Bug 1499354: Add object-src 'none' to the CSP of all about: pages. r=freddyb

Differential Revision: https://phabricator.services.mozilla.com/D46950 --HG-- extra : moz-landing-system : lando
2019-09-26 16:22:41 +00:00 · 2019-09-26 16:22:41 +00:00 · 30285b4a58
--- a/browser/base/content/aboutFrameCrashed.html
+++ b/browser/base/content/aboutFrameCrashed.html
@ -6,7 +6,7 @@

 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <link rel="stylesheet" type="text/css" media="all"
        href="chrome://global/skin/in-content/info-pages.css"/>
  <link rel="stylesheet" type="text/css" media="all"
--- a/browser/base/content/aboutNetError.xhtml
+++ b/browser/base/content/aboutNetError.xhtml
@ -19,7 +19,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title>&loadError.label;</title>
    <link rel="stylesheet" href="chrome://browser/skin/aboutNetError.css" type="text/css" media="all" />
    <!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
--- a/browser/base/content/aboutRestartRequired.xhtml
+++ b/browser/base/content/aboutRestartRequired.xhtml
@ -6,7 +6,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title data-l10n-id="restart-required-title"></title>
    <link rel="stylesheet" type="text/css" media="all"
          href="chrome://browser/skin/aboutRestartRequired.css"/>
--- a/browser/base/content/aboutRobots.xhtml
+++ b/browser/base/content/aboutRobots.xhtml
@ -5,7 +5,7 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title data-l10n-id="page-title"></title>
    <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" media="all"/>
    <link rel="icon" type="image/png" id="favicon" href="chrome://browser/content/robot.ico"/>
--- a/browser/base/content/aboutTabCrashed.xhtml
+++ b/browser/base/content/aboutTabCrashed.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <link rel="stylesheet" type="text/css" media="all"
          href="chrome://global/skin/in-content/info-pages.css"/>
    <link rel="stylesheet" type="text/css" media="all"
--- a/browser/base/content/blockedSite.xhtml
+++ b/browser/base/content/blockedSite.xhtml
@ -6,7 +6,7 @@
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <link rel="stylesheet" href="chrome://browser/skin/blockedSite.css" type="text/css" media="all" />
    <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blocklist_favicon.png"/>
    <link rel="localization" href="branding/brand.ftl"/>
--- a/browser/base/content/newInstallPage.html
+++ b/browser/base/content/newInstallPage.html
@ -6,7 +6,7 @@

 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="connect-src https:; default-src chrome:">
+  <meta http-equiv="Content-Security-Policy" content="connect-src https:; default-src chrome:; object-src 'none'">
  <meta name="referrer" content="no-referrer">
  <link rel="stylesheet" type="text/css" href="chrome://global/skin/in-content/common.css">
  <link rel="stylesheet" type="text/css" href="chrome://browser/skin/newInstallPage.css">
--- a/browser/components/aboutconfig/content/aboutconfig.html
+++ b/browser/components/aboutconfig/content/aboutconfig.html
@ -5,7 +5,7 @@
 <!DOCTYPE html>
 <html>
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:">
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'">
    <meta charset="utf-8">
    <link rel="stylesheet" media="screen, projection" type="text/css"
          href="chrome://global/skin/in-content/common.css">
--- a/browser/components/downloads/content/contentAreaDownloadsView.xul
+++ b/browser/components/downloads/content/contentAreaDownloadsView.xul
@ -24,7 +24,7 @@
 <window id="contentAreaDownloadsView"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        title="&downloads.title;"
-        csp="default-src chrome:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA=='; img-src chrome: moz-icon:;">
+        csp="default-src chrome:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA=='; img-src chrome: moz-icon:; object-src 'none'">

  <script src="chrome://global/content/globalOverlay.js"/>
  <script src="chrome://browser/content/downloads/contentAreaDownloadsView.js"/>
--- a/browser/components/enterprisepolicies/content/aboutPolicies.xhtml
+++ b/browser/components/enterprisepolicies/content/aboutPolicies.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
        <title data-l10n-id="about-policies-title"/>
        <link rel="stylesheet" href="chrome://browser/content/policies/aboutPolicies.css" type="text/css" />
        <link rel="localization" href="branding/brand.ftl"/>
--- a/browser/components/library/content/aboutLibrary.xhtml
+++ b/browser/components/library/content/aboutLibrary.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title>about:library</title>
    <link rel="stylesheet" href="chrome://browser/skin/aboutLibrary.css" type="text/css" media="all"/>
    <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
--- a/browser/components/migration/content/aboutWelcomeBack.xhtml
+++ b/browser/components/migration/content/aboutWelcomeBack.xhtml
@ -11,7 +11,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'" />
    <title data-l10n-id="welcome-back-tab-title"></title>
    <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
    <link rel="stylesheet" href="chrome://browser/skin/aboutWelcomeBack.css" type="text/css" media="all"/>
--- a/browser/components/pocket/content/panels/saved.html
+++ b/browser/components/pocket/content/panels/saved.html
@ -2,7 +2,7 @@
 <html>
    <head>
        <meta charset="utf-8">
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
        <base href="chrome://pocket/content/panels/">
        <title>Pocket: Page Saved</title>
        <link rel="stylesheet" href="css/normalize.css">
--- a/browser/components/pocket/content/panels/signup.html
+++ b/browser/components/pocket/content/panels/signup.html
@ -2,7 +2,7 @@
 <html>
    <head>
        <meta charset="utf-8">
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
        <base href="chrome://pocket/content/panels/">
        <title>Pocket: Sign Up</title>
        <link rel="stylesheet" href="css/normalize.css">
--- a/browser/components/preferences/in-content/preferences.xul
+++ b/browser/components/preferences/in-content/preferences.xul
@ -24,7 +24,7 @@
     Additionally we should remove 'unsafe-inline' from style-src, see Bug 1579160 -->
 <page xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
      xmlns:html="http://www.w3.org/1999/xhtml"
-      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'"
+      csp="default-src chrome:; script-src chrome: 'sha512-X8+p/CqXeMdssOoFOf5RV+RpkvnN9pukQ20acGc7LqMgfYLW+lR0WAYT66OtSTpFHE/Qgx/ZCBs2RMc4QrA8FQ=='; img-src chrome: moz-icon: https:; style-src chrome: data: 'unsafe-inline'; object-src 'none'"
      role="document"
      data-l10n-id="pref-page"
      data-l10n-attrs="title">
--- a/browser/components/privatebrowsing/content/aboutPrivateBrowsing.xhtml
+++ b/browser/components/privatebrowsing/content/aboutPrivateBrowsing.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml" class="private">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:; object-src 'none'"/>
    <link rel="icon" type="image/png" href="chrome://browser/skin/privatebrowsing/favicon.svg"/>
    <link rel="stylesheet" href="chrome://browser/content/aboutPrivateBrowsing.css" type="text/css" media="all"/>
    <link rel="stylesheet" href="chrome://browser/skin/privatebrowsing/aboutPrivateBrowsing.css" type="text/css" media="all"/>
--- a/browser/components/protections/content/protections.html
+++ b/browser/components/protections/content/protections.html
@ -6,7 +6,7 @@
 <html>
  <head>
    <meta charset="utf-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:">
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: blob:; object-src 'none'">
    <link rel="localization" href="browser/branding/brandings.ftl"/>
    <link rel="localization" href="branding/brand.ftl"/>
    <link rel="localization" href="browser/branding/sync-brand.ftl">
--- a/browser/components/sessionstore/content/aboutSessionRestore.xhtml
+++ b/browser/components/sessionstore/content/aboutSessionRestore.xhtml
@ -11,7 +11,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'" />
    <title data-l10n-id="restore-page-tab-title"></title>
    <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css" media="all"/>
    <link rel="stylesheet" href="chrome://browser/skin/aboutSessionRestore.css" type="text/css" media="all"/>
--- a/browser/extensions/webcompat/manifest.json
+++ b/browser/extensions/webcompat/manifest.json
@ -46,7 +46,7 @@
    }
  },

-  "content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*;",
+  "content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*; object-src 'none';",

  "permissions": [
    "webRequest",
--- a/devtools/client/aboutdebugging/index.html
+++ b/devtools/client/aboutdebugging/index.html
@ -7,7 +7,7 @@
    <meta charset="utf-8" />
    <title>Debugging</title>
    <meta http-equiv="Content-Security-Policy"
-      content="default-src chrome: resource:; img-src data: chrome: resource: https:" />
+      content="default-src chrome: resource:; img-src data: chrome: resource: https:; object-src 'none'" />
    <link rel="icon" type="image/png" href="chrome://browser/skin/developer.svg">
    <link rel="stylesheet" href="chrome://devtools/content/aboutdebugging/aboutdebugging.css"/>
    <script src="resource://devtools/client/aboutdebugging/initializer.js"></script>
--- a/devtools/client/framework/toolbox.xul
+++ b/devtools/client/framework/toolbox.xul
@ -16,7 +16,7 @@

 <window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        xmlns:html="http://www.w3.org/1999/xhtml"
-        csp="default-src chrome: resource:; img-src chrome: resource: data:;">
+        csp="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'">
  <linkset>
    <html:link rel="localization" href="devtools/tooltips.ftl"/>
  </linkset>
--- a/devtools/docs/frontend/csp.md
+++ b/devtools/docs/frontend/csp.md
@ -5,7 +5,7 @@ The DevTools toolbox is loaded in an iframe pointing to about:devtools-toolbox.

 The current policy for about:devtools-toolbox is:
 ```
-default-src chrome: resource:; img-src chrome: resource: data:;
+default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'
 ```

 This means:
--- a/devtools/startup/aboutdevtools/aboutdevtools.xhtml
+++ b/devtools/startup/aboutdevtools/aboutdevtools.xhtml
@ -9,7 +9,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml" dir="&locale.dir;">
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <title data-l10n-id="head-title"></title>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>a
  <link rel="stylesheet" href="chrome://global/skin/in-content/common.css" type="text/css"/>
--- a/docshell/resources/content/netError.xhtml
+++ b/docshell/resources/content/netError.xhtml
@ -22,7 +22,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title>&loadError.label;</title>
    <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
    <!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@ -416,7 +416,8 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
  // which allows us to apply a strong CSP omitting 'unsafe-inline'. Ideally,
  // the CSP allows precisely the resources that need to be loaded; but it
  // should at least be as strong as:
-  // <meta http-equiv="Content-Security-Policy" content="default-src chrome:"/>
+  // <meta http-equiv="Content-Security-Policy" content="default-src chrome:;
+  // object-src 'none'"/>

  // Check if we should skip the assertion
  if (Preferences::GetBool("csp.skip_about_page_has_csp_assert")) {
@ -431,6 +432,7 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {

  nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
  bool foundDefaultSrc = false;
+  bool foundObjectSrc = false;
  if (csp) {
    uint32_t policyCount = 0;
    csp->GetPolicyCount(&policyCount);
@ -439,7 +441,9 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
      csp->GetPolicyString(i, parsedPolicyStr);
      if (parsedPolicyStr.Find("default-src") >= 0) {
        foundDefaultSrc = true;
-        break;
+      }
+      if (parsedPolicyStr.Find("object-src 'none'") >= 0) {
+        foundObjectSrc = true;
      }
    }
  }
@ -482,5 +486,7 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {

  MOZ_ASSERT(foundDefaultSrc,
             "about: page must contain a CSP including default-src");
+  MOZ_ASSERT(foundObjectSrc,
+             "about: page must contain a CSP denying object-src");
 }
 #endif
--- a/dom/tests/browser/file_load_module_script.html
+++ b/dom/tests/browser/file_load_module_script.html
@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:"/>
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'"/>
  <script type="module" src="chrome://mochitests/content/browser/dom/tests/browser/file_module_loaded.js"></script>
 </head>
 <body></body>
--- a/mobile/android/extensions/webcompat/manifest.json
+++ b/mobile/android/extensions/webcompat/manifest.json
@ -46,7 +46,7 @@
    }
  },

-  "content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*;",
+  "content_security_policy": "script-src 'self' 'sha256-MmZkN2QaIHhfRWPZ8TVRjijTn5Ci1iEabtTEWrt9CCo='; default-src 'self'; base-uri moz-extension://*; object-src 'none'",

