Closed Bug 1936336 Opened 11 months ago Closed 11 months ago

Disallow inline event handlers in browser.xhtml in debug builds (and test)

Categories

(Firefox :: General, task)

Product:
Firefox
Component:
General
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox135 --- fixed

People

(Reporter: tschuster, Assigned: tschuster)

References

Details

Attachments

(1 file)

Bug 1936336 - Disallow inline event handlers in browser.xhtml in debug builds (and test). r?freddyb!,Gijs!
48 bytes, text/x-phabricator-request
Details | Review

After we have removed all inline event handlers from browser.xhtml we should add something like this to its HTML:

#ifdef NIGHTLY_BUILD
  <meta http-equiv="Content-Security-Policy" content="script-src-attr 'self'" />
#endif

Additionally we should have some kind of test that ensures that e.g. using setAttribute("onclick") on the browser is correctly blocked.

Blocks: 1890547
No longer depends on: 1890547
Assignee: nobody → tschuster
Summary: Dissallow inline event handlers in browser.xhtml in Nightly (and test) → Disallow inline event handlers in browser.xhtml in Nightly (and test)
Depends on: 1936522

Big try push

Attachment #9442886 - Attachment description: WIP: Bug 1936336 - Disallow inline event handlers in browser.xhtml in Nightly (and test) → WIP: Bug 1936336 - Disallow inline event handlers in browser.xhtml in debug builds (and test)
Summary: Disallow inline event handlers in browser.xhtml in Nightly (and test) → Disallow inline event handlers in browser.xhtml in debug builds (and test)
Duplicate of this bug: 1937078
Depends on: 1937540
Attachment #9442886 - Attachment description: WIP: Bug 1936336 - Disallow inline event handlers in browser.xhtml in debug builds (and test) → Bug 1936336 - Disallow inline event handlers in browser.xhtml in debug builds (and test). r?freddyb!,Gijs!
Depends on: 1938082
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4f1ddec217ba Disallow inline event handlers in browser.xhtml in debug builds (and test). r=freddyb,Gijs

Backed out for causing bc failures @ browser_policy_managedbookmarks.js

TEST-UNEXPECTED-FAIL | browser/components/enterprisepolicies/tests/browser/managedbookmarks/browser_policy_managedbookmarks.js | Uncaught exception in test bound test_policy_managedbookmarks - at chrome://mochitests/content/browser/browser/components/enterprisepolicies/tests/browser/managedbookmarks/browser_policy_managedbookmarks.js:35 - TypeError: can't access property "label", managedBookmarksMenu.menupopup.children[0] is undefined
Flags: needinfo?(tschuster)

Bug 1938883

Flags: needinfo?(tschuster)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c84982de770a Disallow inline event handlers in browser.xhtml in debug builds (and test). r=freddyb,Gijs

https://hg.mozilla.org/mozilla-central/rev/c84982de770a

Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox135: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Regressions: 1939553
No longer regressions: 1939553
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: