Closed Bug 1594014 Opened 4 months ago Closed 3 months ago

Opening the add-on manager shows a CSP error

Categories

(Toolkit :: Add-ons Manager, defect)

VERIFIED FIXED
mozilla72
Tracking Status
firefox72 --- verified

People

(Reporter: Gijs, Assigned: mstriemer)

Details

(Whiteboard: about:addons)

Attachments

(1 file)

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). from https://searchfox.org/mozilla-central/rev/3300072e993ae05d50d5c63d815260367eaf9179/toolkit/content/widgets/menupopup.js#67

Looks like this may be the inline <html:style> block?

I think we could remove the styles in html:style to use shadow parts. Basically instead of rules like :host(.in-menulist) .popup-internal-box::part(scrollbutton-up), we could apply the .in-menulist class onto the arrowscrollbox.popup-internal-box instead (at https://searchfox.org/mozilla-central/rev/8b7aa8af652f87d39349067a5bc9c0256bf6dedc/toolkit/content/widgets/menupopup.js#140) and then have rules like:

arrowscrollbox.in-menulist::part(scrollbutton-up) in the scrollbox.css files.

this.classList.add("in-menulist") would become this.scrollBox.classList.add("in-menulist"). I don't see any other references to this class so it should be safe to remove from the menupopup host.

Hm, except style-src includes unsafe-inline. Maybe my initial diagnosis was wrong? Christoph/Sebastian, could you double-check what's causing this?

Flags: needinfo?(sstreich)
Flags: needinfo?(ckerschb)

Hey, the extensions.xul's CSP does not include style-src: unsafe-inline, so I guess the initial diagnosis was right :)

Flags: needinfo?(sstreich)

Huh, seems I was confused with aboutaddons.html ...

Flags: needinfo?(ckerschb)
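
The directive fallback behind the diagnosis in the comments above, as an added example (not code from this bug or from Firefox): an inline style block is governed by style-src when the policy has one and by default-src otherwise, which is why the console message names "default-src". The two policy strings are constructed stand-ins, not the real CSPs of extensions.xul or aboutaddons.html, and the function names are hypothetical.

```javascript
// Added example. Policies are constructed for illustration only.
const SAMPLE_POLICIES = {
  // Stand-in for a document whose CSP has no style-src at all.
  noStyleSrc: "default-src chrome:; img-src chrome: data:",
  // Stand-in for a document whose CSP sets style-src with 'unsafe-inline'.
  withStyleSrc: "default-src chrome:; style-src chrome: 'unsafe-inline'",
};

// Split a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether an inline <style> block carrying no nonce or hash would load,
// and report which directive made the decision.
function checkInlineStyle(policy) {
  const directives = parseCsp(policy);
  // CSP Level 3 fallback chain for style elements.
  const chain = ["style-src-elem", "style-src", "default-src"];
  const effective = chain.find((d) => directives.has(d));
  if (!effective) return { allowed: true, effective: null };
  const sources = directives.get(effective).map((s) => s.toLowerCase());
  // A nonce or hash source in the same list makes 'unsafe-inline' ignored.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s)
  );
  const allowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { allowed, effective };
}

// Summarize every sample policy as "name: allowed|blocked by <directive>".
function summarize(policies = SAMPLE_POLICIES) {
  return Object.entries(policies).map(([name, policy]) => {
    const { allowed, effective } = checkInlineStyle(policy);
    return `${name}: ${allowed ? "allowed" : "blocked"} by ${effective}`;
  });
}

console.log(summarize().join("\n"));
```
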

I think we can probably get rid of the menupopups in extensions.xul.

@Luca, do you remember if we're using any of these XUL elements [1]? I tried removing them and the options UI seemed to work fine. I see we're telling the browser about a PopupAutoComplete [2] though, which I don't see in the HTML document.

[1] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/extensions.xul#35-58
[2] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/aboutaddons.js#1836

Flags: needinfo?(lgreco)

(In reply to Mark Striemer [:mstriemer] from comment #6)

I think we can probably get rid of the menupopups in extensions.xul.

@Luca, do you remember if we're using any of these XUL elements [1]? I tried removing them and the options UI seemed to work fine. I see we're telling the browser about a PopupAutoComplete [2] though, which I don't see in the HTML document.

[1] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/extensions.xul#35-58
[2] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/aboutaddons.js#1836

I took a look at the Mercurial history and that PopupAutoComplete element was originally introduced by Bug 1387624, to make the autocomplete popup work as expected on the WebExtension inline options pages.

Sadly, it wasn't covered by any automated test and we failed to notice that it regressed (it can be verified using the same extension used to QA verify that bug in Bug 1387624 comment 26: https://addons.mozilla.org/en-US/firefox/addon/notification-sound/). I filed Bug 1595158 to track a fix for that regression (and added some additional details about it).

Anyway, about those XUL elements:

  • PopupAutoComplete shouldn't have any purpose anymore (the feature it should support has already regressed and there shouldn't be anything else that is making any use of it)
  • ContentSelectDropdown used to also support the select popup for the inline options, but we have already replaced it in the HTML about:addons view and so the XUL views are also gone and so it should not be used anymore for anything else
  • all the other XUL elements also seem to be related only to the XUL views, and so they don't seem to be used or needed anymore

Flags: needinfo?(lgreco)

Luca, curious what we should do with this. Will Bug 1595158 address this?

Flags: needinfo?(lgreco)
Whiteboard: about:addons

(In reply to Jim Mathies [:jimm] from comment #8)

Luca, curious what we should do with this. Will Bug 1595158 address this?

No, this should be fixed by removing the XUL elements that are triggering it, as Mark mentioned in comment 6.

Bug 1595158 is just a regression that I noticed while double-checking whether any of the XUL elements Mark mentioned in comment 6 were still being used, but the fix doesn't depend on any of those elements (anymore) and it can be fixed separately from this one.

Flags: needinfo?(lgreco)
Assignee: nobody → mstriemer
Pushed by rgurzau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f1c44a2eb604
Remove unused options UI helpers from extensions.xul r=rpl

Tried to push this for testing but got the following ESLint failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&revision=f1c44a2eb6041bc202b27d9d3a65254de00285af&selectedJob=276615515 and then I backed it out.

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=276615515&repo=autoland&lineNumber=54

[task 2019-11-17T08:30:10.620Z] executing ['bash', '-cx', 'cp -r /build/node_modules_eslint node_modules && ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules && ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules && ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json\n']in /builds/worker/checkouts/gecko
[task 2019-11-17T08:30:10.624Z] + cp -r /build/node_modules_eslint node_modules
[task 2019-11-17T08:30:10.967Z] + ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules
[task 2019-11-17T08:30:10.968Z] + ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules
[task 2019-11-17T08:30:10.969Z] + ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json
[task 2019-11-17T08:30:12.046Z] Using base prefix '/usr'
[task 2019-11-17T08:30:12.046Z] New python executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/bin/python3
[task 2019-11-17T08:30:12.046Z] Also creating executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/bin/python
[task 2019-11-17T08:30:14.537Z] Installing setuptools, pip, wheel...done.
[task 2019-11-17T08:30:15.828Z] Error processing command. Ignoring because optional. (optional:packages.txt:comm/build/virtualenv_packages.txt)
[task 2019-11-17T08:45:01.616Z] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/toolkit/mozapps/extensions/content/extensions.js:12:9 | 'DeferredTask' is assigned a value but never used. (no-unused-vars)
[taskcluster 2019-11-17 08:45:01.989Z] === Task Finished ===
[taskcluster 2019-11-17 08:45:02.948Z] Unsuccessful task run with exit code: 1 completed in 913.517 seconds

Flags: needinfo?(mstriemer)
Backout by rgurzau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8b55cc4b1336
Backed out changeset f1c44a2eb604 for eslint failure at /content/extensions.js on a CLOSED TREE.
Pushed by mstriemer@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/975df36124a5
Remove unused options UI helpers from extensions.xul r=rpl
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

Hello,
Verified the fix on the latest Nightly (72.0a1/20191119043902) under Windows 10 Pro 64-bit and macOS Catalina 10.15.
Opening the add-on manager does not show a CSP error in Browser Console.

Status: RESOLVED → VERIFIED
Flags: needinfo?(mstriemer)