Closed Bug 1939584 Opened 2 months ago Closed 1 month ago

Remove inline event listeners from hiddenWindowMac.xhtml (and enforce with CSP)

Categories

(Core :: DOM: Security, task)

Desktop
All
task

Tracking

()

RESOLVED FIXED
136 Branch
Tracking Status
firefox136 --- fixed

People

(Reporter: Gijs, Assigned: Gijs)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

On macOS a bunch of code is shared between the browser window and the "hidden" window which is used when no browser windows are open.

It is its own document so it gets its own CSP (or lack thereof) and although most of the code is shared there are some separate bits that we should update.

I'm not sure it's worth making this a meta, as I think now that the main browser window is done, we just need to fix those 2 things and apply the CSP, which feels like it can happen in this bug. I expect we have limited-to-no test coverage for the hidden window as such, so I'd expect any bugs to be found either through the main browser window and things not working there, or by manual testing for these 2 dock menuitems for this bug.
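An added example, not part of this bug or of the Firefox patch: a Node.js audit that lists inline `on*` handler attributes in XUL/XHTML markup and checks whether a given CSP would block them, which is the cleanup the comment above describes for the hidden window's document. The sample markup, ids, handler names and policy string are constructed, and the scanner assumes well-formed XML attributes.

```javascript
// Added example (not Firefox code). SAMPLE_MARKUP and SAMPLE_CSP are constructed;
// they are not the contents of hiddenWindowMac.xhtml or Firefox's real policy.
const SAMPLE_MARKUP = `<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <!-- <menuitem oncommand="commentedOut();"/> -->
  <menupopup id="sample-dock-menu">
    <menuitem id="sample-item-a" label="A" oncommand="sampleOpenWindow();"/>
    <menuitem id="sample-item-b" label="B"
              oncommand='samplePrivateWindow();'/>
    <menuitem id="sample-item-c" label="C"/>
  </menupopup>
</window>`;
const SAMPLE_CSP = "default-src chrome:; script-src chrome: resource:";

// List every on* attribute in start tags (assumes well-formed XML attributes).
function findInlineHandlers(markup) {
  // Blank out comments but keep newlines so reported line numbers stay correct.
  const text = markup.replace(/<!--[\s\S]*?-->/g, (c) => c.replace(/[^\n]/g, " "));
  const tagRe = /<([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/g;
  const found = [];
  for (const tag of text.matchAll(tagRe)) {
    const attrs = [...tag[2].matchAll(/([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)]
      .map((a) => ({ name: a[1], value: a[2] ?? a[3] }));
    const id = attrs.find((a) => a.name === "id")?.value ?? null;
    const line = text.slice(0, tag.index).split("\n").length;
    for (const a of attrs) {
      if (/^on[a-z]+$/i.test(a.name)) found.push({ line, element: tag[1], id, attribute: a.name, code: a.value });
    }
  }
  return found;
}

// Inline handlers are governed by script-src-attr, falling back to script-src,
// then default-src (CSP Level 3). Per-handler 'unsafe-hashes' is not modeled.
function policyBlocksInlineHandlers(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  const governing = ["script-src-attr", "script-src", "default-src"].find((d) => directives.has(d));
  if (!governing) return false; // no governing directive, so nothing is restricted
  const sources = directives.get(governing);
  // A nonce, hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  const ignored = sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return !sources.includes("'unsafe-inline'") || ignored;
}

const blocked = policyBlocksInlineHandlers(SAMPLE_CSP);
for (const h of findInlineHandlers(SAMPLE_MARKUP))
  console.log(`line ${h.line}: #${h.id} ${h.attribute}="${h.code}" blocked by CSP: ${blocked}`);
```

Each reported attribute is a handler to re-register from script with `addEventListener` before the policy is applied to the document.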

Blocks: 1935985
Type: defect → task
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Attachment #9445446 - Attachment description: Bug 1939584 - clean up nonbrowser-mac.js and stop using inline event handlers in the mac hidden window, r?tschuster! → Bug 1939584 - clean up nonbrowser-mac.js and stop using inline event handlers in the mac hidden window, r?tschuster!,#firefox-desktop-core-reviewers
Pushed by gijskruitbosch@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8c30826cb1b6
clean up nonbrowser-mac.js and stop using inline event handlers in the mac hidden window, r=tschuster,firefox-desktop-core-reviewers,mossop

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → DOM: Security
Product: Firefox → Core
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Blocks: 1940445
No longer blocks: 1935985
No longer depends on: 1890547

I don't know why the dependency was removed, but I still think it was correct? We could not have added CSP for hidden windows without all the work to remove inline handlers from the browser window, as the code is shared. Keeping relationships like this is useful in case of uplifts or regressions, as they make it more obvious what needs to happen in case of uplift/backout.

Depends on: 1890547