Bug 1545415 - Remove new Function from parent_utils.js, r=MattN

Remove `new Function` from parent_utils.js and refactor affected code.
Remove parent_utils.js from eval()-whitelist.

Differential Revision: https://phabricator.services.mozilla.com/D28062

--HG--
extra : moz-landing-system : lando

browser/extensions/formautofill/test/mochitest/test_autofill_and_ordinal_forms.html

@@ -16,6 +16,8 @@
 
 "use strict";
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal", true]]});
+
 let MOCK_STORAGE = [{
   "given-name": "John",
   "additional-name": "R",

modules/libpref/init/all.js

@@ -2717,7 +2717,7 @@ pref("csp.overrule_about_uris_without_csp_whitelist", false);
 pref("csp.skip_about_page_has_csp_assert", false);
 // assertion flag will be set to false after fixing Bug 1473549
 pref("security.allow_eval_with_system_principal", false);
-pref("security.uris_using_eval_with_system_principal", "autocomplete.xml,redux.js,react-redux.js,content-task.js,preferencesbindings.js,lodash.js,jszip.js,sinon-7.2.7.js,ajv-4.1.1.js,setup,jsol.js,parent_utils.js,chrometask_chromescript,simpletest/testrunner.js,simpletest/simpletest.js,file_bug1018265.xul,helperappdlg.jsm,test_execute_async_script.py");
+pref("security.uris_using_eval_with_system_principal", "autocomplete.xml,redux.js,react-redux.js,content-task.js,preferencesbindings.js,lodash.js,jszip.js,sinon-7.2.7.js,ajv-4.1.1.js,setup,jsol.js,chrometask_chromescript,simpletest/testrunner.js,simpletest/simpletest.js,file_bug1018265.xul,helperappdlg.jsm,test_execute_async_script.py");
 #endif
 
 #if defined(DEBUG) || defined(FUZZING)

toolkit/components/satchel/test/parent_utils.js

@@ -101,6 +101,9 @@ var ParentUtils = {
     });
   },
 
+  // Tests using this function need to flip pref for exceptional use of
+  // `new Function` / `eval()`.
+  // See test_autofill_and_ordinal_forms.html for example.
   testMenuEntry(index, statement) {
     ContentTaskUtils.waitForCondition(() => {
       let el = gAutocompletePopup.richlistbox.getItemAtIndex(index);