Closed Bug 1495983 Opened 6 years ago Closed 6 years ago

Assert system privileged about: pages have a CSP

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.
Assignee: nobody → ckerschb
Blocks: 1492063
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Depends on: 1496010
Smaug, ultimately we would like to apply a CSP to all about: pages. Some background, within Bug 965637 we are about to move the CSP into the Client which should allow us to apply a CSP to all about: pages, not only content privileged about pages. I guess it's time to update the assertion within nsDocument to cover all about: pages, whitelist the ones that don't have a CSP yet and then systematically apply a CSP to all about: pages.
Attachment #9014014 - Flags: review?(bugs)
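The check proposed in the comment above, as an added example (not code from the patch or from Gecko): an about: document must carry a CSP unless its page name is on an allowlist, parsed here from the comma-separated value `blank,printpreview,srcdoc` that appears in this bug. The function names and the exact-match policy are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Split a comma-separated allowlist value such as "blank,printpreview,srcdoc".
std::vector<std::string> ParseAllowlist(const std::string& prefValue) {
  std::vector<std::string> pages;
  std::stringstream ss(prefValue);
  for (std::string item; std::getline(ss, item, ',');) {
    if (!item.empty()) pages.push_back(item);
  }
  return pages;
}

// Extract the page name without query or fragment ("about:Blank?x#y" -> "blank").
// Returns false when the spec is not an about: URI.
bool AboutPageName(std::string spec, std::string& name) {
  std::transform(spec.begin(), spec.end(), spec.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  if (spec.compare(0, 6, "about:") != 0) return false;
  name = spec.substr(6, spec.find_first_of("?#", 6) - 6);
  return true;
}

// Invariant: a non-about: document is out of scope; an about: document must
// carry a CSP or be explicitly allowlisted.
bool AboutPageCspInvariantHolds(const std::string& spec, bool hasCsp,
                                const std::vector<std::string>& allowlist) {
  std::string name;
  if (!AboutPageName(spec, name) || hasCsp) return true;
  // Exact match, so "about:blankish" does not inherit the "blank" exemption.
  return std::find(allowlist.begin(), allowlist.end(), name) != allowlist.end();
}

int main() {
  const auto allowlist = ParseAllowlist("blank,printpreview,srcdoc");
  // Constructed samples: {spec, whether the document carries a CSP}.
  const std::pair<const char*, bool> docs[] = {
      {"about:blank", false}, {"about:preferences", false}, {"about:preferences", true}};
  for (const auto& d : docs)
    std::cout << d.first << (d.second ? " (CSP) " : " (no CSP) ")
              << (AboutPageCspInvariantHolds(d.first, d.second, allowlist) ? "ok" : "VIOLATION") << "\n";
}
```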
I guess not all about:, since about:blank is rather special ;)
(In reply to Olli Pettay [:smaug] (r- if the bug doesn't explain what the change(s) are about.) from comment #2)
> I guess not all about:, since about:blank is rather special ;)

all about pages where it's feasible :-)
Comment on attachment 9014014 [details] [diff] [review] bug_1495983_assert_system_about_page_has_csp.patch > #if defined(DEBUG) && !defined(ANDROID) >-pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc"); >-// the following pref is for testing purposes only. >-pref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false); >+// we can not apply a CSP to the following content privileged >+// about: pages: blank, printpreview, srcdoc I'm having trouble to parse this sentence. You list 3 pages (which aren't even privileged, at least two of them) and then the pref lists all the stuff.
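Review bot: The two removed `-pref(...)` lines include `csp.overrule_content_privileged_about_uris_without_csp_whitelist`, which its own comment marks as for testing purposes only, and the quoted lines show no replacement; confirm that no test still sets it, or carry an equivalent override over to the new list. The added `+//` comment also still says "content privileged" and names only blank, printpreview and srcdoc, so if a comment is kept it should describe the list as the about: pages that do not have a CSP yet.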
Attachment #9014014 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] (pto Oct 4-7) from comment #4) > >+// we can not apply a CSP to the following content privileged > >+// about: pages: blank, printpreview, srcdoc > I'm having trouble to parse this sentence. You list 3 pages (which aren't > even privileged, at least two of them) and then the pref lists all the stuff. I thought I am going to list the content privileged ones separately, but I guess it doesn't make a difference. I removed the comment.
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/37fcdbb6756c Assert system privileged about: pages have CSP. r=smaug
Depends on: 1496386
No longer depends on: 1496010
No longer depends on: 1496386
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64