Closed Bug 1567867 Opened 5 years ago Closed 5 years ago

Remove about:newtab from 'not providing a CSP' whitelist

Categories

(Core :: DOM: Security, task, P2)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox70 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1567867: Remove about:newtab from 'not providing a CSP' whitelist.r=khudson
47 bytes, text/x-phabricator-request
Details | Review
No description provided.

It seems about:newtab provides the following CSP:

default-src 'none'; object-src 'none'; script-src resource: chrome:; connect-src https:; img-src https: data: blob:; style-src 'unsafe-inline'

which is 'good enough' so the assertion within AssertAboutPageHasCSP does not fire. Even though I would like some updates, like e.g. the 'unsafe-inline' from from style-src should be removed, I think we can remove about:newtab from the whitelist.

Depends on: 1500061
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/7bd9fdf6b1ee
Remove about:newtab from 'not providing a CSP' whitelist.r=k88hudson

https://hg.mozilla.org/mozilla-central/rev/7bd9fdf6b1ee

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox70: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: