1594014 - Opening the add-on manager shows a CSP error

Status: VERIFIED FIXED

(Toolkit :: Add-ons Manager, defect)

Description

[:Gijs (he/him)]

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). from https://searchfox.org/mozilla-central/rev/3300072e993ae05d50d5c63d815260367eaf9179/toolkit/content/widgets/menupopup.js#67

Looks like this may be the inline <html:style> block?

Comment 1

[Brian Grinstead [:bgrins]]

I think we could remove the styles in html:style to use shadow parts. Basically instead of rules like :host(.in-menulist) .popup-internal-box::part(scrollbutton-up), we could apply the .in-menulist class onto the arrowscrollbox.popup-internal-box instead (at https://searchfox.org/mozilla-central/rev/8b7aa8af652f87d39349067a5bc9c0256bf6dedc/toolkit/content/widgets/menupopup.js#140) and then have rules like:

arrowscrollbox.in-menulist::part(scrollbutton-up) in the scrollbox.css files.

Comment 2

[Brian Grinstead [:bgrins]]

this.classList.add("in-menulist") would become this.scrollBox.classList.add("in-menulist"). I don't see any other references to this class so it should be safe to remove from the menupopup host.

Comment 3

[:Gijs (he/him)]

Hm, except style-src includes unsafe-inline. Maybe my initial diagnosis was wrong? Christoph/Sebastian, could you doublecheck what's causing this?

Comment 4

[Sebastian Streich [:sstreich]]

Hey, the extention.xul's csp does not include style-src: unsafe-inline so i guess the initial diagnosis was right :)

Comment 5

[:Gijs (he/him)]

Huh, seems I was confused with aboutaddons.html ...

Comment 6

[Mark Striemer [:mstriemer]]

I think we can probably get rid of the menupopups in extensions.xul.

@Luca, do you remember if we're using any of these XUL elements [1]? I tried removing them and the options UI seemed to work fine. I see we're telling the browser about a PopupAutoComplete [2] though, which I don't see in the HTML document.

[1] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/extensions.xul#35-58
[2] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/aboutaddons.js#1836

Comment 7

[Luca Greco [:rpl] [:luca] [:lgreco]]

(In reply to Mark Striemer [:mstriemer] from comment #6)

I think we can probably get rid of the menupopups in extensions.xul.

@Luca, do you remember if we're using any of these XUL elements [1]? I tried removing them and the options UI seemed to work fine. I see we're telling the browser about a PopupAutoComplete [2] though, which I don't see in the HTML document.

[1] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/extensions.xul#35-58
[2] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/aboutaddons.js#1836

I took a look to the mercurial history and that PopupAutocomplete element has been originally introduced by Bug 1387624, to make the autocomplete popup to work as expected on the webextension inline options pages.

Sadly, it wasn't covered by any automated test and we missed to notice that it regressed (it can be verified using the same extension used to QA verify that bug in Bug 1387624 comment 26: https://addons.mozilla.org/en-US/firefox/addon/notification-sound/), I filed Bug 1595158 to track a fix for that regression (and added some additional details about it).

Anyway, about those XUL elements:

• PopupAutoComplete shouldn't have any purpose anymore (the feature it should support has already regressed and there shouldn't be anything else that is making any use of it)
• ContentSelectDropdown used to also support the select popup for the inline options, but we have already replaced it in the HTML about:addons view and so the XUL views are also gone and so it should not be used anymore for anything else
• all the other XUL element seems to also be only related to the XUL views and so they doesn't seem to be used or needed anymore

Comment 8

[Jim Mathies [:jimm]]

Luca, curious what we should do with this. Will Bug 1595158 address this?

Comment 9

[Luca Greco [:rpl] [:luca] [:lgreco]]

(In reply to Jim Mathies [:jimm] from comment #8)

Luca, curious what we should do with this. Will Bug 1595158 address this?

No, this should be fixed by removing the XUL element that are triggering it, as Mark mentioned in comment 6.

Bug 1595158 is just a regression that I noticed while double-checking if any of the XUL elements Mark mentioned in comment 6 was still being used, but the fix doesn't depend from any of those elements (anymore) and it can be fixed separately from this one.

Comment 10

[Mark Striemer [:mstriemer]]

Attachment: Bug 1594014 - Remove unused options UI helpers from extensions.xul r?rpl

Comment 11

[Pulsebot]

Pushed by rgurzau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f1c44a2eb604
Remove unused options UI helpers from extensions.xul r=rpl

Comment 12

[Raul Gurzau (:RaulG)]

Tried to push this for testing but got the following Eslint failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&revision=f1c44a2eb6041bc202b27d9d3a65254de00285af&selectedJob=276615515 and then i backed it out.

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=276615515&repo=autoland&lineNumber=54

[task 2019-11-17T08:30:10.620Z] executing ['bash', '-cx', 'cp -r /build/node_modules_eslint node_modules && ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules && ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules && ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json\n']in /builds/worker/checkouts/gecko
[task 2019-11-17T08:30:10.624Z] + cp -r /build/node_modules_eslint node_modules
[task 2019-11-17T08:30:10.967Z] + ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules
[task 2019-11-17T08:30:10.968Z] + ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules
[task 2019-11-17T08:30:10.969Z] + ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json
[task 2019-11-17T08:30:12.046Z] Using base prefix '/usr'
[task 2019-11-17T08:30:12.046Z] New python executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/bin/python3
[task 2019-11-17T08:30:12.046Z] Also creating executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/bin/python
[task 2019-11-17T08:30:14.537Z] Installing setuptools, pip, wheel...done.
[task 2019-11-17T08:30:15.828Z] b"running build_ext\nbuilding 'psutil._psutil_linux' extension\ncreating build\ncreating build/temp.linux-x86_64-3.5\ncreating build/temp.linux-x86_64-3.5/psutil\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_common.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_common.o\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_linux.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_linux.o\ncreating build/lib.linux-x86_64-3.5\ncreating build/lib.linux-x86_64-3.5/psutil\nx86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-Bsymbolic-functions -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.5/psutil/_psutil_common.o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o build/temp.linux-x86_64-3.5/psutil/_psutil_linux.o -o build/lib.linux-x86_64-3.5/psutil/_psutil_linux.cpython-35m-x86_64-linux-gnu.so\nbuilding 'psutil._psutil_posix' extension\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_common.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_common.o\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o\nx86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-Bsymbolic-functions -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.5/psutil/_psutil_common.o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o -o build/lib.linux-x86_64-3.5/psutil/_psutil_posix.cpython-35m-x86_64-linux-gnu.so\ncopying build/lib.linux-x86_64-3.5/psutil/_psutil_linux.cpython-35m-x86_64-linux-gnu.so -> psutil\ncopying build/lib.linux-x86_64-3.5/psutil/_psutil_posix.cpython-35m-x86_64-linux-gnu.so -> psutil\n"
[task 2019-11-17T08:30:15.828Z] Error processing command. Ignoring because optional. (optional:packages.txt:comm/build/virtualenv_packages.txt)
[task 2019-11-17T08:45:01.616Z] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/toolkit/mozapps/extensions/content/extensions.js:12:9 | 'DeferredTask' is assigned a value but never used. (no-unused-vars)
[taskcluster 2019-11-17 08:45:01.989Z] === Task Finished ===
[taskcluster 2019-11-17 08:45:02.948Z] Unsuccessful task run with exit code: 1 completed in 913.517 seconds

Comment 13

[Pulsebot]

Backout by rgurzau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8b55cc4b1336
Backed out changeset f1c44a2eb604 for eslint failure at /content/extensions.js on a CLOSED TREE.

Comment 14

[Pulsebot]

Pushed by mstriemer@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/975df36124a5
Remove unused options UI helpers from extensions.xul r=rpl

Comment 15

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/975df36124a5

Comment 16

[Daniel Orban]

Hello,
Verified the fix on the latest Nightly (72.0a1/20191119043902) under Windows 10 Pro 64-bit and MacOS Catalina 10.15.
Opening the add-on manager does not show a CSP error in Browser Console.