948898 - Move inline scripts and styles into separate file for mobile/android/chrome/content/aboutHealthReport.xhtml (URL=about:healthreport)

Status: RESOLVED FIXED

(Firefox for Android Graveyard :: General, defect)

Description

[Frederik Braun [:freddy]]

With the current plan to harden the security of Firefox, we want to disallow internal privileged pages to use inline JavaScript. Since their amount is fairly limited, we start this by rewriting them bit by bit.

Comment 1

[Sumit]

I like to work on this bug, but I can't understand clearly what I have to do.

Comment 2

[Frederik Braun [:freddy]]

You would need some basic understanding of HTML and JavaScript. You will need to modify the HTML to remove event handler attributes (onclick=, onload=, on...) and replace them with JavaScript.

We have a wiki page that explains this project: https://wiki.mozilla.org/Security/Inline_Scripts_and_Styles

Comment 3

[anton_11111]

Hello, can I have this bug assigned to me please?

Comment 4

[Frederik Braun [:freddy]]

Go for it! I hope you'll know better how to handle this, than the previous assignees :)

Comment 5

[anton_11111]

is it just the onload and onunload events in the body tags that need to be moved?

Comment 6

[anton_11111]

sorry I also meant to add this onto comment 5 does the script in the head also need changing?

Comment 7

[Frederik Braun [:freddy]]

It's just the onload and onunload.

Comment 8

[anton_11111]

Attachment: proposed changes to the abouthHealthReport.js

Sorry about the delay was busy with other things, is this on the right track?

Comment 9

[Frederik Braun [:freddy]]

Comment on attachment 8393376 [details]
proposed changes to the abouthHealthReport.js

Can you please provide this as a patch file instead?
There's a good guide on how to contribute patches here on MDN: https://developer.mozilla.org/en-US/docs/Developer_Guide/How_to_Submit_a_Patch

Comment 10

[anton_11111]

Attachment: proposed patch take 2 for aboutHealthReport.js

added now as a patch.

Comment 11

[Frederik Braun [:freddy]]

Sorry, but this is the patched file again, not a diff. Please read the instructions on the wiki. If you need additional help, I'm on IRC right now (Server irc.mozilla.org, channel #security)

Comment 12

[anton_11111]

Attachment: patch1forbug948898.patch

is this correct?, sorry about the other attempts as this is my first time.

Comment 13

[Frederik Braun [:freddy]]

Comment on attachment 8394687 [details] [diff] [review]
patch1forbug948898.patch

Review of attachment 8394687 [details] [diff] [review]:
-----------------------------------------------------------------

This patch has the correct format, but some bits are not functional.
You need to add an event listener seperately from the definition of the functions.
Please check our this wiki page that links to bugs similar to this. They should have attachments that show how to add event listeners. https://wiki.mozilla.org/Security/Inline_Scripts_and_Styles#Finding_Inspiration
If you need additional help on event listeners, take a look at https://developer.mozilla.org/en-US/docs/Web/API/EventTarget.addEventListener

::: mobile/android/chrome/content/aboutHealthReport.js
@@ +32,5 @@
>  // SharedPreferences.
>  let sharedPrefs = new SharedPreferences();
>  
>  let healthReportWrapper = {
> +  window.onload = (init): function () {

Both this and the "onunload" bit are not valid JavaScript :(

::: mobile/android/chrome/content/aboutHealthReport.xhtml
@@ +25,5 @@
>       type="text/css" />
>     <script type="text/javascript;version=1.8"
>       src="chrome://browser/content/aboutHealthReport.js" />
>    </head>
> +  <body>

This bit is correct! :)

Comment 14

[anton_11111]

Attachment: patch version 2 for bug 948898

I used the event handlers but wasn't too sure on location so I'm not fully sure if it is correct.

Comment 15

[anton_11111]

I am having issues creating a patch the lines I have changed aren't showing as modified in the patch file

Comment 16

[anton_11111]

Attachment: attempt number two for bug 948898 now with event listeners

Got my problem sorted so I hope this is closer to the goal :).

Comment 17

[Frederik Braun [:freddy]]

Comment on attachment 8396663 [details] [diff] [review]
attempt number two for bug 948898 now with event listeners

Review of attachment 8396663 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good. Please address these comments and then you should be good to go.

::: mobile/android/chrome/content/aboutHealthReport.js
@@ +59,5 @@
>      Services.obs.removeObserver(this, EVENT_HEALTH_RESPONSE);
>    },
>  
> +  window.addEventListener("unload", uninit, false);
> +  

About your changes to aboutHealthReport.js:
First, they don't belong in the definition of healthReportWrapper, they should go after it (basically, the end of the file).
For the scope to still work you'll have to prefix the function names with "healthReportWrapper." again.

Please also remove the extra blank lines after the window.addEventListener() calls.

Comment 18

[anton_11111]

Attachment: An updated patch with the changes requested from the previous patch

Is it ok just updating the previous patch file with the new changes I made?

Comment 19

[Frederik Braun [:freddy]]

Comment on attachment 8399413 [details] [diff] [review]
An updated patch with the changes requested from the previous patch

Review of attachment 8399413 [details] [diff] [review]:
-----------------------------------------------------------------

Looking good. Please address this minor comment and then flag someone else fore review, e.g. Margaret Leibovic.

::: mobile/android/chrome/content/aboutHealthReport.js
@@ +192,5 @@
>    },
>  };
> +
> +  window.addEventListener("load", healthReportWrapper.init, false);
> +  window.addEventListener("unload", healthReportWrapper.uninit, false);

Nit: Please remove the spaces at the start of the lines.

Comment 20

[anton_11111]

Attachment: patch for bug 948898 with the removed spaces

hopefully this is the final patch I removed the spaces on the lines as requested :)

Comment 21

[:Margaret Leibovic]

Comment on attachment 8399415 [details] [diff] [review]
patch for bug 948898 with the removed spaces

Review of attachment 8399415 [details] [diff] [review]:
-----------------------------------------------------------------

Did you test this patch? If you did, you would see that about:healthreport doesn't load :)

::: mobile/android/chrome/content/aboutHealthReport.js
@@ +192,5 @@
>    },
>  };
> +
> +window.addEventListener("load", healthReportWrapper.init, false);
> +window.addEventListener("unload", healthReportWrapper.uninit, false);

These will not work because thet will call healthReportWrapper.init/uninit with the event context, not with the healthReportWrapper context (meaning the value of `this` will not be what we want inside the init/uninit functions).

To fix this, add .bind(healthReportWrapper) to these functions, like this:
window.addEventListener("unload", healthReportWrapper.init.bind(healthReportWrapper), false);

For more info, see:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/bind

Comment 22

[anton_11111]

I'm not sure i can test the changes on windows if I'm looking at the wiki correctly. I have made the changes but I'm not entirely sure how to test it locally?

Comment 23

[anton_11111]

Attachment: added bind to the event handlers

is it ok if i can get feedback on this patch suggestion while I'm setting up a way to be able to test changes?

sorry for any inconvenience as this is my first time and I'm getting used to the different tools and techniques :)

Comment 24

[:Margaret Leibovic]

(In reply to anton_11111 from comment #22)
> I'm not sure i can test the changes on windows if I'm looking at the wiki
> correctly. I have made the changes but I'm not entirely sure how to test it
> locally?

Yes, unfortunately we don't support building Firefox for Android on Windows, so I'm guessing that means you didn't build these changes? If you're using Windows, you can use a Linux VM to build Firefox:
https://wiki.mozilla.org/Mobile/Fennec/Android#Windows_.28using_Linux_VM.29

After you have a build, you can test it on most Android devices, or using the Android emulator.

In general, we like to encourage contributors to get a local build/test environment set up before working on patches, but it's fine that you got a head start :)

Comment 25

[:Margaret Leibovic]

Comment on attachment 8400150 [details] [diff] [review]
added bind to the event handlers

Review of attachment 8400150 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good, thanks for addressing my feedback.

Comment 26

[anton_11111]

I'm not sure if this is a bad question but what do I need to do next?

Comment 27

[:Margaret Leibovic]

(In reply to anton_11111 from comment #26)
> I'm not sure if this is a bad question but what do I need to do next?

Have you been able to test this? This patch is good to land, so I'll mark this bug as checkin-needed so that someone will commit it for you, but you should make sure you can test local changes before taking on your next Firefox for Android bug :)

Comment 28

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/fx-team/rev/6e1666ecd351

Comment 29

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/6e1666ecd351