  "permissions": [
    "webRequest",
--- a/netwerk/protocol/about/nsAboutCache.cpp
+++ b/netwerk/protocol/about/nsAboutCache.cpp
@ -87,7 +87,7 @@ nsresult nsAboutCache::Channel::Init(nsIURI* aURI, nsILoadInfo* aLoadInfo) {
      "  <title>Network Cache Storage Information</title>\n"
      "  <meta charset=\"utf-8\">\n"
      "  <meta http-equiv=\"Content-Security-Policy\" content=\"default-src "
-      "chrome:\"/>\n"
+      "chrome:; object-src 'none'\"/>\n"
      "  <link rel=\"stylesheet\" href=\"chrome://global/skin/about.css\"/>\n"
      "  <link rel=\"stylesheet\" "
      "href=\"chrome://global/skin/aboutCache.css\"/>\n"
--- a/netwerk/protocol/about/nsAboutCacheEntry.cpp
+++ b/netwerk/protocol/about/nsAboutCacheEntry.cpp
@ -144,7 +144,7 @@ nsresult nsAboutCacheEntry::Channel::GetContentStream(nsIURI* uri,
      "<html>\n"
      "<head>\n"
      "  <meta http-equiv=\"Content-Security-Policy\" content=\"default-src "
-      "chrome:\" />\n"
+      "chrome:; object-src 'none'\" />\n"
      "  <title>Cache entry information</title>\n"
      "  <link rel=\"stylesheet\" "
      "href=\"chrome://global/skin/about.css\" type=\"text/css\"/>\n"
--- a/testing/mochitest/tests/browser/dummy.html
+++ b/testing/mochitest/tests/browser/dummy.html
@ -1,6 +1,6 @@
 <!DOCTYPE html>
 <html>
-  <meta http-equiv="Content-Security-Policy" content="default-src 'none'"></meta>
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; object-src 'none'"></meta>
  <title>This is a dummy page</title>
  <meta charset="utf-8">
  <body>This is a dummy page</body>
--- a/toolkit/components/aboutcheckerboard/content/aboutCheckerboard.xhtml
+++ b/toolkit/components/aboutcheckerboard/content/aboutCheckerboard.xhtml
@ -6,7 +6,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <meta name="viewport" content="width=device-width"/>
  <title>Checkerboard Analyzer</title>
  <link rel="stylesheet" href="chrome://global/content/aboutCheckerboard.css" type="text/css"/>
--- a/toolkit/components/aboutmemory/content/aboutMemory.xhtml
+++ b/toolkit/components/aboutmemory/content/aboutMemory.xhtml
@ -16,7 +16,7 @@
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <meta name="viewport" content="width=device-width"/>
    <title>Memory Analyzer</title>
    <link rel="stylesheet" href="chrome://global/skin/aboutMemory.css" type="text/css"/>
--- a/toolkit/components/aboutperformance/content/aboutPerformance.xhtml
+++ b/toolkit/components/aboutperformance/content/aboutPerformance.xhtml
@ -6,7 +6,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:;img-src data:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:;img-src data:; object-src 'none'" />
    <title data-l10n-id="about-performance-title"/>
    <link rel="icon" type="image/svg+xml" id="favicon"
          href="chrome://global/skin/icons/performance.svg"/>
--- a/toolkit/components/certviewer/content/certviewer.html
+++ b/toolkit/components/certviewer/content/certviewer.html
@ -7,7 +7,7 @@
 <html>
  <head>
    <meta name="viewport" content="width=device-width" />
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <link rel="localization" href="toolkit/about/certviewer.ftl">
    <link rel="localization" href="branding/brand.ftl">
    <script defer="defer" src="chrome://global/content/certviewer/pvutils_bundle.js"></script>
--- a/toolkit/components/normandy/content/about-studies/about-studies.html
+++ b/toolkit/components/normandy/content/about-studies/about-studies.html
@ -5,7 +5,7 @@
 <html>
  <head>
    <meta charset="utf-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; script-src resource:; style-src resource: chrome:"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; script-src resource:; style-src resource: chrome:; object-src 'none'"/>
    <title>about:studies</title>
    <link rel="stylesheet" href="chrome://global/skin/global.css">
    <link rel="stylesheet" href="chrome://global/skin/in-content/common.css">
--- a/toolkit/components/reader/content/aboutReader.html
+++ b/toolkit/components/reader/content/aboutReader.html
@ -6,7 +6,7 @@
 <html>

