Closed Bug 1567877 Opened 3 years ago Closed 3 years ago

Apply Meta CSP to about:devtools-toolbox

Categories

(Core :: DOM: Security, task, P2)

task

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.

Brendan, what needs to be done to apply a CSP to about:devtools-toolbox? Put differently, where does that code live?

Flags: needinfo?(bdahl)
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]

toolbox.xul registered here

Flags: needinfo?(bdahl)

Hey Henri and Julian,

within this patch we would like to apply a CSP to *.xul pages, in particular 'about:devtools-toolbox'.

@Henri: Within [1] you already f+ed a similar patch where we added a custom attribute on the root element which allows us to pipe the policy through into the CSP machinery. Please note that this code works exactly the same as for any Meta CSP [2] with the only difference that we have to set the request context which is not needed for the Meta CSP since we already have a request context. The reason I moved the XULElement bits into this bug is because applying a CSP to about:downloads (see Bug 1497200) is more complicated and we have to fight some inline event handlers. Anyway, would you be willing to r+ that patch?

@Julian: I followed your instructions and tested the following scenarios:

  • Go to about:debugging
  • Select "This Nightly/This Firefox"
  • Click on any of the "inspect" buttons.

I tried all of them, also using different CSPs, making sure the CSP would block all schemes that are not whitelisted - everything I tested seems to work. If you have any additional suggestions on how to test I am happy to do so, but looking at the code, it seems only chrome: and resource: URIs are used everywhere.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1497200#c9
[2] https://searchfox.org/mozilla-central/source/dom/html/HTMLMetaElement.cpp#118-128
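
The scheme check described in the comment above can be modelled offline before a policy is applied to a privileged page. The following is an added example, not code from this bug or from Gecko: it is a simplified matcher that understands only scheme sources and the default-src fallback, and the policy string and URLs are constructed for illustration.

```javascript
// Simplified model of CSP scheme-source matching (NOT Gecko's implementation).
// Supports only scheme sources such as "chrome:" and the default-src fallback.
const FETCH_DIRECTIVES = new Set(["script-src", "style-src", "img-src", "font-src", "connect-src"]);

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function isAllowed(directives, directive, url) {
  const sources = directives.get(directive) ??
    (FETCH_DIRECTIVES.has(directive) ? directives.get("default-src") : undefined);
  if (sources === undefined) return true; // no governing directive, load is unrestricted
  // URL normalises the scheme to lower case and keeps the trailing ":".
  const scheme = new URL(url).protocol;
  // 'none' or an empty list never equals a scheme, so both block everything.
  return sources.includes(scheme);
}

// Returns the URLs from `loads` that the policy would block.
function auditLoads(policy, loads) {
  const directives = parsePolicy(policy);
  return loads
    .filter(({ directive, url }) => !isAllowed(directives, directive, url))
    .map(({ url }) => url);
}

// Constructed policy and load inventory (hypothetical paths, for illustration only).
const SAMPLE_POLICY = "default-src chrome: resource:; img-src chrome: resource: data:";
const SAMPLE_LOADS = [
  { directive: "script-src", url: "chrome://devtools/content/example.js" },
  { directive: "style-src", url: "resource://devtools/example.css" },
  { directive: "script-src", url: "https://example.com/lib.js" },
  { directive: "img-src", url: "data:image/png;base64,AAAA" },
  { directive: "script-src", url: "data:text/javascript,void%200" },
];

console.log(auditLoads(SAMPLE_POLICY, SAMPLE_LOADS));
```
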

Blocks: 1569495
Attachment #9080589 - Attachment description: Bug 1567877: Apply Meta CSP to about:devtools-toolbox. r=hsivonen,jdescottes → Bug 1567877: Apply Meta CSP to about:devtools-toolbox. r=ehsan,jdescottes
No longer blocks: 1569495
Depends on: 1569495
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/4d114e06d2bb
Apply Meta CSP to about:devtools-toolbox. r=jdescottes,Ehsan
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Regressions: 1571318