Apply Meta CSP to about:devtools-toolbox
Categories
(Core :: DOM: Security, task, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
(deleted), text/x-phabricator-request
Comment 1 • 5 years ago (Assignee)
Brendan, what needs to be done to apply a CSP to about:devtools-toolbox? Put differently, where does that code live?
Comment 3 • 5 years ago (Assignee)
Hey Henri and Julian,
Within this patch we would like to apply a CSP to *.xul pages, in particular 'about:devtools-toolbox'.
@Henri: Within [1] you already f+ed a similar patch where we added a custom attribute on the root element which allows us to pipe the policy through into the CSP machinery. Please note that this code works exactly the same as for any Meta CSP [2] with the only difference that we have to set the request context which is not needed for the Meta CSP since we already have a request context. The reason I moved the XULElement bits into this bug is because applying a CSP to about:downloads (see Bug 1497200) is more complicated and we have to fight some inline event handlers. Anyway, would you be willing to r+ that patch?
@Julian: I followed your instructions and tested the following scenarios:
- Go to about:debugging
- Select "This Nightly/This Firefox"
- Click on any of the "inspect" buttons.
I tried all of them, also using different CSPs, making the CSP block all schemes that are not whitelisted - everything I tested seems to work. If you have any additional suggestions on how to test I am happy to do so, but looking at the code, it seems only chrome: and resource: URIs are used everywhere.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1497200#c9
[2] https://searchfox.org/mozilla-central/source/dom/html/HTMLMetaElement.cpp#118-128