Closed
Bug 1497584
Opened 6 years ago
Closed 5 years ago
Apply Meta CSP to about:preferences
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
()
RESOLVED
FIXED
mozilla71
| | Tracking | Status |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
No description provided.
Assignee
Updated • 5 years ago
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Assignee
Comment 1 • 5 years ago
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/f68d89e1996c
Apply Meta CSP to about:preferences. r=Gijs
Comment 3 • 5 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Comment 4 • 5 years ago
This added
csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'"
Where does the sha hash come from?
Flags: needinfo?(ckerschb)
Assignee
Comment 5 • 5 years ago
(In reply to Magnus Melin [:mkmelin] from comment #4)
> Where does the sha hash come from?

CSP allows whitelisting inline scripts by providing the hash of the script's content, mostly used to whitelist inline event handlers. In that particular case it's the hash of "gSearchResultsPane.searchInput.focus();", see:
https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/browser/components/preferences/in-content/preferences.xul#163-165
Flags: needinfo?(ckerschb)
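
An added example (not part of the bug or of Firefox's code) showing how a CSP hash source like the one in comment 4 is derived and matched: the base64 SHA-512 digest of the exact inline script text. It uses Node.js's `crypto` module; the function names are hypothetical, and the sample policy is constructed in the shape quoted in comment 4 with a freshly computed hash.

```javascript
const crypto = require('crypto');

// Inline handler text quoted in comment 5.
const HANDLER = 'gSearchResultsPane.searchInput.focus();';

// Build a CSP hash source: '<algo>-<base64 digest of the exact script text>'.
function cspHashSource(scriptText, algo = 'sha512') {
  const digest = crypto.createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Return the source list of one directive, or null if the policy lacks it.
function directiveSources(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// True when script-src (falling back to default-src) lists a hash source
// equal to the digest of scriptText. Only hash matching is modelled here.
function inlineScriptAllowedByHash(policy, scriptText) {
  const sources = directiveSources(policy, 'script-src') ??
    directiveSources(policy, 'default-src') ?? [];
  return sources.some((src) => {
    const m = /^'(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}'$/.exec(src);
    return m !== null && cspHashSource(scriptText, m[1]) === src;
  });
}

// Constructed policy in the shape of the one quoted in comment 4.
const POLICY = `default-src chrome:; script-src chrome: ${cspHashSource(HANDLER)}; ` +
  `img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'`;

console.log(cspHashSource(HANDLER));
console.log(inlineScriptAllowedByHash(POLICY, HANDLER));        // exact text
console.log(inlineScriptAllowedByHash(POLICY, HANDLER + ' '));  // one extra byte
```

The digest covers the exact bytes of the inline text, so any edit to the handler, including whitespace, requires updating the hash in the policy.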