Closed Bug 1957850 Opened 8 months ago Closed 8 months ago

Add a strict script-src CSP to hiddenWindowMac.xhtml

Categories

(Core :: DOM: Security, task)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
139 Branch
Tracking Flags:
Tracking Status
firefox139 --- fixed

People

(Reporter: tschuster, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1957850 - Add a strict script-src CSP to hiddenWindowMac.xhtml. r?Gijs
48 bytes, text/x-phabricator-request
Details | Review

We currently use the policy script-src-attr 'none' for hiddenWindowMac.xhtml's CSP, we should upgrade this to script-src chrome: resource:. The most important aspect is that this would disallow inline scripts in addition to inline event handlers.

Assignee: nobody → tschuster
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/75f3310bf965 Add a strict script-src CSP to hiddenWindowMac.xhtml. r=Gijs

https://hg.mozilla.org/mozilla-central/rev/75f3310bf965

Status: NEW → RESOLVED
Closed: 8 months ago
status-firefox139: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
QA Whiteboard: [qa-triage-done-c140/b139]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: