Let eval security ride to release
Categories: Core :: DOM: Security, enhancement, P2
People: Reporter: tjr, Assigned: tjr
Whiteboard: [domsecurity-active]
Attachments (1 file): (deleted), text/x-phabricator-request; flag jcristau: approval-mozilla-beta-
We're at <100 distinct users on 72 release who reported eval() usage; we don't have a great understanding of what those cases are, but they are pretty limited, so I think we can let this roll out.
Comment 1 • 5 years ago

Updated • 5 years ago

Comment 2 • 5 years ago
[Tracking Requested - why for this release]: This is a feature presently enabled on Beta that we want to enable in release by removing an ifdef.
Comment 3 • 5 years ago
Comment on attachment 9122733 [details]
Bug 1611238 - Enforce eval restrictions in the Parent Process/System Context r?ckerschb
Beta/Release Uplift Approval Request
- User impact if declined: We will delay a security hardening feature another release.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1609474
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This patch will turn on enforcement that eval() cannot be used in the parent process or system principal context. We currently collect telemetry that indicates a small (<100) number of users will be affected by this, but we don't know how they are able to run eval (at least, not without sticking in some speculative, privacy-concerning telemetry).
It's possible that some use case we've never heard of will show up and tell us Firefox is broken.
That said, the risk is not related to the uplift; it's been enabled in Beta before. The next step is to finally enforce it in Release.
Bug 1609474 is not strictly necessary but it would eliminate one very edge case of telemetry we discovered.
- String changes made/needed:
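The uplift request above says the enforcement will block eval() in the parent process / system principal context, and that the remaining cases are not well understood. A defender auditing privileged code ahead of such a policy typically wants a quick way to find eval-like constructs in JS source. The scanner below is an added example written for this page, not Firefox's enforcement code or telemetry; the patterns, the `findEvalUsage` function name and the sample source are all constructed for the illustration, and the check is a regex heuristic rather than a parser.

```javascript
// Added example (not Firefox code): a heuristic audit for eval-like constructs
// in JS source that is meant to run in a privileged context.
// Patterns, function names and sample input are constructed for this example.

// Constructs that compile strings into code at runtime. Non-global regexes
// so `test()` has no lastIndex state between lines.
const EVAL_PATTERNS = [
  { name: "direct eval()",        re: /\beval\s*\(/ },
  { name: "Function constructor", re: /\bnew\s+Function\s*\(/ },
  { name: "string setTimeout",    re: /\bsetTimeout\s*\(\s*["'`]/ },
  { name: "string setInterval",   re: /\bsetInterval\s*\(\s*["'`]/ },
];

// Blank out comments before scanning so commented-out eval() is not reported.
// Block comments are replaced character-by-character (newlines kept) so that
// reported line numbers still match the original source. This is a heuristic:
// a "//" inside a string literal (e.g. a URL) is also stripped.
function stripComments(source) {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/\/\/[^\n]*/g, "");
}

// Returns one finding per (line, pattern) hit: { line, kind, text }.
function findEvalUsage(source) {
  const findings = [];
  stripComments(source).split("\n").forEach((line, idx) => {
    for (const { name, re } of EVAL_PATTERNS) {
      if (re.test(line)) {
        findings.push({ line: idx + 1, kind: name, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample of "privileged" code with a mix of safe and flagged lines.
const SAMPLE = `
// constructed sample: what a privileged module might contain
const cfg = JSON.parse(text);                 // data, not code: fine
eval("setup(" + cfg.mode + ")");              // flagged: direct eval
/* eval("legacy()") */                        // commented out: not flagged
const fn = new Function("a", "return a * 2"); // flagged: Function constructor
setTimeout("tick()", 1000);                   // flagged: string timer callback
setTimeout(tick, 1000);                       // function reference: fine
`;

// Prints the three findings (lines 4, 6 and 7 of SAMPLE) as JSON.
console.log(JSON.stringify(findEvalUsage(SAMPLE), null, 2));
```

Because it works on text rather than an AST, the scanner over-reports in a few cases (an identifier ending in `eval` preceded by a word boundary, a `//` inside a string) and misses indirect forms such as `(0, eval)(...)` or `window["eval"]`; it is a triage aid for finding the code paths a policy like this one would break, not a substitute for the runtime enforcement the bug describes.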
Updated • 5 years ago

Comment 5 • 5 years ago (bugherder)

Comment 6 • 5 years ago
Comment on attachment 9122733 [details]
Bug 1611238 - Enforce eval restrictions in the Parent Process/System Context r?ckerschb
Not seeing a strong reason to not let this ride to 74.
Updated • 5 years ago