Closed Bug 1939490 Opened 10 months ago Closed 9 months ago

Remove inline style from MozPanel

Categories: Toolkit :: UI Widgets, defect
Status: RESOLVED FIXED
Target Milestone: 136 Branch
Tracking Status: firefox136 --- fixed
People: Reporter: tschuster, Assigned: tschuster
References: Blocks 1 open bug
Attachments: 1 file

Every time I open the devtools, I see a bunch of CSP violations in the parent process.

Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “default-src chrome: resource:” 2 customElements.js:499:25
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “default-src chrome: resource:”

This is apparently caused by the inline style in the MozPanel markup.

I plan on adding telemetry for CSP violations in the parent process, so this would be nice to avoid. Otherwise I am just going to filter these out.

See Also: → 1937080
Severity: -- → S3
Priority: -- → P3

These other usages of panel don't seem to trigger a CSP warning, whereas they are also done on chrome: documents.
Any idea why they wouldn't be triggered against browser.xhtml?

Other panel users probably have a less restrictive CSP or no CSP at all. Devtools seems to use default-src chrome: resource:; and no style-src.

Obviously it would be best to remove the inline style instead of making the devtools' CSP weaker.

Indeed, the following seems to make the error go away:

diff --git a/devtools/client/framework/toolbox.xhtml b/devtools/client/framework/toolbox.xhtml
--- a/devtools/client/framework/toolbox.xhtml
+++ b/devtools/client/framework/toolbox.xhtml
@@ -7,7 +7,7 @@
 <window
   xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   xmlns:html="http://www.w3.org/1999/xhtml"
-  csp="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'"
+  csp="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'; style-src 'unsafe-inline';"
   role="application"
 >
   <linkset>
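Review bot: the added line re-enables every inline style in toolbox.xhtml, both style elements and style="" attributes, to silence a single attribute-level violation; since the reported violation names style-src-attr, the narrower "style-src-attr 'unsafe-inline'" would cover it without also loosening style elements, and removing the inline style from the widget itself avoids widening the policy at all. Minor: the trailing ";" after 'unsafe-inline' is harmless but inconsistent with the rest of the attribute value.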

Looks like you're using a custom element that has a style= attribute. The more minimal CSP would allow style-src-attr rather than all of style-src.

I think the code is from https://searchfox.org/mozilla-central/rev/ead020d3989d3e9477b353d3d117f9c0f4b16f53/toolkit/content/widgets/panel.js#12, so maybe we should move this to Toolkit :: UI Widgets so that it's fixed at the source and for all consumers?

Flags: needinfo?(tschuster)
Component: General → UI Widgets
Flags: needinfo?(tschuster)
Product: DevTools → Toolkit
Summary: Opening the devtools creates a Content-Security-Policy violation → Remove inline style from MozPanel
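As an added example (not code from this bug or from mozilla-central) of the directive fallback the comments above rely on: a small JavaScript model of which CSP directive governs an inline style and whether it allows it, run against the toolbox.xhtml policy from the diff and the two relaxations discussed. Nonce and hash source expressions are assumed away.

```javascript
// Added example, not code from the bug or from mozilla-central: a model of the
// CSP Level 3 fallback chain that decides which directive governs an inline style
// and whether it is allowed. Nonce/hash source expressions are not modelled.
const FALLBACK = {
  // inline style="" attribute, like the one MozPanel's markup sets
  attr: ["style-src-attr", "style-src", "default-src"],
  // inline <style> element
  elem: ["style-src-elem", "style-src", "default-src"],
};

// Parse a serialized policy (as in the csp attribute on <window>) into
// directive-name -> [source expressions]. Per the spec, a repeated directive
// name is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// kind is "attr" or "elem". Returns the governing directive (null when the
// policy has none in the chain) and whether the inline style is allowed.
function inlineStyleAllowed(policy, kind) {
  const directives = parseCsp(policy);
  for (const name of FALLBACK[kind]) {
    if (directives.has(name)) {
      const sources = directives.get(name).map((s) => s.toLowerCase());
      return { governing: name, allowed: sources.includes("'unsafe-inline'") };
    }
  }
  return { governing: null, allowed: true };
}

// Constructed policies: the toolbox.xhtml one from the bug, plus the broad and
// the narrow relaxation discussed in the comments.
const DEVTOOLS_CSP =
  "default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'";
const BROAD_FIX = DEVTOOLS_CSP + "; style-src 'unsafe-inline';";
const NARROW_FIX = DEVTOOLS_CSP + "; style-src-attr 'unsafe-inline'";

console.log(inlineStyleAllowed(DEVTOOLS_CSP, "attr")); // { governing: 'default-src', allowed: false }
console.log(inlineStyleAllowed(BROAD_FIX, "elem")); // { governing: 'style-src', allowed: true }
console.log(inlineStyleAllowed(NARROW_FIX, "elem")); // { governing: 'default-src', allowed: false }
```

The last two lines show why style-src-attr is the more minimal change: it unblocks the attribute while a style element still falls through to default-src.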

The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit BugBot documentation.

Priority: P3 → --

I will try to fix this so we don't end up with so many unnecessary telemetry pings.

Assignee: nobody → tschuster
Attachment #9460667 - Attachment description: WIP: Bug 1939490 - Stop using inline style for MozPanel → Bug 1939490 - Stop using inline style for MozPanel. r?Gijs
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bb65a5456898 Stop using inline style for MozPanel. r=Gijs,emilio
Blocks: 1943925
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
