Bug 1452604 - Meta CSP applied to content privileged about:blocked r=Gijs,ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D880 --HG-- rename : browser/base/content/blockedSite.xhtml => browser/base/content/blockedSite.js extra : moz-landing-system : lando
2024-11-24 13:21:05 +00:00 · 2018-07-04 09:12:52 +00:00 · 2018-07-04 09:12:52 +00:00 · 9e4df63c72
commit 9e4df63c72
parent 96a00916f7
4 changed files with 160 additions and 162 deletions
--- a/browser/base/content/blockedSite.js
+++ b/browser/base/content/blockedSite.js
@ -0,0 +1,155 @@
+// Error url MUST be formatted like this:
+//   about:blocked?e=error_code&u=url(&o=1)?
+//     (o=1 when user overrides are allowed)
+
+// Note that this file uses document.documentURI to get
+// the URL (with the format from above). This is because
+// document.location.href gets the current URI off the docshell,
+// which is the URL displayed in the location bar, i.e.
+// the URI that the user attempted to load.
+
+function getErrorCode() {
+  var url = document.documentURI;
+  var error = url.search(/e\=/);
+  var duffUrl = url.search(/\&u\=/);
+  return decodeURIComponent(url.slice(error + 2, duffUrl));
+}
+
+function getURL() {
+  var url = document.documentURI;
+  var match = url.match(/&u=([^&]+)&/);
+
+  // match == null if not found; if so, return an empty string
+  // instead of what would turn out to be portions of the URI
+  if (!match)
+    return "";
+
+  url = decodeURIComponent(match[1]);
+
+  // If this is a view-source page, then get then real URI of the page
+  if (url.startsWith("view-source:"))
+    url = url.slice(12);
+  return url;
+}
+
+/**
+ * Check whether this warning page is overridable or not, in which case
+ * the "ignore the risk" suggestion in the error description
+ * should not be shown.
+ */
+function getOverride() {
+  var url = document.documentURI;
+  var match = url.match(/&o=1&/);
+  return !!match;
+}
+
+/**
+ * Attempt to get the hostname via document.location.  Fail back
+ * to getURL so that we always return something meaningful.
+ */
+function getHostString() {
+  try {
+    return document.location.hostname;
+  } catch (e) {
+    return getURL();
+  }
+}
+
+function onClickSeeDetails() {
+  let details = document.getElementById("errorDescriptionContainer");
+  if (details.hidden) {
+    details.removeAttribute("hidden");
+  } else {
+    details.setAttribute("hidden", "true");
+  }
+}
+
+function initPage() {
+  var error = "";
+  switch (getErrorCode()) {
+    case "malwareBlocked" :
+      error = "malware";
+      break;
+    case "deceptiveBlocked" :
+      error = "phishing";
+      break;
+    case "unwantedBlocked" :
+      error = "unwanted";
+      break;
+    case "harmfulBlocked" :
+      error = "harmful";
+      break;
+    default:
+      return;
+  }
+
+  var el;
+
+  if (error !== "malware") {
+    el = document.getElementById("errorTitleText_malware");
+    el.remove();
+    el = document.getElementById("errorShortDescText_malware");
+    el.remove();
+    el = document.getElementById("errorLongDesc_malware");
+    el.remove();
+  }
+
+  if (error !== "phishing") {
+    el = document.getElementById("errorTitleText_phishing");
+    el.remove();
+    el = document.getElementById("errorShortDescText_phishing");
+    el.remove();
+    el = document.getElementById("errorLongDesc_phishing");
+    el.remove();
+  }
+
+  if (error !== "unwanted") {
+    el = document.getElementById("errorTitleText_unwanted");
+    el.remove();
+    el = document.getElementById("errorShortDescText_unwanted");
+    el.remove();
+    el = document.getElementById("errorLongDesc_unwanted");
+    el.remove();
+  }
+
+  if (error !== "harmful") {
+    el = document.getElementById("errorTitleText_harmful");
+    el.remove();
+    el = document.getElementById("errorShortDescText_harmful");
+    el.remove();
+    el = document.getElementById("errorLongDesc_harmful");
+    el.remove();
+  }
+
+  // Decide which version of the string should be visible in the error description.
+  if (getOverride()) {
+    document.getElementById(error + "_error_desc_no_override").remove();
+  } else {
+    document.getElementById(error + "_error_desc_override").remove();
+  }
+
+  // Set sitename in error details.
+  let sitenameElem = document.getElementById(error + "_sitename");
+  sitenameElem.setAttribute("class", "sitename");
+  sitenameElem.textContent = getHostString();
+
+  document.title = document.getElementById("errorTitleText_" + error).textContent;
+
+  // Inform the test harness that we're done loading the page.
+  var event = new CustomEvent("AboutBlockedLoaded",
+    {
+      bubbles: true,
+      detail: {
+        url: this.getURL(),
+        err: error
+      }
+    });
+  document.dispatchEvent(event);
+}
+
+let seeDetailsButton = document.getElementById("seeDetailsButton");
+seeDetailsButton.addEventListener("click", onClickSeeDetails);
+// Note: It is important to run the script this way, instead of using
+// an onload handler. This is because error pages are loaded as
+// LOAD_BACKGROUND, which means that onload handlers will not be executed.
+initPage();
--- a/browser/base/content/blockedSite.xhtml
+++ b/browser/base/content/blockedSite.xhtml
@ -17,161 +17,10 @@

