948883 - Move inline scripts and styles into separate file for toolkit/content/aboutSupport.xhtml (URL=about:support)

Status: RESOLVED FIXED

(Firefox :: General, defect)

Description

[Frederik Braun [:freddy]]

With the current plan to harden the security of Firefox, we want to disallow internal privileged pages to use inline JavaScript. Since their amount is fairly limited, we start this by rewriting them bit by bit.

Comment 1

[Georgiana [:gia]]

I think the inline scripts for toolkit/content/aboutSupport.xhtml had already moved into 
toolkit/content/aboutSupport.js .

Comment 2

[Ryan VanderMeulen [:RyanVM]]

checkin-needed means that there's a patch that needs landing.

Comment 3

[Tim Taubert [:ttaubert] (inactive)]

(In reply to Georgiana [:gia] from comment #1)
> I think the inline scripts for toolkit/content/aboutSupport.xhtml had
> already moved into 
> toolkit/content/aboutSupport.js .

Yes, it seems that we don't need to fix anything about this file. Thank you for checking, Georgiana!

Comment 4

[Frederik Braun [:freddy]]

I think we're overlooking something here ;)
I see a lot of onclick and style attributes that should be merged into aboutSupport.js and aboutSupport.css respectively.

Comment 5

[Tim Taubert [:ttaubert] (inactive)]

Oh, yes. Sorry I forgot about those.

Comment 6

[Anup Kumar [:reznord]]

Hi, I am interested in working on this bug. So can you please assign this to me?

Thanks in advance,

Comment 7

[Michael Green]

Hi, I am interested in working on this bug as part of a university project. If possible can it be assigned to me? Thankyou

Comment 8

[Michael Green]

How would I go about debugging the changes I have made?

Comment 9

[Michael Green]

Wondering if I can have any feedback on my progress so far, not sure on how to test? https://github.com/mozilla/gecko-dev/pull/6

Comment 10

[Michael Green]

Attachment: hg version of proposed git patch

Comment 11

[Frederik Braun [:freddy]]

Comment on attachment 8372196 [details] [diff] [review]
hg version of proposed git patch

Review of attachment 8372196 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for this patch, it looks like a good first try!
Please address these comments and flag me with "feedback?" again.

::: toolkit/content/aboutSupport.js
@@ +605,5 @@
> +var ShowUpdateHistory-button = document.getElementById("ShowUpdateHistory-button");
> +ShowUpdateHistory-button.addEventListener("click",showUpdateHistory());
> +
> +var ProfileDir-button = document.getElementById("ProfileDir-button");
> +ProfileDir-button.addEventListener("click",openProfileDirectory());
\ No newline at end of file

Most of your introduced variable names are invalid to JavaScript. Please look through our Coding Guidelines: https://developer.mozilla.org/en/docs/Developer_Guide/Coding_Style

::: toolkit/themes/windows/global/aboutSupport.css
@@ +118,5 @@
> +}
> +
> +#prefs-user-js-section{
> +  display:none;
> +}

Your CSS patch should work, but you could consider creating two classes (one with display:block and one with display:none). And assign those to the elements instead of unique IDs.

Comment 12

[Florian Bender]

(In reply to Michael Green from comment #9)
> Wondering if I can have any feedback on my progress so far, not sure on how
> to test? https://github.com/mozilla/gecko-dev/pull/6

That repository is read-only, any pull request will be ignored.

Comment 13

[Michael Green]

Attachment: Proposed 948883.patch

Comment 14

[Frederik Braun [:freddy]]

Comment on attachment 8384641 [details] [diff] [review]
Proposed 948883.patch

Review of attachment 8384641 [details] [diff] [review]:
-----------------------------------------------------------------

Looks OK. I'll give it a test later on.

::: toolkit/content/aboutSupport.xhtml
@@ +28,5 @@
>    </head>
>  
>    <body dir="&locale.dir;">
>  
> +    <div id="reset-box">

You have introduced a CSS class "hidden", I think you want to use it here.

Comment 15

[Frederik Braun [:freddy]]

Comment on attachment 8384641 [details] [diff] [review]
Proposed 948883.patch

Looks good from here. Let's get a Toolkit module peer to review!

Comment 16

[Michael Green]

I have added the CSS class I missed, should I add another attachment?

Comment 17

[Frederik Braun [:freddy]]

Ah, right I forgot that part. Please obsolete the previous patch, carry over my "feedback+" rating and ask Blair for a review on the new patch.
Thanks! :)

Comment 18

[Michael Green]

Attachment: patch-948883.patch

Comment 19

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Comment on attachment 8386776 [details] [diff] [review]
patch-948883.patch

Review of attachment 8386776 [details] [diff] [review]:
-----------------------------------------------------------------

Almost there

::: toolkit/content/aboutSupport.js
@@ +589,5 @@
> +/**
> + * Set up event listeners for buttons.
> + */
> +function setupEventListeners(){
> +  document.getElementById("show-update-history-button").onclick = function(event) {

Always use addEventListener() to handle events.

