Closed Bug 1567867 Opened 9 months ago Closed 9 months ago

Remove about:newtab from 'not providing a CSP' whitelist

Categories

(Core :: DOM: Security, task, P2)

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.

It seems about:newtab provides the following CSP:

default-src 'none'; object-src 'none'; script-src resource: chrome:; connect-src https:; img-src https: data: blob:; style-src 'unsafe-inline'

which is 'good enough' so the assertion within AssertAboutPageHasCSP does not fire. Even though I would like some updates, like e.g. the 'unsafe-inline' from style-src should be removed, I think we can remove about:newtab from the whitelist.
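
An added example, not part of the original bug or of Firefox's code: a small parser that splits the policy quoted above into directives and flags the 'unsafe-inline' in style-src that the comment mentions. The function names and audit rules are assumptions chosen for illustration and do not reproduce the logic of AssertAboutPageHasCSP.

```javascript
// Added example: the audit rules below are illustrative assumptions,
// not the checks performed by Firefox's AssertAboutPageHasCSP.

// Parse a serialized policy into Map<directive name, source list>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP specification, a repeated directive is ignored (first wins).
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives fall back to default-src when they are absent.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? null;
}

// Return a list of human-readable findings for one policy string.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!d.has("default-src")) findings.push("missing default-src");
  for (const name of ["script-src", "style-src", "object-src"]) {
    const sources = effectiveSources(d, name);
    if (sources === null) {
      findings.push(`${name} is unrestricted`);
      continue;
    }
    for (const s of sources) {
      const kw = s.toLowerCase();
      if (kw === "'unsafe-inline'" || kw === "'unsafe-eval'") {
        findings.push(`${name} allows ${kw}`);
      }
      if (s === "*") findings.push(`${name} allows any origin`);
    }
  }
  return findings;
}

// The about:newtab policy as quoted in this bug.
const NEWTAB_CSP =
  "default-src 'none'; object-src 'none'; script-src resource: chrome:; " +
  "connect-src https:; img-src https: data: blob:; style-src 'unsafe-inline'";
console.log(auditCsp(NEWTAB_CSP));
```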

Depends on: 1500061
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/7bd9fdf6b1ee
Remove about:newtab from 'not providing a CSP' whitelist. r=k88hudson
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70