Stop relying on `security.csp.enable` for tests in devtools/client/framework/tests
Categories: DevTools :: General, task
Tracking: firefox99 fixed
People: Reporter: freddy, Assigned: jdescottes
References: Blocks 1 open bug
Attachments: 1 file
In bug #1754301, we want to remove the pref for disabling CSP, `security.csp.enable`. CSP has become a cornerstone of web security and supporting configurations in which it has been disabled seems like a lot of unnecessary work.
In order for us to remove the pref, we need the tests `browser_toolbox_show_toolbox_tool_ready.js` and `browser_toolbox_textbox_context_menu.js` to stop using it.
I tried to move the current `data:` URLs to support-files URLs but have not yet been successful, as `https://example.org` or `https://mochi.test:8888` is not allowed by CSP. A next step would be to load them via `chrome://`, I suppose, but that seems to fail within devtools' own code? I can share a WIP patch either way.
Comment 1 (Reporter) • 3 years ago
@jdescottes: Can you share how the toolbox tool is lazy loaded? Is it using an iframe? I'm also not sure what the "top level document" is and where its CSP is stored. I'm wondering if we could relax the CSP for that document to include data: but only when under test.
Comment 2 (Assignee) • 3 years ago
Hi Freddy! Some answers below:
The document for the toolbox is at: https://searchfox.org/mozilla-central/source/devtools/client/framework/toolbox.xhtml, and it defines a CSP.
It is loaded in an iframe via the URL about:devtools-toolbox, at https://searchfox.org/mozilla-central/rev/94d7c959115c03ea1e9406d6105b36cabe63775d/devtools/client/framework/toolbox-host-manager.js#124
The frame is created at https://searchfox.org/mozilla-central/rev/94d7c959115c03ea1e9406d6105b36cabe63775d/devtools/client/framework/toolbox-hosts.js#418-434
That being said, I prefer not to allow data: in tests, because we might miss regressions.
Let's update the tests to make them use resource or chrome URLs. I'll push a patch to review shortly.
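To make the CSP reasoning above concrete, here is an added example (not DevTools code, and not the actual policy of toolbox.xhtml) of how the source expressions governing iframe loads are matched, with the `frame-src` -> `child-src` -> `default-src` fallback chain; the policy string and the `chrome://mochitests/...` support-file path are assumptions for illustration.

```javascript
// Added example (not DevTools code): a minimal matcher for the CSP source
// expressions that govern iframe loads, with the frame-src -> child-src ->
// default-src fallback chain. The policy string is an ASSUMPTION chosen to
// show why data: and https: documents are refused while chrome:/resource: pass.
const ASSUMED_TOOLBOX_CSP = "default-src chrome: resource:; img-src chrome: resource: data:";

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // First occurrence of a directive wins, as in the CSP spec.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Default port for the schemes a host-source port check needs here.
function defaultPort(protocol) {
  return { "http:": "80", "https:": "443" }[protocol] || "";
}

// Does a single source expression admit the URL? Handles 'none',
// scheme-source ("chrome:") and host-source ("https://mochi.test:8888").
// 'self' and wildcard hosts are out of scope for this illustration.
function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol.toLowerCase() === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (url.hostname !== host.toLowerCase()) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  return !port || port === "*" || port === urlPort;
}

// Is a document at urlString allowed as an iframe under the policy?
function isFrameAllowed(policy, urlString) {
  const directives = parseCsp(policy);
  const sources = directives.get("frame-src") ||
    directives.get("child-src") || directives.get("default-src");
  if (!sources) return true; // no governing directive: nothing to enforce
  const url = new URL(urlString);
  return sources.some(src => sourceMatches(src, url));
}
```

Under the assumed policy, `data:text/html,...`, `https://example.org` and `https://mochi.test:8888` are all refused for a tool frame, while a `chrome://` or `resource://` support file is admitted, which is the behaviour the test change relies on.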
Comment 3 (Assignee) • 3 years ago
Comment 5 (bugherder) • 3 years ago