Also, you can shorten these lines a bit. This file defines a $ function, which is just document.getElementById(). So you can do:
  $("show-update-history-button")

@@ +591,5 @@
> + */
> +function setupEventListeners(){
> +  document.getElementById("show-update-history-button").onclick = function(event) {
> +	  var prompter = Cc["@mozilla.org/updates/update-prompt;1"].createInstance(Ci.nsIUpdatePrompt);
> +	  prompter.showUpdateHistory(window);

Mozilla code always uses 2 spaces for indentation - you're used a tab characters here.

@@ +600,5 @@
> +  document.getElementById("copy-raw-data-to-clipboard").onclick = function(event){
> +	copyRawDataToClipboard(this);
> +  }
> +  document.getElementById("copy-to-clipboard").onclick = function(event){
> +	copyContentsToClipboard();

For cases like this, you can simplify by just registering this function as the event listener:

  document.getElementById("copy-to-clipboard").addEventListener("click", copyContentsToClipboard);

::: toolkit/content/aboutSupport.xhtml
@@ +26,5 @@
>      <script type="application/javascript;version=1.7"
>              src="chrome://global/content/resetProfile.js"/>
>    </head>
>    <body dir="&locale.dir;">
> +    <div id="reset-box class="hide">

Typo here - missing the end quote at the end of the id attribute value. 

But also, this shouldn't have the "hide" class. The original inline style never had display:none, so adding it here is changing the behaviour.

::: toolkit/themes/windows/global/aboutSupport.css
@@ +102,5 @@
>    margin: auto;
>  }
> +
> +.block {
> +display:block;

Indent the contents of rules by 2 spaces.

@@ +105,5 @@
> +.block {
> +display:block;
> +}
> +
> +.hide {

Convention is to name this class "hidden".

Comment 20

[Michael Green]

Attachment: patch-948883.patch

I have made the changes that were mentioned by Blair.

Michael

Comment 21

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Comment on attachment 8390055 [details] [diff] [review]
patch-948883.patch

Review of attachment 8390055 [details] [diff] [review]:
-----------------------------------------------------------------

Can you post the full diff? This is changes made on top of your other changes - what we ideally want is changes to a clean tree.

The reason being is that it's hard to review just a diff of a diff - generally reviewers want each revision to be a complete standalone diff, to see the whole picture. We have tools to get an interdiff (diff between two revisions of a patch) when it's useful.

Comment 22

[Michael Green]

Attachment: patch-948883.patch

Changes against the clean tree,

Michael

Comment 23

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Comment on attachment 8390468 [details] [diff] [review]
patch-948883.patch

Review of attachment 8390468 [details] [diff] [review]:
-----------------------------------------------------------------

Awesome :) Good to go!

Comment 24

[Ryan VanderMeulen [:RyanVM]]

Doesn't apply to fx-team.

Comment 25

[Michael Green]

Hi, just wondering what the above comments means? Are any changes needed? 
Thanks! :)

Comment 26

[Ekanan Ketunuti]

(In reply to Michael Green from comment #25)
> Hi, just wondering what the above comments means? Are any changes needed? 
> Thanks! :)

This patch doesn't apply cleanly against current fx-team tip (https://hg.mozilla.org/integration/fx-team/) 
i guess because this patch has no newline at end of file, but current fx-team has newline at eof.

-------
$ hg qpush patch-948883.patch

applying patch-948883.patch
patching file toolkit/content/aboutSupport.js
Hunk #2 FAILED at 574
1 out of 2 hunks FAILED -- saving rejects to file toolkit/content/aboutSupport.js.rej
patching file toolkit/content/aboutSupport.xhtml
Hunk #6 FAILED at 314
1 out of 6 hunks FAILED -- saving rejects to file toolkit/content/aboutSupport.xhtml.rej
patching file toolkit/themes/windows/global/aboutSupport.css
Hunk #1 FAILED at 83
1 out of 1 hunks FAILED -- saving rejects to file toolkit/themes/windows/global/aboutSupport.css.rej
patch failed to apply
toolkit/content/aboutSupport.js
toolkit/content/aboutSupport.xhtml
patch failed, rejects left in working dir
errors during apply, please fix and refresh patch-948883.patch
-------

Please post a patch based on current fx-team tree and re-request checkin.

Comment 27

[Michael Green]

Attachment: patch-948883.patch

Comment 28

[Ekanan Ketunuti]

Thank you, Michael. Tree sheriff will get to this soon.
Try run for reference: https://tbpl.mozilla.org/?tree=Try&rev=c7af18348ce3

Comment 29

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/fx-team/rev/12b62c93d740

Comment 30

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/12b62c93d740