GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still and

Commit 701d0e69 authored by Mike Conley's avatar Mike Conley
Browse files

Bug 1699892 - Allow the Firefox Accounts avatar server to use SVG context...

Bug 1699892 - Allow the Firefox Accounts avatar server to use SVG context properties. r=dholbert, a=RyanVM

Differential Revision:
parent 55d6ae04
......@@ -2398,3 +2398,10 @@ pref("first-startup.timeout", 30000);
#ifdef XP_WIN
pref("default-browser-agent.enabled", true);
// Mozilla-controlled domains that are allowed to use non-standard
// context properties for SVG images for use in the browser UI. Please
// keep this list short. This preference (and SVG `context-` keyword support)
// are expected to go away once a standardized alternative becomes
// available.
pref("svg.context-properties.content.allowed-domains", ",");
......@@ -53,6 +53,10 @@ bool SVGContextPaint::IsAllowedForImageFromURI(nsIURI* aURI) {
// extension developers coming to rely on image context paint either, we only
// enable context-paint for extensions that are signed by Mozilla.
// We also allow this for browser UI icons that are served up from
// Mozilla-controlled domains listed in the
// svg.context-properties.content.allowed-domains pref.
nsAutoCString scheme;
if (NS_SUCCEEDED(aURI->GetScheme(scheme)) &&
(scheme.EqualsLiteral("chrome") || scheme.EqualsLiteral("resource") ||
......@@ -61,6 +65,7 @@ bool SVGContextPaint::IsAllowedForImageFromURI(nsIURI* aURI) {
RefPtr<BasePrincipal> principal =
BasePrincipal::CreateContentPrincipal(aURI, OriginAttributes());
nsString addonId;
if (NS_SUCCEEDED(principal->GetAddonId(addonId))) {
if (StringEndsWith(addonId, NS_LITERAL_STRING("")) ||
......@@ -68,7 +73,11 @@ bool SVGContextPaint::IsAllowedForImageFromURI(nsIURI* aURI) {
return true;
return false;
bool isInAllowList = false;
return isInAllowList;
Any copyright is dedicated to the Public Domain.
img {
-moz-context-properties: fill;
fill: green;
<img src="file_context_fill_fallback_red.svg" style="width: 100px; height: 100px;"/>
Any copyright is dedicated to the Public Domain.
<svg xmlns="" version="1.1"
<rect height="100%" width="100%" fill="context-fill red" />
......@@ -2,6 +2,10 @@
support-files =
support-files =
support-files =
<meta charset="utf-8">
<title>Bug 1699892 - SVG context properties for allowed domains</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<script src="/tests/SimpleTest/WindowSnapshot.js"></script>
<link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
* Returns a Promise that resolves when target fires a load event.
function waitForLoad(target) {
return new Promise(resolve => {
target.addEventListener("load", () => {
if ( == target) {
}}, { once: true });
* Given an iframe, loads src in it, and waits for the load event
* for the iframe to fire. Then it snapshots the iframe and returns
* the snapshot.
* src can be a URL starting with http, or is otherwise assumed to be
* a srcdoc string.
async function loadSrcImageAndSnapshot(frame, src) {
if (!src.startsWith("http")) {
frame.srcdoc = src;
} else {
frame.src = src;
await waitForLoad(frame);
return await snapshotWindow(frame, false);
add_task(async () => {
const ALLOWED_DOMAIN = "";
const CONTEXT_FILL_SVG = "tests/layout/svg/tests/file_context_fill_fallback_red.html";
await SpecialPowers.pushPrefEnv({
set: [["svg.context-properties.content.allowed-domains", ALLOWED_DOMAIN]]
let frame = document.getElementById("frame");
// When the context properties are allowed, we expect a green square. When they are
// not allowed, we expected a red square.
let redReference = await loadSrcImageAndSnapshot(
`<div style="width: 100px; height: 100px; background: red"></div>`
let greenReference = await loadSrcImageAndSnapshot(
`<div style="width: 100px; height: 100px; background: green"></div>`
let allowedSnapshot = await loadSrcImageAndSnapshot(frame, ALLOWED);
let disallowedSnapshot = await loadSrcImageAndSnapshot(frame, DISALLOWED);
let result = compareSnapshots(redReference, greenReference, false);
ok(result[0], "First, ensure that red and green do not match.");
result = compareSnapshots(allowedSnapshot, greenReference, true);
ok(result[0], "The allowed domain should show green.");
result = compareSnapshots(disallowedSnapshot, redReference, true);
ok(result[0], "The disallowed domain should show red.");
<iframe id="frame"></iframe>
......@@ -8699,6 +8699,19 @@
value: false
mirror: always
# Enables the 'context-fill' and 'context-stroke' keywords for particular
# domains. We expect this list to be Mozilla-controlled properties, since the
# 'context-*' keywords are not part of any spec. We expect to remove this
# preference and the 'context-` keyword support entirely in the
# not-too-distant future when a standardized alternative ships. This preference
# is _not_ for allowing web content to use these keywords. For performance
# reasons, the list of domains in this preference should remain short in
# length.
- name: svg.context-properties.content.allowed-domains
type: String
value: ""
mirror: never
# Enable the use of display-lists for SVG hit-testing.
- name: svg.display-lists.hit-testing.enabled
type: bool
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment