Closed Bug 1951670 Opened 10 months ago Closed 10 months ago

Add a report-only CSP for blocking inline event handlers in browser.xhtml (for Release)

Categories

(Core :: DOM: Security, task)

RESOLVED FIXED
138 Branch
Tracking Status
firefox137 --- fixed
firefox138 --- fixed

People

(Reporter: tschuster, Assigned: tschuster)

Attachments

(1 file)

No description provided.
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7a2ecdf66a2b
Add a report-only CSP pref for blocking inline event handlers in browser.xhtml. r=freddyb,firefox-desktop-core-reviewers,mconley
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch

Comment on attachment 9469744 [details]
Bug 1951670 - Add a report-only CSP pref for blocking inline event handlers in browser.xhtml. r?freddyb

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: We want to collect this Telemetry as soon as possible in Release so uplifting to Beta gives us a way to do this.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: bug 1953374
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): We had a blocking CSP in Nightly/Beta for a while now. We are going to have a non-blocking (report-only) CSP for late beta/release. This is covered by tests.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9469744 - Flags: approval-mozilla-beta?
Attachment #9469744 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Blocks: 1966120