Bug 1588816 - Remove userChrome.css case since XBL is dead in Nightly r=bgrins

Differential Revision: https://phabricator.services.mozilla.com/D50964 --HG-- extra : moz-landing-system : lando
2019-10-29 17:10:59 +00:00 · 2019-10-29 17:10:59 +00:00 · d72a6eb2f3
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@ -300,11 +300,11 @@ bool nsContentSecurityUtils::IsEvalAllowed(JSContext* cx,
    return true;
  }

-  // We only perform checks of these two preferences on the Main Thread
-  // (because a String-based preference checks is only safe on Main Thread.)
+  // We only perform a check of this preference on the Main Thread
+  // (because a String-based preference check is only safe on Main Thread.)
  // The consequence of this is that if a user is using userChromeJS _and_
  // the scripts they use start a worker and that worker uses eval - we will
-  // enter this function, skip over these pref checks that would normally cause
+  // enter this function, skip over this pref check that would normally cause
  // us to allow the eval usage - and we will block it.
  // While not ideal, we do not officially support userChromeJS, and hopefully
  // the usage of workers and eval in workers is even lower that userChromeJS
@ -324,22 +324,6 @@ bool nsContentSecurityUtils::IsEvalAllowed(JSContext* cx,
                                   : "in parent process")));
      return true;
    }
-
-    // This preference is better known as userchrome.css which allows
-    // customization of the Firefox UI. Believe it or not, you can also
-    // use XBL bindings to get it to run Javascript in the same manner
-    // as userChromeJS above, so even though 99.9% of people using
-    // userchrome.css aren't doing that, we're still going to need to
-    // disable the eval() assertion for them.
-    if (Preferences::GetBool(
-            "toolkit.legacyUserProfileCustomizations.stylesheets")) {
-      MOZ_LOG(sCSMLog, LogLevel::Debug,
-              ("Allowing eval() %s because of "
-               "toolkit.legacyUserProfileCustomizations.stylesheets",
-               (aIsSystemPrincipal ? "with System Principal"
-                                   : "in parent process")));
-      return true;
-    }
  }

  // We permit these two common idioms to get access to the global JS object