 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; img-src data: *; media-src *" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; img-src data: *; media-src *; object-src 'none'" />
  <meta content="text/html; charset=UTF-8" http-equiv="content-type" />
  <meta name="viewport" content="width=device-width; user-scalable=0" />
  <link rel="stylesheet" href="chrome://global/skin/aboutReader.css" type="text/css"/>
--- a/toolkit/components/viewconfig/content/config.xul
+++ b/toolkit/components/viewconfig/content/config.xul
@ -9,7 +9,7 @@
 <?xml-stylesheet href="chrome://global/skin/config.css" type="text/css"?>

 <window id="config"
-        csp="default-src chrome:"
+        csp="default-src chrome:; object-src 'none'"
        data-l10n-id="config-window"
        aria-describedby="warningTitle warningText"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
--- a/toolkit/content/aboutAbout.xhtml
+++ b/toolkit/content/aboutAbout.xhtml
@ -7,7 +7,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <title data-l10n-id="about-about-title"></title>
  <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css"/>
  <link rel="localization" href="toolkit/about/aboutAbout.ftl"/>
--- a/toolkit/content/aboutNetworking.xhtml
+++ b/toolkit/content/aboutNetworking.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
        <title data-l10n-id="title"/>
        <link rel="stylesheet" href="chrome://mozapps/skin/aboutNetworking.css" type="text/css" />
        <script src="chrome://global/content/aboutNetworking.js" />
--- a/toolkit/content/aboutProfiles.xhtml
+++ b/toolkit/content/aboutProfiles.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title data-l10n-id="profiles-title"></title>
    <link rel="icon" type="image/png" id="favicon" href="chrome://branding/content/icon32.png" />
    <link rel="stylesheet" href="chrome://mozapps/skin/aboutProfiles.css" type="text/css" />
--- a/toolkit/content/aboutRights-unbranded.xhtml
+++ b/toolkit/content/aboutRights-unbranded.xhtml
@ -11,7 +11,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml">

 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <title data-l10n-id="rights-title"></title>
  <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css"/>
  <link rel="localization" href="branding/brand.ftl"/>
--- a/toolkit/content/aboutRights.xhtml
+++ b/toolkit/content/aboutRights.xhtml
@ -11,7 +11,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml">

 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <title data-l10n-id="rights-title"></title>
  <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css"/>
  <link rel="stylesheet" href="chrome://global/skin/aboutRights.css" type="text/css"/>
--- a/toolkit/content/aboutServiceWorkers.xhtml
+++ b/toolkit/content/aboutServiceWorkers.xhtml
@ -10,7 +10,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
-        <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+        <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
        <title data-l10n-id="about-service-workers-title"></title>
        <link rel="stylesheet" href="chrome://global/skin/about.css" type="text/css" />
        <link rel="stylesheet" href="chrome://mozapps/skin/aboutServiceWorkers.css" type="text/css" />
--- a/toolkit/content/aboutSupport.xhtml
+++ b/toolkit/content/aboutSupport.xhtml
@ -11,7 +11,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title data-l10n-id="page-title"/>

    <link rel="icon" type="image/png" id="favicon"
--- a/toolkit/content/aboutTelemetry.xhtml
+++ b/toolkit/content/aboutTelemetry.xhtml
@ -8,7 +8,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; object-src 'none'" />
    <title data-l10n-id="about-telemetry-page-title"></title>
    <link rel="stylesheet" href="chrome://global/content/aboutTelemetry.css"
          type="text/css"/>
--- a/toolkit/content/aboutUrlClassifier.xhtml
+++ b/toolkit/content/aboutUrlClassifier.xhtml
@ -10,7 +10,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <title data-l10n-id="url-classifier-title"></title>
  <link rel="stylesheet" href="chrome://global/content/aboutUrlClassifier.css" type="text/css"/>
  <link rel="localization" href="toolkit/about/url-classifier.ftl"/>
--- a/toolkit/content/aboutwebrtc/aboutWebrtc.html
+++ b/toolkit/content/aboutwebrtc/aboutWebrtc.html
@ -6,7 +6,7 @@