 <html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
  <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
    <link rel="stylesheet" href="chrome://browser/skin/blockedSite.css" type="text/css" media="all" />
    <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/>
-
-    <script type="application/javascript"><![CDATA[
-      // Error url MUST be formatted like this:
-      //   about:blocked?e=error_code&u=url(&o=1)?
-      //     (o=1 when user overrides are allowed)
-
-      // Note that this file uses document.documentURI to get
-      // the URL (with the format from above). This is because
-      // document.location.href gets the current URI off the docshell,
-      // which is the URL displayed in the location bar, i.e.
-      // the URI that the user attempted to load.
-
-      function getErrorCode() {
-        var url = document.documentURI;
-        var error = url.search(/e\=/);
-        var duffUrl = url.search(/\&u\=/);
-        return decodeURIComponent(url.slice(error + 2, duffUrl));
-      }
-
-      function getURL() {
-        var url = document.documentURI;
-        var match = url.match(/&u=([^&]+)&/);
-
-        // match == null if not found; if so, return an empty string
-        // instead of what would turn out to be portions of the URI
-        if (!match)
-          return "";
-
-        url = decodeURIComponent(match[1]);
-
-        // If this is a view-source page, then get then real URI of the page
-        if (url.startsWith("view-source:"))
-          url = url.slice(12);
-        return url;
-      }
-
-      /**
-       * Check whether this warning page is overridable or not, in which case
-       * the "ignore the risk" suggestion in the error description
-       * should not be shown.
-       */
-      function getOverride() {
-        var url = document.documentURI;
-        var match = url.match(/&o=1&/);
-        return !!match;
-      }
-
-      /**
-       * Attempt to get the hostname via document.location.  Fail back
-       * to getURL so that we always return something meaningful.
-       */
-      function getHostString() {
-        try {
-          return document.location.hostname;
-        } catch (e) {
-          return getURL();
-        }
-      }
-
-      function onClickSeeDetails() {
-        let details = document.getElementById("errorDescriptionContainer");
-        if (details.hidden) {
-          details.removeAttribute("hidden");
-        } else {
-          details.setAttribute("hidden", "true");
-        }
-      }
-
-      function initPage() {
-        var error = "";
-        switch (getErrorCode()) {
-          case "malwareBlocked" :
-            error = "malware";
-            break;
-          case "deceptiveBlocked" :
-            error = "phishing";
-            break;
-          case "unwantedBlocked" :
-            error = "unwanted";
-            break;
-          case "harmfulBlocked" :
-            error = "harmful";
-            break;
-          default:
-            return;
-        }
-
-        var el;
-
-        if (error !== "malware") {
-          el = document.getElementById("errorTitleText_malware");
-          el.remove();
-          el = document.getElementById("errorShortDescText_malware");
-          el.remove();
-          el = document.getElementById("errorLongDesc_malware");
-          el.remove();
-        }
-
-        if (error !== "phishing") {
-          el = document.getElementById("errorTitleText_phishing");
-          el.remove();
-          el = document.getElementById("errorShortDescText_phishing");
-          el.remove();
-          el = document.getElementById("errorLongDesc_phishing");
-          el.remove();
-        }
-
-        if (error !== "unwanted") {
-          el = document.getElementById("errorTitleText_unwanted");
-          el.remove();
-          el = document.getElementById("errorShortDescText_unwanted");
-          el.remove();
-          el = document.getElementById("errorLongDesc_unwanted");
-          el.remove();
-        }
-
-        if (error !== "harmful") {
-          el = document.getElementById("errorTitleText_harmful");
-          el.remove();
-          el = document.getElementById("errorShortDescText_harmful");
-          el.remove();
-          el = document.getElementById("errorLongDesc_harmful");
-          el.remove();
-        }
-
-        // Decide which version of the string should be visible in the error description.
-        if (getOverride()) {
-          document.getElementById(error + "_error_desc_no_override").remove();
-        } else {
-          document.getElementById(error + "_error_desc_override").remove();
-        }
-
-        // Set sitename in error details.
-        let sitenameElem = document.getElementById(error + "_sitename");
-        sitenameElem.setAttribute("class", "sitename");
-        sitenameElem.textContent = getHostString();
-
-        document.title = document.getElementById("errorTitleText_" + error).textContent;
-
-        // Inform the test harness that we're done loading the page.
-        var event = new CustomEvent("AboutBlockedLoaded",
-          {
-            bubbles: true,
-            detail: {
-              url: this.getURL(),
-              err: error
-            }
-          });
-        document.dispatchEvent(event);
-      }
-    ]]></script>
  </head>
-
  <body dir="&locale.dir;">
    <div id="errorPageContainer" class="container">

