Opening the add-on manager shows a CSP error
Categories
(Toolkit :: Add-ons Manager, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox72 | --- | verified |
People
(Reporter: Gijs, Assigned: mstriemer)
Details
(Whiteboard: about:addons)
Attachments
(1 file)
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).
from https://searchfox.org/mozilla-central/rev/3300072e993ae05d50d5c63d815260367eaf9179/toolkit/content/widgets/menupopup.js#67
Looks like this may be the inline <html:style>
block?
Comment 1•5 years ago
|
||
I think we could remove the styles in html:style to use shadow parts. Basically instead of rules like :host(.in-menulist) .popup-internal-box::part(scrollbutton-up),
we could apply the .in-menulist
class onto the arrowscrollbox.popup-internal-box instead (at https://searchfox.org/mozilla-central/rev/8b7aa8af652f87d39349067a5bc9c0256bf6dedc/toolkit/content/widgets/menupopup.js#140) and then have rules like:
arrowscrollbox.in-menulist::part(scrollbutton-up)
in the scrollbox.css files.
Comment 2•5 years ago
|
||
this.classList.add("in-menulist") would become this.scrollBox.classList.add("in-menulist"). I don't see any other references to this class so it should be safe to remove from the menupopup host.
Reporter | ||
Comment 3•5 years ago
|
||
Hm, except style-src
includes unsafe-inline
. Maybe my initial diagnosis was wrong? Christoph/Sebastian, could you doublecheck what's causing this?
Comment 4•5 years ago
|
||
Hey, the extention.xul's csp does not include style-src: unsafe-inline
so i guess the initial diagnosis was right :)
Reporter | ||
Comment 5•5 years ago
|
||
Huh, seems I was confused with aboutaddons.html ...
Assignee | ||
Comment 6•5 years ago
|
||
I think we can probably get rid of the menupopups in extensions.xul.
@Luca, do you remember if we're using any of these XUL elements [1]? I tried removing them and the options UI seemed to work fine. I see we're telling the browser about a PopupAutoComplete
[2] though, which I don't see in the HTML document.
[1] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/extensions.xul#35-58
[2] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/aboutaddons.js#1836
Comment 7•5 years ago
|
||
(In reply to Mark Striemer [:mstriemer] from comment #6)
I think we can probably get rid of the menupopups in extensions.xul.
@Luca, do you remember if we're using any of these XUL elements [1]? I tried removing them and the options UI seemed to work fine. I see we're telling the browser about a
PopupAutoComplete
[2] though, which I don't see in the HTML document.[1] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/extensions.xul#35-58
[2] https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/toolkit/mozapps/extensions/content/aboutaddons.js#1836
I took a look to the mercurial history and that PopupAutocomplete
element has been originally introduced by Bug 1387624, to make the autocomplete popup to work as expected on the webextension inline options pages.
Sadly, it wasn't covered by any automated test and we missed to notice that it regressed (it can be verified using the same extension used to QA verify that bug in Bug 1387624 comment 26: https://addons.mozilla.org/en-US/firefox/addon/notification-sound/), I filed Bug 1595158 to track a fix for that regression (and added some additional details about it).
Anyway, about those XUL elements:
PopupAutoComplete
shouldn't have any purpose anymore (the feature it should support has already regressed and there shouldn't be anything else that is making any use of it)ContentSelectDropdown
used to also support the select popup for the inline options, but we have already replaced it in the HTML about:addons view and so the XUL views are also gone and so it should not be used anymore for anything else- all the other XUL element seems to also be only related to the XUL views and so they doesn't seem to be used or needed anymore
Comment 8•5 years ago
|
||
Luca, curious what we should do with this. Will Bug 1595158 address this?
Comment 9•5 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #8)
Luca, curious what we should do with this. Will Bug 1595158 address this?
No, this should be fixed by removing the XUL element that are triggering it, as Mark mentioned in comment 6.
Bug 1595158 is just a regression that I noticed while double-checking if any of the XUL elements Mark mentioned in comment 6 was still being used, but the fix doesn't depend from any of those elements (anymore) and it can be fixed separately from this one.