 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
  <meta charset="utf-8" />
  <title>about:webrtc</title>
  <link rel="stylesheet" type="text/css" media="all"
--- a/toolkit/content/buildconfig.html
+++ b/toolkit/content/buildconfig.html
@ -7,7 +7,7 @@
 #include @TOPOBJDIR@/source-repo.h
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src chrome:" />
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src chrome:; object-src 'none'" />
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width; user-scalable=false;">
  <title>Build Configuration</title>
--- a/toolkit/content/license.html
+++ b/toolkit/content/license.html
@ -5,7 +5,7 @@

 <html lang="en">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src chrome:; img-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src chrome:; img-src chrome:; object-src 'none'" />
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
    <title>Licenses</title>
    <link rel="stylesheet" href="chrome://global/skin/in-content/info-pages.css" type="text/css">
--- a/toolkit/content/mozilla.xhtml
+++ b/toolkit/content/mozilla.xhtml
@ -12,7 +12,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src chrome:; object-src 'none'" />
    <meta charset='utf-8' />
    <title>&mozilla.title.11.14;</title>
    <link rel="stylesheet" href="chrome://global/content/aboutMozilla.css"/>" type="text/css"/>
--- a/toolkit/content/plugins.html
+++ b/toolkit/content/plugins.html
@ -6,7 +6,7 @@

 <html>
 <head>
-<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:" />
+<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; object-src 'none'" />
 <title data-l10n-id="title-label"></title>
 <link rel="stylesheet" type="text/css" href="chrome://global/content/plugins.css">
 <link rel="stylesheet" type="text/css" href="chrome://global/skin/plugins.css">
--- a/toolkit/crashreporter/content/crashes.xhtml
+++ b/toolkit/crashreporter/content/crashes.xhtml
@ -6,7 +6,7 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <link rel="localization" href="crashreporter/aboutcrashes.ftl"/>
    <link rel="stylesheet" type="text/css" href="chrome://global/content/crashes.css"/>
    <link rel="stylesheet" media="screen, projection" type="text/css"
--- a/toolkit/mozapps/extensions/content/aboutaddons.html
+++ b/toolkit/mozapps/extensions/content/aboutaddons.html
@ -6,7 +6,7 @@
 <html>
  <head>
    <!-- Bug 1571346 Remove 'unsafe-inline' from style-src within about:addons -->
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; script-src chrome:; style-src chrome: 'unsafe-inline'; img-src chrome: file: jar: https: http:; connect-src chrome: data: https: http:">
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; script-src chrome:; style-src chrome: 'unsafe-inline'; img-src chrome: file: jar: https: http:; connect-src chrome: data: https: http:; object-src 'none'">
    <link rel="stylesheet" href="chrome://global/content/tabprompts.css">
    <link rel="stylesheet" href="chrome://global/skin/tabprompts.css">

--- a/toolkit/mozapps/extensions/content/extensions.xul
+++ b/toolkit/mozapps/extensions/content/extensions.xul
@ -21,7 +21,7 @@
   -->
 <page xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
      xmlns:xhtml="http://www.w3.org/1999/xhtml"
-      csp="default-src chrome:; frame-src chrome: data: http: https:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA==' 'sha512-kSDNX67wegjpcf8CSj/L6h46a0QUKm2CyijGxC5PhSWVvPU9gdd28QVBBFq9t8N5UGKUFdDcZsjYbGSlYG0y3g==';"
+      csp="default-src chrome:; frame-src chrome: data: http: https:; script-src chrome: 'sha512-4o5Uf4E4EG+90Mb820FH2YFDf4IuX4bfUwQC7reK1ZhgcXWJBKMK2330XIELaFJJ8HiPffS9mP60MPjuXMIrHA==' 'sha512-kSDNX67wegjpcf8CSj/L6h46a0QUKm2CyijGxC5PhSWVvPU9gdd28QVBBFq9t8N5UGKUFdDcZsjYbGSlYG0y3g=='; object-src 'none'"
      id="addons-page" data-l10n-id="addons-window"
      role="application" windowtype="Addons:Manager">