Bug 1594234 remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled r=robwu

Differential Revision: https://phabricator.services.mozilla.com/D101212
2021-01-19 19:43:09 +00:00 · 2021-01-19 19:43:09 +00:00 · 6a2b434485
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@ -414,9 +414,6 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(

  nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
  if (!csp) {
-    if (!StaticPrefs::extensions_content_script_csp_enabled()) {
-      return true;
-    }
    // Get the CSP for addon sandboxes.  If the principal is expanded and has a
    // csp, we're probably in luck.
    auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -1113,9 +1113,6 @@ bool xpc::GlobalProperties::DefineInSandbox(JSContext* cx,
 * provided by the extension in its manifest.
 */
 nsresult ApplyAddonContentScriptCSP(nsISupports* prinOrSop) {
-  if (!StaticPrefs::extensions_content_script_csp_enabled()) {
-    return NS_OK;
-  }
  nsCOMPtr<nsIPrincipal> principal = do_QueryInterface(prinOrSop);
  if (!principal) {
    return NS_OK;
@ -1166,9 +1163,7 @@ nsresult ApplyAddonContentScriptCSP(nsISupports* prinOrSop) {
  csp = new nsCSPContext();
  MOZ_TRY(csp->SetRequestContextWithPrincipal(expanded, selfURI, u""_ns, 0));

-  bool reportOnly = StaticPrefs::extensions_content_script_csp_report_only();
-
-  MOZ_TRY(csp->AppendPolicy(baseCSP, reportOnly, false));
+  MOZ_TRY(csp->AppendPolicy(baseCSP, false, false));

  expanded->SetCsp(csp);
  return NS_OK;
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -3660,18 +3660,6 @@
  value: false
  mirror: always

-# This pref governs whether we enable content script CSP in extensions.
- name: extensions.content_script_csp.enabled
-  type: bool
-  value: false
-  mirror: always
-
-# This pref governs whether content script CSP is report-only.
- name: extensions.content_script_csp.report_only
-  type: bool
-  value: true
-  mirror: always
-
 # This pref governs whether we run webextensions in a separate process (true)
 # or the parent/main process (false)
 - name: extensions.webextensions.remote
--- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js
@ -6,9 +6,6 @@ const { TestUtils } = ChromeUtils.import(
  "resource://testing-common/TestUtils.jsm"
 );

-// Enable and turn off report-only so we can validate the results.
-Services.prefs.setBoolPref("extensions.content_script_csp.enabled", true);
-Services.prefs.setBoolPref("extensions.content_script_csp.report_only", false);
 Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);

 const server = createHttpServer({
--- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
@ -39,7 +39,6 @@ var gContentSecurityPolicy = null;

 const BASE_URL = `http://example.com`;
 const CSP_REPORT_PATH = "/csp-report.sjs";
-const CSP_REPORT_URL = `http://csplog.example.net/csp-report.sjs`;

 /**
 * Registers a static HTML document with the given content at the given
@ -1320,24 +1319,7 @@ add_task(async function test_contentscript_csp() {
 * content page.
 */
 add_task(async function test_extension_contentscript_csp() {
-  Services.prefs.setBoolPref("extensions.content_script_csp.enabled", true);
-  Services.prefs.setBoolPref(
-    "extensions.content_script_csp.report_only",
-    false
-  );
-
-  // Add reporting to base and default CSP as this cannot be done via manifest.
-  let baseCSP = Services.prefs.getStringPref(
-    "extensions.webextensions.base-content-security-policy"
-  );
-  Services.prefs.setStringPref(
-    "extensions.webextensions.base-content-security-policy",
-    `${baseCSP} report-uri ${CSP_REPORT_URL};`
-  );
-  Services.prefs.setStringPref(
-    "extensions.webextensions.default-content-security-policy",
-    `script-src 'self' 'report-sample'; object-src 'self' 'report-sample'; report-uri ${CSP_REPORT_URL};`
-  );
+  Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);

  // TODO bug 1408193: We currently don't get the full set of CSP reports when
  // running in network scheduling chaos mode. It's not entirely clear why.
@ -1346,7 +1328,14 @@ add_task(async function test_extension_contentscript_csp() {

  gContentSecurityPolicy = `default-src 'none' 'report-sample'; script-src 'nonce-deadbeef' 'unsafe-eval' 'report-sample'; report-uri ${CSP_REPORT_PATH};`;

-  let extension = ExtensionTestUtils.loadExtension(EXTENSION_DATA);
+  let data = {
+    ...EXTENSION_DATA,
+    manifest: {
+      ...EXTENSION_DATA.manifest,
+      manifest_version: 3,
+    },
+  };
+  let extension = ExtensionTestUtils.loadExtension(data);
  await extension.startup();

  let urlsPromise = extension.awaitMessage("css-sources").then(msg => {
@ -1369,4 +1358,5 @@ add_task(async function test_extension_contentscript_csp() {

  await extension.unload();
  await contentPage.close();
+  Services.prefs.clearUserPref("extensions.manifestV3.enabled");
 });