Assignee | ||
Comment 10•5 years ago
|
||
Assignee | ||
Updated•5 years ago
|
Comment 11•5 years ago
|
||
Pushed by rgurzau@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f1c44a2eb604 Remove unused options UI helpers from extensions.xul r=rpl
Comment 12•5 years ago
|
||
Tried to push this for testing but got the following Eslint failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&revision=f1c44a2eb6041bc202b27d9d3a65254de00285af&selectedJob=276615515 and then i backed it out.
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=276615515&repo=autoland&lineNumber=54
[task 2019-11-17T08:30:10.620Z] executing ['bash', '-cx', 'cp -r /build/node_modules_eslint node_modules && ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules && ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules && ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json\n']in /builds/worker/checkouts/gecko
[task 2019-11-17T08:30:10.624Z] + cp -r /build/node_modules_eslint node_modules
[task 2019-11-17T08:30:10.967Z] + ln -s ../tools/lint/eslint/eslint-plugin-mozilla node_modules
[task 2019-11-17T08:30:10.968Z] + ln -s ../tools/lint/eslint/eslint-plugin-spidermonkey-js node_modules
[task 2019-11-17T08:30:10.969Z] + ./mach lint -l eslint -f treeherder --quiet -f json:/builds/worker/mozlint.json
[task 2019-11-17T08:30:12.046Z] Using base prefix '/usr'
[task 2019-11-17T08:30:12.046Z] New python executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/bin/python3
[task 2019-11-17T08:30:12.046Z] Also creating executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/bin/python
[task 2019-11-17T08:30:14.537Z] Installing setuptools, pip, wheel...done.
[task 2019-11-17T08:30:15.828Z] b"running build_ext\nbuilding 'psutil._psutil_linux' extension\ncreating build\ncreating build/temp.linux-x86_64-3.5\ncreating build/temp.linux-x86_64-3.5/psutil\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_common.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_common.o\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_linux.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_linux.o\ncreating build/lib.linux-x86_64-3.5\ncreating build/lib.linux-x86_64-3.5/psutil\nx86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-Bsymbolic-functions -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.5/psutil/_psutil_common.o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o build/temp.linux-x86_64-3.5/psutil/_psutil_linux.o -o build/lib.linux-x86_64-3.5/psutil/_psutil_linux.cpython-35m-x86_64-linux-gnu.so\nbuilding 'psutil._psutil_posix' extension\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_common.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_common.o\nx86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=563 -DPSUTIL_LINUX=1 -I/usr/include/python3.5m -I/builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init_py3/include/python3.5m -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o\nx86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-Bsymbolic-functions -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.5/psutil/_psutil_common.o build/temp.linux-x86_64-3.5/psutil/_psutil_posix.o -o build/lib.linux-x86_64-3.5/psutil/_psutil_posix.cpython-35m-x86_64-linux-gnu.so\ncopying build/lib.linux-x86_64-3.5/psutil/_psutil_linux.cpython-35m-x86_64-linux-gnu.so -> psutil\ncopying build/lib.linux-x86_64-3.5/psutil/_psutil_posix.cpython-35m-x86_64-linux-gnu.so -> psutil\n"
[task 2019-11-17T08:30:15.828Z] Error processing command. Ignoring because optional. (optional:packages.txt:comm/build/virtualenv_packages.txt)
[task 2019-11-17T08:45:01.616Z] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/toolkit/mozapps/extensions/content/extensions.js:12:9 | 'DeferredTask' is assigned a value but never used. (no-unused-vars)
[taskcluster 2019-11-17 08:45:01.989Z] === Task Finished ===
[taskcluster 2019-11-17 08:45:02.948Z] Unsuccessful task run with exit code: 1 completed in 913.517 seconds
Comment 13•5 years ago
|
||
Backout by rgurzau@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8b55cc4b1336 Backed out changeset f1c44a2eb604 for eslint failure at /content/extensions.js on a CLOSED TREE.
Comment 14•5 years ago
|
||
Pushed by mstriemer@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/975df36124a5 Remove unused options UI helpers from extensions.xul r=rpl
Comment 15•5 years ago
|
||
bugherder |
Comment 16•5 years ago
|
||
Hello,
Verified the fix on the latest Nightly (72.0a1/20191119043902) under Windows 10 Pro 64-bit and MacOS Catalina 10.15.
Opening the add-on manager does not show a CSP error in Browser Console.
Assignee | ||
Updated•5 years ago
|
Description
•