Closed Bug 1497584 Opened 2 years ago Closed 1 year ago

Apply Meta CSP to about:preferences

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking


RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Regressed 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Regressions: 1579608
Regressions: 1582073

This added
csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon:; style-src chrome: data: 'unsafe-inline'"

Where does the sha hash come from?

Flags: needinfo?(ckerschb)

(In reply to Magnus Melin [:mkmelin] from comment #4)

Where does the sha hash come from?

CSP allows whitelisting inline scripts by providing the hash of the script's content, mostly used to whitelist inline event handlers. In that particular case it's the hash of "gSearchResultsPane.searchInput.focus();", see:
https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/browser/components/preferences/in-content/preferences.xul#163-165

Flags: needinfo?(ckerschb)
Regressions: 1584228
Regressions: 1582467
Regressions: 1584092