Evaluate and Assert that all about: pages on Android ship with a strong CSP
Categories
(Core :: DOM: Security, task)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
Details
(Whiteboard: [domsecurity-active])
It seems we have !defined(ANDROID) where we do the assert to make sure all about pages ship with a strong CSP [1]. We should remove that and make sure all about: pages on Android also have a strong CSP.
[1] https://hg.mozilla.org/mozilla-central/rev/42ac00d4125c#l1.30
Comment 2•5 years ago
Snorp, we are currently applying strong CSPs to all of our about: pages (at least for desktop). In a first try run [1] I wanted to see how much work there is on Android. It seems like a lot :-(
I assume every single about: page is different on Android and desktop versions of Firefox? I can certainly tackle some of them, but I was wondering if we could coordinate the effort somehow to get some help with that. Happy to hop on a meeting to discuss details. Just wanted to get your initial feedback on how we could tackle that and also apply strong CSPs to all of Android's about: pages.
For GeckoView, I think we really only have about:config as special. Fennec has more[1], and we might be accidentally including some of those in GeckoView. Maybe there should be some kind of audit done at the same time?
[1] https://searchfox.org/mozilla-central/source/mobile/android/chrome/content
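An added example (not Gecko code and not part of the bug thread): one way to run the audit suggested above, checking the meta CSP in each about: page's markup. It assumes the policy is delivered through a meta element; the definition of "strong", the helper names and the sample pages are assumptions of this example.

```python
from html.parser import HTMLParser

# Assumption of this example (not Mozilla's definition): a "strong" CSP keeps
# default-src to internal schemes and allows no inline or eval script.
INTERNAL_SOURCES = {"chrome:", "resource:", "'none'"}
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

class MetaCSPFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policies = []
    # Collects every meta CSP; HTMLParser also calls this for self-closing <meta/>.
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(attrs.get("content") or "")

def parse_policy(policy):
    """Split a policy into {directive: [sources]}; the first duplicate wins, as in CSP."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])
    return directives

def audit_page(markup):
    """Return a list of findings for one page; an empty list means it passes."""
    finder = MetaCSPFinder()
    finder.feed(markup)
    if not finder.policies:
        return ["no meta CSP"]
    findings = []
    for directives in map(parse_policy, finder.policies):
        default = directives.get("default-src")
        if default is None:
            findings.append("missing default-src")
        elif set(default) - INTERNAL_SOURCES:
            findings.append("default-src allows " + " ".join(sorted(set(default) - INTERNAL_SOURCES)))
        if UNSAFE_KEYWORDS & set(directives.get("script-src", default or [])):
            findings.append("script-src allows inline or eval")
    return findings

# Constructed sample pages, not taken from mozilla-central.
SAMPLES = {
    "about:strong": '<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src \'none\'"/>',
    "about:nocsp": "<html><head><title>no policy</title></head></html>",
    "about:weak": '<meta http-equiv="Content-Security-Policy" content="default-src chrome: https:; script-src \'unsafe-inline\'">',
}
if __name__ == "__main__":
    print({name: audit_page(markup) for name, markup in SAMPLES.items()})
```

Each policy on a page is checked on its own, so a page carrying one weak and one strong policy is still reported.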