Bug 1499354: Add object-src 'none' to the CSP of all about: pages. r=freddyb

Differential Revision: https://phabricator.services.mozilla.com/D46950

--HG--
extra : moz-landing-system : lando

browser/base/content/aboutFrameCrashed.html

@@ -6,7 +6,7 @@
 
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
   <link rel="stylesheet" type="text/css" media="all"
         href="chrome://global/skin/in-content/info-pages.css"/>
   <link rel="stylesheet" type="text/css" media="all"

browser/base/content/aboutNetError.xhtml

@@ -19,7 +19,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
     <title>&loadError.label;</title>
     <link rel="stylesheet" href="chrome://browser/skin/aboutNetError.css" type="text/css" media="all" />
     <!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in

browser/base/content/aboutRestartRequired.xhtml

@@ -6,7 +6,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
     <title data-l10n-id="restart-required-title"></title>
     <link rel="stylesheet" type="text/css" media="all"
           href="chrome://browser/skin/aboutRestartRequired.css"/>

browser/base/content/aboutRobots.xhtml

@@ -5,7 +5,7 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
     <title data-l10n-id="page-title"></title>
     <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" media="all"/>
     <link rel="icon" type="image/png" id="favicon" href="chrome://browser/content/robot.ico"/>

browser/base/content/aboutTabCrashed.xhtml

@@ -8,7 +8,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
     <link rel="stylesheet" type="text/css" media="all"
           href="chrome://global/skin/in-content/info-pages.css"/>
     <link rel="stylesheet" type="text/css" media="all"

browser/base/content/blockedSite.xhtml

@@ -6,7 +6,7 @@
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
     <link rel="stylesheet" href="chrome://browser/skin/blockedSite.css" type="text/css" media="all" />
     <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blocklist_favicon.png"/>
     <link rel="localization" href="branding/brand.ftl"/>

browser/base/content/newInstallPage.html

@@ -6,7 +6,7 @@
 
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="connect-src https:; default-src chrome:">
+  <meta http-equiv="Content-Security-Policy" content="connect-src https:; default-src chrome:; object-src 'none'">
   <meta name="referrer" content="no-referrer">
   <link rel="stylesheet" type="text/css" href="chrome://global/skin/in-content/common.css">
   <link rel="stylesheet" type="text/css" href="chrome://browser/skin/newInstallPage.css">

browser/components/aboutconfig/content/aboutconfig.html

@@ -5,7 +5,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:">
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'">
     <meta charset="utf-8">
     <link rel="stylesheet" media="screen, projection" type="text/css"
           href="chrome://global/skin/in-content/common.css">

browser/components/downloads/content/contentAreaDownloadsView.xul

@@ -24,7 +24,7 @@
 <window id="contentAreaDownloadsView"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
         title="&downloads.title;"
-        csp="default-src chrome:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA=='; img-src chrome: moz-icon:;">
+        csp="default-src chrome:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA=='; img-src chrome: moz-icon:; object-src 'none'">
 
   <script src="chrome://global/content/globalOverlay.js"/>
   <script src="chrome://browser/content/downloads/contentAreaDownloadsView.js"/>

browser/components/enterprisepolicies/content/aboutPolicies.xhtml

@@ -8,7 +8,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
         <title data-l10n-id="about-policies-title"/>
         <link rel="stylesheet" href="chrome://browser/content/policies/aboutPolicies.css" type="text/css" />
         <link rel="localization" href="branding/brand.ftl"/>

browser/components/library/content/aboutLibrary.xhtml

@@ -8,7 +8,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
     <title>about:library</title>
     <link rel="stylesheet" href="chrome://browser/skin/aboutLibrary.css" type="text/css" media="all"/>
     <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>

browser/components/migration/content/aboutWelcomeBack.xhtml

@@ -11,7 +11,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'" />
     <title data-l10n-id="welcome-back-tab-title"></title>
     <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
     <link rel="stylesheet" href="chrome://browser/skin/aboutWelcomeBack.css" type="text/css" media="all"/>

browser/components/pocket/content/panels/saved.html

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="utf-8">
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
         <base href="chrome://pocket/content/panels/">
         <title>Pocket: Page Saved</title>
         <link rel="stylesheet" href="css/normalize.css">

browser/components/pocket/content/panels/signup.html

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="utf-8">
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
         <base href="chrome://pocket/content/panels/">
         <title>Pocket: Sign Up</title>
         <link rel="stylesheet" href="css/normalize.css">

browser/components/preferences/in-content/preferences.xul

@@ -24,7 +24,7 @@
      Additionally we should remove 'unsafe-inline' from style-src, see Bug 1579160 -->
 <page xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
       xmlns:html="http://www.w3.org/1999/xhtml"
-      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'"
+      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'; object-src 'none'"
       role="document"
       data-l10n-id="pref-page"
       data-l10n-attrs="title">

browser/components/privatebrowsing/content/aboutPrivateBrowsing.xhtml

@@ -8,7 +8,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml" class="private">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:; object-src 'none'"/>
     <link rel="icon" type="image/png" href="chrome://browser/skin/privatebrowsing/favicon.svg"/>
     <link rel="stylesheet" href="chrome://browser/content/aboutPrivateBrowsing.css" type="text/css" media="all"/>
     <link rel="stylesheet" href="chrome://browser/skin/privatebrowsing/aboutPrivateBrowsing.css" type="text/css" media="all"/>

browser/components/protections/content/protections.html

@@ -6,7 +6,7 @@
 <html>
   <head>
     <meta charset="utf-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:">
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:; object-src 'none'">
     <link rel="localization" href="browser/branding/brandings.ftl"/>
     <link rel="localization" href="branding/brand.ftl"/>
     <link rel="localization" href="browser/branding/sync-brand.ftl">

browser/components/sessionstore/content/aboutSessionRestore.xhtml

@@ -11,7 +11,7 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
   <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'" />
     <title data-l10n-id="restore-page-tab-title"></title>
     <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
     <link rel="stylesheet" href="chrome://browser/skin/aboutSessionRestore.css" type="text/css" media="all"/>

browser/extensions/webcompat/manifest.json

@@ -46,7 +46,7 @@
     }
   },
 
-  "content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*;",
+  "content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*; object-src 'none';",
 
   "permissions": [
     "webRequest",

devtools/client/aboutdebugging/index.html

@@ -7,7 +7,7 @@
     <meta charset="utf-8" />
     <title>Debugging</title>
     <meta http-equiv="Content-Security-Policy"
-      content="default-src chrome: resource:; img-src data: chrome: resource: https:" />
+      content="default-src chrome: resource:; img-src data: chrome: resource: https:; object-src 'none'" />
     <link rel="icon" type="image/png" href="chrome://browser/skin/developer.svg">
     <link rel="stylesheet" href="chrome://devtools/content/aboutdebugging/aboutdebugging.css"/>
     <script src="resource://devtools/client/aboutdebugging/initializer.js"></script>