Bug 1727803: Create security exemptions for about:sync and about:downloads r=freddyb

This will also fix Bug 1727770

Differential Revision: https://phabricator.services.mozilla.com/D123790

dom/security/nsContentSecurityUtils.cpp

@@ -524,7 +524,8 @@ void PossiblyCrash(const char* aPrefSuffix, const char* aUnsafeCrashString,
     // MOZ_CRASH_UNSAFE_PRINTF("%s",
     //                        nsContentSecurityUtils::SmartFormatCrashString(aUnsafeCrashString));
     MOZ_CRASH_UNSAFE_PRINTF(
-        "%s", nsContentSecurityUtils::SmartFormatCrashString(aSafeCrashString.get()));
+        "%s",
+        nsContentSecurityUtils::SmartFormatCrashString(aSafeCrashString.get()));
   }
 }
 #endif
@@ -1041,6 +1042,9 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
     "about:printpreview"_ns,
     // about:logo just displays the firefox logo -> no CSP
     "about:logo"_ns,
+    // about:sync is a special mozilla-signed developer addon with low usage ->
+    // no CSP
+    "about:sync"_ns,
 #  if defined(ANDROID)
     "about:config"_ns,
 #  endif
@@ -1206,8 +1210,20 @@ bool nsContentSecurityUtils::ValidateScriptFilename(const char* aFilename,
     return true;
   }
 
+  auto kAllowedFilenames = {
+      // Allow through the injection provided by about:sync addon
+      u"data:,new function() {\n  Components.utils.import(\"chrome://aboutsync/content/AboutSyncRedirector.js\");\n  AboutSyncRedirector.register();\n}"_ns,
+      // Until 371900 is fixed, we need to do something about about:downloads
+      // and this is the most reasonable. See 1727770
+      u"about:downloads"_ns};
+  for (auto allowedFilename : kAllowedFilenames) {
+    if (filenameU == allowedFilename) {
+      return true;
+    }
+  }
+
   // Log to MOZ_LOG
-  MOZ_LOG(sCSMLog, LogLevel::Info,
+  MOZ_LOG(sCSMLog, LogLevel::Error,
           ("ValidateScriptFilename System:%i %s\n", (aIsSystemRealm ? 1 : 0),
            aFilename));