Closed
Bug 1495983
Opened 6 years ago
Closed 6 years ago
Assert system privileged about: pages have a CSP
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
RESOLVED
FIXED
mozilla64
Tracking | Status | |
---|---|---|
firefox64 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
patch (deleted), smaug: review+
No description provided.
Updated • 6 years ago (Assignee)
Assignee: nobody → ckerschb
Blocks: 1492063
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Comment 1 • 6 years ago (Assignee)
Smaug, ultimately we would like to apply a CSP to all about: pages. Some background: within Bug 965637 we are about to move the CSP into the Client, which should allow us to apply a CSP to all about: pages, not only content privileged about pages. I guess it's time to update the assertion within nsDocument to cover all about: pages, whitelist the ones that don't have a CSP yet and then systematically apply a CSP to all about: pages.
Attachment #9014014 -
Flags: review?(bugs)
Comment 2 • 6 years ago
I guess not all about:, since about:blank is rather special ;)
Comment 3 • 6 years ago (Assignee)
(In reply to Olli Pettay [:smaug] (r- if the bug doesn't explain what the change(s) are about.) from comment #2)
> I guess not all about:, since about:blank is rather special ;)
all about pages where it's feasible :-)
Comment 4 • 6 years ago
Comment on attachment 9014014 [details] [diff] [review]
bug_1495983_assert_system_about_page_has_csp.patch
> #if defined(DEBUG) && !defined(ANDROID)
>-pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc");
>-// the following pref is for testing purposes only.
>-pref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false);
>+// we can not apply a CSP to the following content privileged
>+// about: pages: blank, printpreview, srcdoc
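Review bot: the two added comment lines under the `#if defined(DEBUG) && !defined(ANDROID)` guard name blank, printpreview and srcdoc as exempt but give no reason why a CSP cannot be applied to them; state the reason per page, or reference the bug that tracks it, so the exemption list stays auditable as more about: pages are covered. The hunk also removes the testing-only pref `csp.overrule_content_privileged_about_uris_without_csp_whitelist`, and the quoted lines show no replacement for it, so confirm that any test which set that pref is updated or removed in the same patch.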
I'm having trouble parsing this sentence. You list 3 pages (which aren't even privileged, at least two of them) and then the pref lists all the stuff.
Attachment #9014014 -
Flags: review?(bugs) → review+
Comment 5 • 6 years ago (Assignee)
(In reply to Olli Pettay [:smaug] (pto Oct 4-7) from comment #4)
> >+// we can not apply a CSP to the following content privileged
> >+// about: pages: blank, printpreview, srcdoc
> I'm having trouble parsing this sentence. You list 3 pages (which aren't
> even privileged, at least two of them) and then the pref lists all the stuff.
I thought I am going to list the content privileged ones separately, but I guess it doesn't make a difference. I removed the comment.
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/37fcdbb6756c
Assert system privileged about: pages have CSP. r=smaug
Comment 7 • 6 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64