Closed Bug 1492063 Opened 6 years ago Closed 5 years ago

[meta] Apply Meta CSP to remaining about: pages

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Depends on 1 open bug, Blocks 3 open bugs)

Details

(Keywords: meta, Whiteboard: [domsecurity-meta])

Similar to what we do within Bug 1449872, where we enforce that all content privileged about: pages ship with a CSP, we can update AssertContentPrivilegedAboutPageHasCSP() within CSP to also assert on system privileged about pages. We still have to wait till Bug 965637 has landed before we can start doing that though.
Blocks: 1430748
Depends on: 965637
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1449872
Summary: Apply Meta CSP to more System Privileged about: pages → [meta] Apply Meta CSP to more System Privileged about: pages[
Priority: -- → P3
Whiteboard: [domsecurity-meta]
Assignee: nobody → ckerschb
Summary: [meta] Apply Meta CSP to more System Privileged about: pages[ → [meta] Apply Meta CSP to more System Privileged about: pages
Depends on: 1495983
Status: NEW → ASSIGNED
Depends on: 1496010
Depends on: 1496386
Depends on: 1496406
Depends on: 1496418
Depends on: 1497189
Depends on: 1497190
Depends on: 1497191
Depends on: 1497195
Depends on: 1497197
Depends on: 1497199
Depends on: 1497200
Depends on: 1497201
Depends on: 1497202
Depends on: 1497203
Depends on: 1497204
Depends on: 1497205
Depends on: 1497206
Depends on: 1497207
Depends on: 1497209
Depends on: 1497211
Depends on: 1497212
Depends on: 1497213
Depends on: 1497214
Depends on: 1497216
Depends on: 1497217
Depends on: 1497584
Depends on: 1499064
Depends on: 1499354
Depends on: 1498060
Depends on: 1533595
Blocks: 1537685
Depends on: 1566386
Depends on: 1567352
Depends on: 1567867
Depends on: 1567877

I am renaming this bug as we are not exclusively dealing with system privileged about pages anymore within this tracking bug.

Summary: [meta] Apply Meta CSP to more System Privileged about: pages → [meta] Apply Meta CSP to remaining about: pages
Depends on: 1567910

Brendan, Brian, within the dependencies of this bug we are applying a Content Security Policy to all our about: pages. At this point we have applied CSPs to pretty much all about: pages except the ones that are written in *.xul files, namely:

  • about:addons
  • about:config
  • about:downloads
  • about:preferences
  • about:devtools-toolbox

Within Bug 1567877 we are adding a special attribute 'csp' to the root element so we can pipe that CSP through to the CSP machinery within Firefox. I started to apply a CSP to about:downloads but it's rather cumbersome because of all the inline event handlers and what not. Before moving any further I just wanted to quickly check if there are any plans to convert the above about pages to rely on (x)html rather then *.xul in the upcoming future?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1497200#c11

Flags: needinfo?(bgrinstead)
Flags: needinfo?(bdahl)

There a few things in the works, but I think for what you need it will still be a few months away. I just landed a change to make all XUL pages load as XHTML documents in bug 1550801. I'll also soon be renaming XUL files to XHTML, however the DOM structure in the files will still be "XUL like". We're going to start re-structuring the XUL documents to be more "html like", but we're starting with browser.xhtml in bug 1492582.

Flags: needinfo?(bgrinstead)
Flags: needinfo?(bdahl)
Depends on: 1578231
Depends on: 1583489
Depends on: 1584485

All dependencies for this bug have cleared and all 50+ about pages are secured by a CSP. I think it's time to close this bug.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Depends on: 1587417
You need to log in before you can comment on or make changes to this bug.