Bug 1872504 - Add img-src 'self' to JSON viewer CSP to allow favicon.ico to load r=freddyb,devtools-reviewers,nchevobbe

Differential Revision: https://phabricator.services.mozilla.com/D197674

devtools/client/jsonview/converter-child.js

@@ -26,7 +26,7 @@ const BufferStream = Components.Constructor(
   "setData"
 );
 
-const kCSP = "default-src 'none' ; script-src resource:; ";
+const kCSP = "default-src 'none'; script-src resource:; img-src 'self';";
 
 // Localization
 loader.lazyGetter(this, "jsonViewStrings", () => {

devtools/client/jsonview/test/browser.toml

@@ -53,6 +53,8 @@ support-files = ["chunked_json.sjs"]
 ["browser_jsonview_expand_collapse.js"]
 skip-if = ["os == 'linux' && bits == 64 && !debug"] # Bug 1794904
 
+["browser_jsonview_favicon.js"]
+
 ["browser_jsonview_filter.js"]
 
 ["browser_jsonview_filter_clear.js"]

devtools/client/jsonview/test/browser_jsonview_favicon.js

@@ -0,0 +1,46 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Check that, if browser.chrome.guess_favicon is enabled, the favicon.ico will
+// be loaded for the JSON viewer. The favicon could be prevented from loading
+// by a too strict CSP (Bug 1872504).
+
+const { HttpServer } = ChromeUtils.importESModule(
+  "resource://testing-common/httpd.sys.mjs"
+);
+
+add_task(async function test_favicon() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["browser.chrome.guess_favicon", true]],
+  });
+
+  const httpServer = new HttpServer();
+
+  httpServer.registerPathHandler("/", (_, response) => {
+    response.setHeader("Content-Type", "application/json");
+    response.write("{}");
+  });
+
+  const faviconPromise = new Promise(resolve => {
+    httpServer.registerPathHandler("/favicon.ico", () => {
+      resolve();
+    });
+  });
+
+  httpServer.start(-1);
+
+  const tab = await BrowserTestUtils.openNewForegroundTab({
+    gBrowser,
+    url: `http://localhost:${httpServer.identity.primaryPort}/`,
+  });
+
+  info("Waiting for favicon request to be received by server");
+  await faviconPromise;
+  ok("Server got request for favicon");
+
+  BrowserTestUtils.removeTab(tab);
+
+  httpServer.stop();
+});