Bug 956484 - Rewrite inline script/style in /mobile/android/chrome/content/aboutPrivateBrowsing.xhtml
Opened 10 years ago, closed 10 years ago
Categories: Firefox :: General, defect
Tracking: RESOLVED FIXED, Firefox 29
People: Reporter: desiradaniel2007, Assigned: nbleasdale
References: Blocks 1 open bug
Details: Whiteboard: [qa-]
Attachments: 1 file, 1 obsolete file (4.21 KB, patch)
With the current plan to harden the security of Firefox, we want to disallow internal privileged pages from using inline JavaScript. Since their amount is fairly limited, we start this by rewriting them bit by bit.
Comment 1•10 years ago (Assignee)
Thought I'd look at this one as no one's picked it up yet.
Attachment #8358957 -
Flags: review?(mbrubeck)
Comment 2•10 years ago
Comment on attachment 8358957
bug956484.patch

Review of attachment 8358957:

Looks good. Thanks!
Attachment #8358957 -
Flags: review?(mbrubeck) → review+
Comment 3•10 years ago (Assignee)
Could someone add 'checkin-needed' to this? I don't have edit bugs privileges as yet.
Attachment #8358957 -
Attachment is obsolete: true
Updated•10 years ago
Assignee: nobody → nb.mozd
Comment 5•10 years ago
https://hg.mozilla.org/mozilla-central/rev/4ddb7a3d9cae
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 29
Updated•10 years ago
Whiteboard: [qa-]
Comment 6•10 years ago
Hi. When I do about:privatebrowsing it shows some CSS as well.

<style type="text/css"><![CDATA[
  body.normal .showPrivate,
  body.private .showNormal {
    display: none;
  }
  body.appMenuButtonVisible .toolsMenu {
    display: none;
  }
  body.appMenuButtonInvisible .appMenuButton {
    display: none;
  }
]]></style>

Ideally this should also be kept in a diff CSS file the way we are putting any JS code in separate file? Am I correct or missing something?
Comment 7•10 years ago
Ideally the CSS would not be inline either, but the CSP prohibition on 'unsafe-inline' can be applied separately to scripts and style. CSP blocks both by default, but we may have enabled inline style since style injection is less likely to be harmful. Comment 0 only mentions script, the summary mentions both; I'm not sure which is intended.
Comment 8•10 years ago (Reporter)
Separate styles too. Updating description.
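
Added example (not code from this bug, its patch, or Firefox): a Python sketch of the split comment 7 describes, resolving script-src and style-src separately with default-src as the fallback, then listing the inline constructs in a page that a given policy would block. The sample page, the policies and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

def inline_allowed(policy, directive):
    """True if policy permits inline content under script-src or style-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set
    # A nonce or hash source makes browsers ignore 'unsafe-inline'. Simplification:
    # 'strict-dynamic' and per-element nonce/hash matching are not modelled.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    return "'unsafe-inline'" in sources and not strict

class InlineFinder(HTMLParser):
    """Collects (directive, line, detail) for each inline script or style construct."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        names = [name for name, _ in attrs]
        if tag == "script" and "src" not in names:
            self.findings.append(("script-src", line, "<script> block"))
        if tag == "style":
            self.findings.append(("style-src", line, "<style> block"))
        for name in names:
            if name.startswith("on"):  # event handler attributes such as onload
                self.findings.append(("script-src", line, name + " handler"))
            elif name == "style":
                self.findings.append(("style-src", line, "style attribute"))

def blocked(markup, policy):
    """Inline constructs in markup that policy would refuse to run or apply."""
    finder = InlineFinder()
    finder.feed(markup)
    finder.close()
    return [f for f in finder.findings if not inline_allowed(policy, f[0])]

# Constructed sample page, not the real aboutPrivateBrowsing.xhtml.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">body.normal .showPrivate { display: none; }</style>
<script src="page.js"></script>
<script>init();</script>
</head><body onload="init()"><p style="color: red">text</p></body></html>"""
```

With a policy of only default-src 'self', blocked(SAMPLE, policy) reports all four inline constructs; adding style-src 'self' 'unsafe-inline' leaves only the inline script block and the onload handler.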