Closed Bug 1616881 Opened 5 years ago Closed 5 years ago

Get rid of `uses-unsafe-cpows`

Categories

(Firefox :: General, defect, P3)

Product:
Firefox
Component:
General
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 77
Tracking Flags:
Tracking Status
firefox77 --- fixed

People

(Reporter: Gijs, Assigned: Gijs)

References

(Regressed 1 open bug)

Details

Attachments

(3 files)

Bug 1616881 - remove saveImageURL which, besides the now-dead CPOW checks, just calls internalSave, r?mconley
47 bytes, text/x-phabricator-request
Details | Review
Bug 1616881 - clear up saveBrowser/saveDocument and remove all mentions of CPOWs from contentAreaUtils.js, r?mconley
47 bytes, text/x-phabricator-request
Details | Review
Bug 1616881 - get rid of `uses-unsafe-cpows`, r?mconley
47 bytes, text/x-phabricator-request
Details | Review

There are 7 tests that still use this. I think we can get rid of all of them:
browser/base/content/test/general/ :

  • browser_bug735471.js - This loads about:preferences and then accesses content, but that's in the parent process anyway. Also, this test looks kinda useless to me (we have a lot more actual tests for prefs in browser/components/preferences ) so we could just remove it altogether.
  • browser_clipboard.js - unclear what the CPOW usage here is, but I'm sure we could just rewrite it if there is any left...
  • browser_blockHPKP.js - fully disabled due to bug 1581884, which is assigned to Prathiksha but hasn't seen activity for 4 months. Unsure if there are really CPOWs left here. Given error page stuff is fission compatible now, and the test uses SpecialPowers.spawn, I would be surprised if that were the case?

browser/components/customizableui/test/:

toolkit/components/reader/test/:

toolkit/content/tests/browser/:

  • browser_datetime_datepicker.js - I don't see any CPOW usage here, though I could well be missing something.
  • browser_saveImageURL.js - this has an explicit test for a deprecated way of invoking "save image" from the context menu (after flipping dom.ipc.cpows.forbid-unsafe-from-browser) that I think we should just remove (including removing support for the CPOW stuff in the context menu etc.)

Relating to that last point, Kris, do you know what (if anything) is stopping us from removing dom.ipc.cpows.forbid-unsafe-from-browser and just not allowing them at all?

(In reply to :Gijs (he/him) from comment #0)

  • browser_saveImageURL.js - this has an explicit test for a deprecated way of invoking "save image" from the context menu (after flipping dom.ipc.cpows.forbid-unsafe-from-browser) that I think we should just remove (including removing support for the CPOW stuff in the context menu etc.)

Relating to that last point, Kris, do you know what (if anything) is stopping us from removing dom.ipc.cpows.forbid-unsafe-from-browser and just not allowing them at all?

Oops, +ni

Flags: needinfo?(kmaglione+bmo)

(In reply to :Gijs (he/him) from comment #0)

  • browser_saveImageURL.js - this has an explicit test for a deprecated way of invoking "save image" from the context menu (after flipping dom.ipc.cpows.forbid-unsafe-from-browser) that I think we should just remove (including removing support for the CPOW stuff in the context menu etc.)

Relating to that last point, Kris, do you know what (if anything) is stopping us from removing dom.ipc.cpows.forbid-unsafe-from-browser and just not allowing them at all?

No. We unconditionally forbid CPOW usage outside of automation, so any CPOW usage that isn't from a legacy test that needs to be updated should just be deleted. It won't have worked for ages.

Flags: needinfo?(kmaglione+bmo)

Side-note: It's possible that some of those tests wound up triggering unsafe CPOWs indirectly but don't anymore. And browser_bug735471.js may have been a false positive. I honestly don't remember how how I got the list of tests. It was probably a mix of things.

browser_datetime_datepicker.js had its CPOW usage fixed in bug 1492482.

Blocks: 1620226

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: General → Toolbars and Customization
Component: Toolbars and Customization → General

This removes the annotation from the following tests:

browser/base/content/test/general:

  • browser_bug735471.js by removing the test
  • browser_clipboard.js which seems like it's not using CPOWs anyway
  • browser_blockHPKP.js which is disabled and isn't using CPOWs anyway

browser/components/customizableui/test:

  • browser_934951_zoom_in_toolbar.js as CPOW usage was removed in bug 962248

toolkit/components/reader/test:

  • browser_readerMode_with_anchor.js as CPOW usage was already removed in bug 1492482

toolkit/content/tests/browser:

  • browser_datetime_datepicker.js as CPOW usage was removed in bug 149248
  • browser_saveImageURL.js which used deprecated CPOW-only APIs that I removed in an earlier cset

It also removes all the test framework code relying on this annotation.

Depends on D70685

Regressions: 1629609
Pushed by gijskruitbosch@gmail.com: https://hg.mozilla.org/integration/autoland/rev/3045d952dc94 remove saveImageURL which, besides the now-dead CPOW checks, just calls internalSave, r=mconley https://hg.mozilla.org/integration/autoland/rev/76645a14f8ca clear up saveBrowser/saveDocument and remove all mentions of CPOWs from contentAreaUtils.js, r=mconley https://hg.mozilla.org/integration/autoland/rev/7126b3a682a0 get rid of `uses-unsafe-cpows`, r=mconley

https://hg.mozilla.org/mozilla-central/rev/3045d952dc94
https://hg.mozilla.org/mozilla-central/rev/76645a14f8ca
https://hg.mozilla.org/mozilla-central/rev/7126b3a682a0

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox77: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 77
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: