fune/browser/base/content
Kris Maglione b3cac601f6 Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs
This is a short-term solution to our inability to apply CSP to
chrome-privileged documents.

Ideally, we should be preventing all inline script execution in
chrome-privileged documents, since the repercussions of XSS in chrome
documents are much worse than in content documents. Unfortunately, that's not
possible in the near term because a) we don't support CSP in system principal
documents at all, and b) we rely heavily on inline JS in our static XUL.

This stop-gap solution at least prevents some of the most common vectors of
XSS attack, by automatically sanitizing any HTML fragment created for a
chrome-privileged document.

MozReview-Commit-ID: 5w17celRFr

--HG--
extra : rebase_source : 1c0a1448a06d5b65e548d9f5362d06cc6d865dbe
extra : amend_source : 7184593019f238b86fd1e261941d8e8286fa4006
2018-01-24 14:56:48 -08:00
..
abouthome
defaultthemes
docs/sslerrorreport
illustrations
newtab Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
overrides
pageinfo Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
test Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs 2018-01-24 14:56:48 -08:00
aboutDialog-appUpdater.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
aboutDialog.css
aboutDialog.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
aboutDialog.xul bug 1408416 - Remove inconsistent Telemetry strings from About dialogs r=Dexter 2017-12-05 11:05:53 -05:00
aboutNetError.xhtml
aboutRobots-icon.png
aboutRobots-widget-left.png
aboutRobots.xhtml
aboutTabCrashed.css
aboutTabCrashed.js Bug 1424373 - Don't set crash reporting prefs when showing about:tabcrashed for a crash without a report. r=Mossop 2017-12-18 11:19:53 -05:00
aboutTabCrashed.xhtml
baseMenuOverlay.xul Bug 1352497 - Remove about:healthreport. r=gfritzsche,nechen 2017-11-28 11:38:15 +01:00
blockedSite.xhtml
browser-addons.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-captivePortal.js
browser-charsetmenu.inc
browser-compacttheme.js
browser-context.inc merge mozilla-inbound to mozilla-central. r=merge a=merge 2017-11-18 11:58:58 +02:00
browser-ctrlTab.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-customization.js
browser-data-submission-info-bar.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-development-helpers.js
browser-doctype.inc Bug 1428938 - Remove legacy toolbar customization code. r=Gijs 2018-01-11 16:35:17 +00:00
browser-feeds.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-fullScreenAndPointerLock.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-fullZoom.js Bug 592653 - script-generated patch to replace gPrefService with Services.prefs, r=Standard8. 2017-12-19 23:45:10 +01:00
browser-gestureSupport.js Bug 592653 - script-generated patch to replace gPrefService with Services.prefs, r=Standard8. 2017-12-19 23:45:10 +01:00
browser-media.js Bug 1431428 - use DOM instead of innerHTML for extension messaging in prefs, r=jaws 2018-01-18 18:19:10 +00:00
browser-menubar.inc Bug 1422106 - Show broken heart when unverified in synced tabs sidebar/panel. r=markh 2017-11-30 16:01:40 -05:00
browser-pageActions.js Bug 1432015 - Part 2 - Remove the setMainView methods. r=Gijs 2018-01-21 15:59:41 +00:00
browser-places.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-plugins.js
browser-safebrowsing.js
browser-sets.inc Bug 1384856 - Fix sync menu items showing incorrect state on mac r=eoger 2018-01-17 13:09:22 -05:00
browser-sidebar.js Bug 1374791 - Favicon should be used for sidebar icon when loading web content, r=gijs 2017-12-06 14:15:23 +05:30
browser-sync.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
browser-tabPreviews.xml Bug 1383217 - Update Ctrl+Tab preview styling to better match activity stream and photon. r=Mardak 2017-12-21 14:08:30 +01:00
browser-tabsintitlebar-stub.js
browser-tabsintitlebar.js Bug 1430747 - Stop setting unused customization-lwtheme attribute and --toolbox-rect-height, --toolbox-rect-height-with-unit CSS variables. r=mikedeboer 2018-01-16 12:38:41 +01:00
browser-thumbnails.js
browser-trackingprotection.js Bug 592653 - script-generated patch to replace gPrefService with Services.prefs, r=Standard8. 2017-12-19 23:45:10 +01:00
browser.css Bug 1424259 - Fix alignment of extension sidebar action icons r=mixedpuppy 2018-01-11 22:53:02 -06:00
browser.js Bug 1432016 - Part 2 - Move descriptionHeightWorkaround and some other methods to the PanelView class. r=Gijs 2018-01-25 15:35:45 +00:00
browser.xul Bug 1430872 - remove tab-view-deck and browser-panel. r=Gijs 2018-01-16 21:04:13 +01:00
browserMountPoints.inc
content.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
contentSearchUI.css
contentSearchUI.js
default-theme-icon.svg
global-scripts.inc
hiddenWindow.xul
macBrowserOverlay.xul
moz.build Backed out 11 changesets (bug 1252998) for failing browser-chrome on browser/base/content/test/sanitize/browser_sanitize-offlineData.js 2018-01-08 11:00:39 +02:00
nsContextMenu.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
popup-notifications.inc
report-phishing-overlay.xul
robot.ico
safeMode.css
safeMode.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
safeMode.xul
sanitize.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
sanitize.xul Bug 1379338 - scriptify preferences XBL; r=jaws 2018-01-04 21:37:47 -08:00
sanitizeDialog.css
sanitizeDialog.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
softwareUpdateOverlay.xul
static-robot.png
tab-content.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
tabbrowser.css Bug 1429929 - Remove tabbrowser-close-tab-button binding. r=Gijs 2018-01-14 13:12:05 +01:00
tabbrowser.xml Backed out changeset 5eba8dcac2bb (bug 1373055) for causing bug 1430466 2018-01-23 19:49:57 +02:00
theme-vars.inc.css
urlbarBindings.xml Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
utilityOverlay.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
viewSourceOverlay.xul
web-panels.js
web-panels.xul
webext-panels.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
webext-panels.xul
webrtcIndicator.js Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
webrtcIndicator.xul