Closed Bug 956484 Opened 10 years ago Closed 10 years ago

Rewrite inline script/style in /mobile/android/chrome/content/aboutPrivateBrowsing.xhtml

Categories

(Firefox :: General, defect)

26 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Firefox 29

People

(Reporter: desiradaniel2007, Assigned: nbleasdale)

References

(Blocks 1 open bug)

Details

(Whiteboard: [qa-])

Attachments

(1 file, 1 obsolete file)

With the current plan to harden the security of Firefox, we want to disallow internal privileged pages from using inline JavaScript. Since their number is fairly limited, we start this by rewriting them bit by bit.
Blocks: 923920
Attached patch bug956484.patch (obsolete) — Splinter Review
Thought I'd look at this one as no one's picked it up yet.
Attachment #8358957 - Flags: review?(mbrubeck)
Comment on attachment 8358957 [details] [diff] [review]
bug956484.patch

Review of attachment 8358957 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.  Thanks!
Attachment #8358957 - Flags: review?(mbrubeck) → review+
Attached patch bug956484.patch - Splinter Review
Could someone add 'checkin-needed' to this? I don't have edit bugs privileges as yet.
Attachment #8358957 - Attachment is obsolete: true
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: checkin-needed
Assignee: nobody → nb.mozd
https://hg.mozilla.org/integration/fx-team/rev/4ddb7a3d9cae
Flags: in-testsuite-
Keywords: checkin-needed
Whiteboard: [fixed-in-fx-team]
https://hg.mozilla.org/mozilla-central/rev/4ddb7a3d9cae
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 29
Whiteboard: [qa-]
Hi. When I do about:privatebrowsing it shows some CSS as well.
<style type="text/css"><![CDATA[
      body.normal .showPrivate,
      body.private .showNormal {
        display: none;
      }
      body.appMenuButtonVisible .toolsMenu {
        display: none;
      }
      body.appMenuButtonInvisible .appMenuButton {
        display: none;
      }
    ]]></style>

Ideally this should also be kept in a different CSS file, the way we are putting any JS code in a separate file?
Am I correct or missing something?
Ideally the CSS would not be inline either, but the CSP prohibition on 'unsafe-inline' can be applied separately to scripts and style. CSP blocks both by default, but we may have enabled inline style since style injection is less likely to be harmful. Comment 0 only mentions script, the summary mentions both; I'm not sure which is intended.
Separate styles too. Updating description.
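
The point raised in the last comments, that CSP can prohibit inline script while still permitting inline style, shown as an added example (not Firefox code and not part of the attached patch): a small checker that reports whether a policy string allows each. The function names and sample policies are constructed for illustration, and only `script-src`, `style-src` and `default-src` are considered.

```javascript
// Added example: decide whether a CSP policy string permits inline <script>
// and inline <style>. Function names and sample policies are constructed.

// Parse "directive src src; directive src" into a Map of name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if the effective source list for `directive` lets inline content apply.
function allowsInline(directives, directive) {
  // script-src and style-src fall back to default-src when absent.
  const key = directives.has(directive) ? directive : 'default-src';
  if (!directives.has(key)) return true; // nothing governs this resource type
  const sources = directives.get(key).map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Report inline script and inline style separately for one policy string.
function inlinePolicy(policy) {
  const d = parseCsp(policy);
  return {
    script: allowsInline(d, 'script-src'),
    style: allowsInline(d, 'style-src'),
  };
}

// Constructed sample policies, from strictest to mixed.
const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "default-src 'self' 'unsafe-inline'; script-src 'self'",
  "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
];
for (const p of samples) console.log(p, '->', inlinePolicy(p));
```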