Closed Bug 1497584 Opened 6 years ago Closed 5 years ago

Apply Meta CSP to about:preferences

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

      No description provided.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/f68d89e1996c
Apply Meta CSP to about:preferences. r=Gijs
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Regressions: 1579608
Regressions: 1582073

This added
csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'"

Where does the sha hash come from?

Flags: needinfo?(ckerschb)

(In reply to Magnus Melin [:mkmelin] from comment #4)

> Where does the sha hash come from?

CSP allows whitelisting inline scripts by providing the hash of the script's content, mostly used to whitelist inline event handlers. In that particular case it's the hash of "gSearchResultsPane.searchInput.focus();", see:
https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/browser/components/preferences/in-content/preferences.xul#163-165

Flags: needinfo?(ckerschb)
Regressions: 1584228
Regressions: 1582467
Regressions: 1584092
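
How a hash-source like the one discussed in the comments above is derived and matched, as an added Python example (not code from this bug or from Firefox): the digest is taken over the exact bytes of the inline script, base64-encoded, and prefixed with the algorithm name. The helper names are made up for this illustration; the policy string and handler text are the ones quoted in the comments, and whether those two match depends on the exact attribute bytes in preferences.xul, so the example does not claim a result for them.

```python
import base64
import hashlib

# Policy string and handler text as quoted in the comments on this bug.
PAGE_CSP = ("default-src chrome:; script-src chrome: "
            "'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; "
            "img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'")
HANDLER = "gSearchResultsPane.searchInput.focus();"

ALGS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def csp_hash_source(script_text, alg="sha512"):
    """Return the quoted hash-source for the exact UTF-8 bytes of script_text."""
    digest = ALGS[alg](script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))


def parse_directives(policy):
    """Split a serialized policy into {directive name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by CSP; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def hash_sources(policy, directive="script-src"):
    """Return [(alg, base64 digest)] from directive, falling back to default-src."""
    parsed = parse_directives(policy)
    found = []
    for src in parsed.get(directive, parsed.get("default-src", [])):
        alg, sep, b64 = src.strip("'").partition("-")
        if src.startswith("'") and sep and alg.lower() in ALGS:
            found.append((alg.lower(), b64))
    return found


def inline_allowed_by_hash(policy, script_text, directive="script-src"):
    """True if a hash-source in the policy matches script_text byte for byte."""
    return any(csp_hash_source(script_text, alg) == "'%s-%s'" % (alg, b64)
               for alg, b64 in hash_sources(policy, directive))


if __name__ == "__main__":
    print("hash-sources in the quoted policy:", hash_sources(PAGE_CSP))
    print("hash-source computed for the handler:", csp_hash_source(HANDLER))
    print("handler allowed by quoted policy:", inline_allowed_by_hash(PAGE_CSP, HANDLER))
```

Any change to the inline script, including whitespace, changes the digest, so the hash in the policy has to be regenerated whenever the handler text is edited.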