diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp index a0a35f33cacc..03d58446988b 100644 --- a/caps/nsScriptSecurityManager.cpp +++ b/caps/nsScriptSecurityManager.cpp @@ -414,9 +414,6 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction( nsCOMPtr subjectPrincipal = nsContentUtils::SubjectPrincipal(); if (!csp) { - if (!StaticPrefs::extensions_content_script_csp_enabled()) { - return true; - } // Get the CSP for addon sandboxes. If the principal is expanded and has a // csp, we're probably in luck. auto* basePrin = BasePrincipal::Cast(subjectPrincipal); diff --git a/js/xpconnect/src/Sandbox.cpp b/js/xpconnect/src/Sandbox.cpp index 34d4fc25b526..05fba5125efb 100644 --- a/js/xpconnect/src/Sandbox.cpp +++ b/js/xpconnect/src/Sandbox.cpp @@ -1113,9 +1113,6 @@ bool xpc::GlobalProperties::DefineInSandbox(JSContext* cx, * provided by the extension in its manifest. */ nsresult ApplyAddonContentScriptCSP(nsISupports* prinOrSop) { - if (!StaticPrefs::extensions_content_script_csp_enabled()) { - return NS_OK; - } nsCOMPtr principal = do_QueryInterface(prinOrSop); if (!principal) { return NS_OK; @@ -1166,9 +1163,7 @@ nsresult ApplyAddonContentScriptCSP(nsISupports* prinOrSop) { csp = new nsCSPContext(); MOZ_TRY(csp->SetRequestContextWithPrincipal(expanded, selfURI, u""_ns, 0)); - bool reportOnly = StaticPrefs::extensions_content_script_csp_report_only(); - - MOZ_TRY(csp->AppendPolicy(baseCSP, reportOnly, false)); + MOZ_TRY(csp->AppendPolicy(baseCSP, false, false)); expanded->SetCsp(csp); return NS_OK; diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml index 77386c9fb073..29da2682196d 100644 --- a/modules/libpref/init/StaticPrefList.yaml +++ b/modules/libpref/init/StaticPrefList.yaml 
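Review bot: In the last Sandbox.cpp hunk, `csp->AppendPolicy(baseCSP, false, false)` passes two bare booleans, and the removed `reportOnly` local was the only hint that the second one selects report-only mode. Naming the arguments at the call site keeps that visible: `MOZ_TRY(csp->AppendPolicy(baseCSP, /* reportOnly */ false, /* deliveredViaMetaTag */ false));`. This commit also drops the `extensions.content_script_csp.enabled` early returns in `ApplyAddonContentScriptCSP` and `ContentSecurityPolicyPermitsJSAction`, so the policy is now enforced with no runtime switch to fall back to report-only. That is worth one sentence in the doc comment above `ApplyAddonContentScriptCSP`. The function starts in the previous hunk and its middle section is outside the diff, so whatever restricts it to particular extensions cannot be checked from here.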
@@ -3660,18 +3660,6 @@ value: false mirror: always -# This pref governs whether we enable content script CSP in extensions. -- name: extensions.content_script_csp.enabled - type: bool - value: false - mirror: always - -# This pref governs whether content script CSP is report-only. -- name: extensions.content_script_csp.report_only - type: bool - value: true - mirror: always - # This pref governs whether we run webextensions in a separate process (true) # or the parent/main process (false) - name: extensions.webextensions.remote diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js index 039fc8122e2c..cf770d91b4f0 100644 --- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js +++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js @@ -6,9 +6,6 @@ const { TestUtils } = ChromeUtils.import( "resource://testing-common/TestUtils.jsm" ); -// Enable and turn off report-only so we can validate the results. -Services.prefs.setBoolPref("extensions.content_script_csp.enabled", true); -Services.prefs.setBoolPref("extensions.content_script_csp.report_only", false); Services.prefs.setBoolPref("extensions.manifestV3.enabled", true); const server = createHttpServer({ diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js index 993ee071abb0..223f0650e943 100644 --- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js +++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js 
@@ -39,7 +39,6 @@ var gContentSecurityPolicy = null; const BASE_URL = `http://example.com`; const CSP_REPORT_PATH = "/csp-report.sjs"; -const CSP_REPORT_URL = `http://csplog.example.net/csp-report.sjs`; /** * Registers a static HTML document with the given content at the given @@ -1320,24 +1319,7 @@ add_task(async function test_contentscript_csp() { * content page. */ add_task(async function test_extension_contentscript_csp() { - Services.prefs.setBoolPref("extensions.content_script_csp.enabled", true); - Services.prefs.setBoolPref( - "extensions.content_script_csp.report_only", - false - ); - - // Add reporting to base and default CSP as this cannot be done via manifest. - let baseCSP = Services.prefs.getStringPref( - "extensions.webextensions.base-content-security-policy" - ); - Services.prefs.setStringPref( - "extensions.webextensions.base-content-security-policy", - `${baseCSP} report-uri ${CSP_REPORT_URL};` - ); - Services.prefs.setStringPref( - "extensions.webextensions.default-content-security-policy", - `script-src 'self' 'report-sample'; object-src 'self' 'report-sample'; report-uri ${CSP_REPORT_URL};` - ); + Services.prefs.setBoolPref("extensions.manifestV3.enabled", true); // TODO bug 1408193: We currently don't get the full set of CSP reports when // running in network scheduling chaos mode. It's not entirely clear why. @@ -1346,7 +1328,14 @@ add_task(async function test_extension_contentscript_csp() { gContentSecurityPolicy = `default-src 'none' 'report-sample'; script-src 'nonce-deadbeef' 'unsafe-eval' 'report-sample'; report-uri ${CSP_REPORT_PATH};`; - let extension = ExtensionTestUtils.loadExtension(EXTENSION_DATA); + let data = { + ...EXTENSION_DATA, + manifest: { + ...EXTENSION_DATA.manifest, + manifest_version: 3, + }, + }; + let extension = ExtensionTestUtils.loadExtension(data); await extension.startup(); let urlsPromise = extension.awaitMessage("css-sources").then(msg => { 
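Review bot: `Services.prefs.setBoolPref("extensions.manifestV3.enabled", true)` at the top of `test_extension_contentscript_csp` is only undone by the `clearUserPref` call added as the task's final statement (last hunk). A failed assertion or rejected await in between leaves the pref set for whatever runs afterwards. Wrapping the task body in `try { … } finally { Services.prefs.clearUserPref("extensions.manifestV3.enabled"); }` makes the reset unconditional. The same hunk removes the `report-uri` that used to be appended to the extension's base and default CSP, and the assertions are outside the diff. It is worth confirming that the task still verifies the content-script policy is enforced, and not only the page's own policy.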
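Review bot: The `manifest_version: 3` override in `data` carries no comment explaining why this task cannot use the shared `EXTENSION_DATA` fixture unchanged, as the removed `loadExtension(EXTENSION_DATA)` call did. If the content-script CSP is only applied to MV3 extensions, as the switch from the removed prefs to `extensions.manifestV3.enabled` suggests, a line above `let data = {` would record that. For example: `// Content script CSP is only applied to MV3 extensions, so override the fixture's manifest_version.` The task body continues outside this hunk.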
@@ -1369,4 +1358,5 @@ add_task(async function test_extension_contentscript_csp() { await extension.unload(); await contentPage.close(); + Services.prefs.clearUserPref("extensions.manifestV3.enabled"); });