
Comment 12•5 years ago
|
||
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/e97f23bfa99c Apply Meta CSP to about:debugging. r=jdescottes
|
|
||
Comment 13•5 years ago
|
||
Backout by dluca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7d105b9c1589 Backed out changeset e97f23bfa99c for devtools failures in devtools/client/aboutdebugging-new/test/browser/browser_aboutdebugging_profiler_dialog.js
|
|
||
Comment 14•5 years ago
•
|
||
Two things:
- we have test failures because we are using data urls in some tests. :gijs already has a fix for this in scope of bug 1560178
- I noticed that all images with data URLs as
srcare now empty
The first issue is not a big concern. But the second issue is much more problematic. Is there a way we can keep using data URL as image sources here?
For instance, would
<meta http-equiv="Content-Security-Policy"
content="default-src chrome: resource:; img-src data: chrome: resource:" />
be acceptable here?
|
|
Assignee | |
Comment 15•5 years ago
|
||
It seems there are some test updates that happen within Bug 1560178. We just wait for those and then land with a CSP of:
<meta http-equiv="Content-Security-Policy"
content="default-src chrome: resource:; img-src data: chrome: resource:" />
Opening up the CSP to allow data: for images is totally fine.
|
|
||
Comment 16•5 years ago
|
||
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/2c7ddea7649e Apply Meta CSP to about:debugging. r=jdescottes
|
||
Comment 17•5 years ago
|
||
| bugherder | ||
Description
•