@ -202,7 +51,7 @@
        <div id="buttons" class="button-container">
          <!-- Commands handled in browser.js -->
          <button id="goBackButton">&safeb.palm.accept.label2;</button>
-          <button id="seeDetailsButton" onclick="onClickSeeDetails();">&safeb.palm.seedetails.label;</button>
+          <button id="seeDetailsButton">&safeb.palm.seedetails.label;</button>
        </div>
      </div>
      <div id="errorDescriptionContainer" hidden="true">
@ -228,13 +77,6 @@
        </div>
      </div>
    </div>
-    <!--
-    - Note: It is important to run the script this way, instead of using
-    - an onload handler. This is because error pages are loaded as
-    - LOAD_BACKGROUND, which means that onload handlers will not be executed.
-    -->
-    <script type="application/javascript">
-      initPage();
-    </script>
  </body>
+  <script type="application/javascript" src="chrome://browser/content/blockedSite.js"/>
 </html>
--- a/browser/base/jar.mn
+++ b/browser/base/jar.mn
@ -112,6 +112,7 @@ browser.jar:
 *       content/browser/license.html                  (/toolkit/content/license.html)
 % override chrome://global/content/license.html chrome://browser/content/license.html
        content/browser/blockedSite.xhtml               (content/blockedSite.xhtml)
+        content/browser/blockedSite.js                  (content/blockedSite.js)

 % override chrome://global/content/netError.xhtml chrome://browser/content/aboutNetError.xhtml

--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2512,7 +2512,7 @@ pref("security.csp.enableStrictDynamic", true);

 #if defined(DEBUG) && !defined(ANDROID)
 // about:welcome has been added until Bug 1448359 is fixed at which time home, newtab, and welcome will all be removed.
-pref("csp.content_privileged_about_uris_without_csp", "blank,blocked,home,newtab,printpreview,srcdoc,welcome");
+pref("csp.content_privileged_about_uris_without_csp", "blank,home,newtab,printpreview,srcdoc,welcome");
 #endif

 #ifdef NIGHTLY_BUILD