Remove inline event listeners from hiddenWindowMac.xhtml (and enforce with CSP)
Categories
(Core :: DOM: Security, task)
Tracking
Version | Tracking | Status |
---|---|---|
firefox136 | --- | fixed |
People
(Reporter: Gijs, Assigned: Gijs)
References
(Blocks 1 open bug)
Attachments
(1 file)
On macOS a bunch of code is shared between the browser window and the "hidden" window which is used when no browser windows are open.
It is its own document so it gets its own CSP (or lack thereof) and although most of the code is shared there are some separate bits that we should update.
I'm not sure it's worth making this a meta, as I think now that the main browser window is done, we just need to fix those 2 things and apply the CSP, which feels like it can happen in this bug. I expect we have limited-to-no test coverage for the hidden window as such, so I'd expect any bugs to be found either through the main browser window and things not working there, or by manual testing for these 2 dock menuitems for this bug.
Comment 3•1 month ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 5•1 month ago (Assignee)
I don't know why the dependency was removed, but I still think it was correct? We could not have added CSP for hidden windows without all the work to remove inline handlers from the browser window, as the code is shared. Keeping relationships like this is useful in case of uplifts or regressions, as they make it more obvious what needs to happen in case of uplift/backout.