Commit 30285b4a authored by Christoph Kerschbaumer's avatar Christoph Kerschbaumer

Bug 1499354: Add object-src 'none' to the CSP of all about: pages. r=freddyb

Differential Revision: https://phabricator.services.mozilla.com/D46950

--HG--
extra : moz-landing-system : lando
parent 6f69ca74
......@@ -6,7 +6,7 @@
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<link rel="stylesheet" type="text/css" media="all"
href="chrome://global/skin/in-content/info-pages.css"/>
<link rel="stylesheet" type="text/css" media="all"
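Review bot: The new directive on the meta tag here is duplicated verbatim in every one of the roughly twenty hunks below, so the hardening only holds for pages that happen to copy this `<head>` template; a page added later with a bare `default-src chrome:` silently falls back to allowing `chrome:` plugin content again. Unless the tree already has one, an automated check that every about: page's CSP (meta `content`, XUL `csp` attribute, and the extension manifest string) contains `object-src 'none'` would keep the commit's claim of "all about: pages" true over time. The same point applies to all other hunks in this commit and is not repeated there.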
......
......@@ -19,7 +19,7 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<title>&loadError.label;</title>
<link rel="stylesheet" href="chrome://browser/skin/aboutNetError.css" type="text/css" media="all" />
<!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
......
......@@ -6,7 +6,7 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<title data-l10n-id="restart-required-title"></title>
<link rel="stylesheet" type="text/css" media="all"
href="chrome://browser/skin/aboutRestartRequired.css"/>
......
......@@ -5,7 +5,7 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<title data-l10n-id="page-title"></title>
<link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" media="all"/>
<link rel="icon" type="image/png" id="favicon" href="chrome://browser/content/robot.ico"/>
......
......@@ -8,7 +8,7 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<link rel="stylesheet" type="text/css" media="all"
href="chrome://global/skin/in-content/info-pages.css"/>
<link rel="stylesheet" type="text/css" media="all"
......
......@@ -6,7 +6,7 @@
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<link rel="stylesheet" href="chrome://browser/skin/blockedSite.css" type="text/css" media="all" />
<link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blocklist_favicon.png"/>
<link rel="localization" href="branding/brand.ftl"/>
......
......@@ -6,7 +6,7 @@
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="connect-src https:; default-src chrome:">
<meta http-equiv="Content-Security-Policy" content="connect-src https:; default-src chrome:; object-src 'none'">
<meta name="referrer" content="no-referrer">
<link rel="stylesheet" type="text/css" href="chrome://global/skin/in-content/common.css">
<link rel="stylesheet" type="text/css" href="chrome://browser/skin/newInstallPage.css">
......
......@@ -5,7 +5,7 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:">
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'">
<meta charset="utf-8">
<link rel="stylesheet" media="screen, projection" type="text/css"
href="chrome://global/skin/in-content/common.css">
......
......@@ -24,7 +24,7 @@
<window id="contentAreaDownloadsView"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
title="&downloads.title;"
csp="default-src chrome:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA=='; img-src chrome: moz-icon:;">
csp="default-src chrome:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA=='; img-src chrome: moz-icon:; object-src 'none'">
<script src="chrome://global/content/globalOverlay.js"/>
<script src="chrome://browser/content/downloads/contentAreaDownloadsView.js"/>
......
......@@ -8,7 +8,7 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<title data-l10n-id="about-policies-title"/>
<link rel="stylesheet" href="chrome://browser/content/policies/aboutPolicies.css" type="text/css" />
<link rel="localization" href="branding/brand.ftl"/>
......
......@@ -8,7 +8,7 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<title>about:library</title>
<link rel="stylesheet" href="chrome://browser/skin/aboutLibrary.css" type="text/css" media="all"/>
<link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
......
......@@ -11,7 +11,7 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'" />
<title data-l10n-id="welcome-back-tab-title"></title>
<link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
<link rel="stylesheet" href="chrome://browser/skin/aboutWelcomeBack.css" type="text/css" media="all"/>
......
......@@ -2,7 +2,7 @@
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<base href="chrome://pocket/content/panels/">
<title>Pocket: Page Saved</title>
<link rel="stylesheet" href="css/normalize.css">
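Review bot: The policy on the new meta line still leaves `base-uri` unrestricted even though this document relies on a `<base href="chrome://pocket/content/panels/">` on the very next line; `base-uri` does not inherit from `default-src`, so the relative `css/normalize.css` links below resolve against whatever base the document ends up with. Since the base is a fixed chrome: URL, pinning it with `content="default-src chrome:; object-src 'none'; base-uri chrome:"` would be a cheap additional constraint. The same applies to the Pocket sign-up hunk (`<title>Pocket: Sign Up</title>`) that follows.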
......
......@@ -2,7 +2,7 @@
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
<base href="chrome://pocket/content/panels/">
<title>Pocket: Sign Up</title>
<link rel="stylesheet" href="css/normalize.css">
......
......@@ -24,7 +24,7 @@
Additionally we should remove 'unsafe-inline' from style-src, see Bug 1579160 -->
<page xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'"
csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'; object-src 'none'"
role="document"
data-l10n-id="pref-page"
data-l10n-attrs="title">
......
......@@ -8,7 +8,7 @@
<html xmlns="http://www.w3.org/1999/xhtml" class="private">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:"/>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:; object-src 'none'"/>
<link rel="icon" type="image/png" href="chrome://browser/skin/privatebrowsing/favicon.svg"/>
<link rel="stylesheet" href="chrome://browser/content/aboutPrivateBrowsing.css" type="text/css" media="all"/>
<link rel="stylesheet" href="chrome://browser/skin/privatebrowsing/aboutPrivateBrowsing.css" type="text/css" media="all"/>
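Review bot: The added `object-src 'none'` closes the plugin path, but the new line keeps `blob:` in `default-src`, which means `script-src` (absent here) still falls back to allowing `blob:` scripts and workers on this page. If `blob:` is needed only for a non-script resource type, as the favicon and stylesheet links suggest but I cannot confirm from the hunk, it would be tighter to scope it to that directive, e.g. `content="default-src chrome:; img-src chrome: blob:; object-src 'none'"`, so script execution stays limited to `chrome:`. The hunk below with the `brandings.ftl` localization links carries the same `default-src chrome: blob:` policy.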
......
......@@ -6,7 +6,7 @@
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:">
<meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:; object-src 'none'">
<link rel="localization" href="browser/branding/brandings.ftl"/>
<link rel="localization" href="branding/brand.ftl"/>
<link rel="localization" href="browser/branding/sync-brand.ftl">
......
......@@ -11,7 +11,7 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:" />
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'" />
<title data-l10n-id="restore-page-tab-title"></title>
<link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
<link rel="stylesheet" href="chrome://browser/skin/aboutSessionRestore.css" type="text/css" media="all"/>
......
......@@ -46,7 +46,7 @@
}
},
"content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*;",
"content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*; object-src 'none';",
"permissions": [
"webRequest",
......
......@@ -7,7 +7,7 @@
<meta charset="utf-8" />
<title>Debugging</title>
<meta http-equiv="Content-Security-Policy"
content="default-src chrome: resource:; img-src data: chrome: resource: https:" />
content="default-src chrome: resource:; img-src data: chrome: resource: https:; object-src 'none'" />
<link rel="icon" type="image/png" href="chrome://browser/skin/developer.svg">
<link rel="stylesheet" href="chrome://devtools/content/aboutdebugging/aboutdebugging.css"/>
<script src="resource://devtools/client/aboutdebugging/initializer.js"></script>
......