Kris Maglione b3cac601f6 Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs ... This is a short-term solution to our inability to apply CSP to chrome-privileged documents. Ideally, we should be preventing all inline script execution in chrome-privileged documents, since the reprecussions of XSS in chrome documents are much worse than in content documents. Unfortunately, that's not possible in the near term because a) we don't support CSP in system principal documents at all, and b) we rely heavily on inline JS in our static XUL. This stop-gap solution at least prevents some of the most common vectors of XSS attack, by automatically sanitizing any HTML fragment created for a chrome-privileged document. MozReview-Commit-ID: 5w17celRFr --HG-- extra : rebase_source : 1c0a1448a06d5b65e548d9f5362d06cc6d865dbe extra : amend_source : 7184593019f238b86fd1e261941d8e8286fa4006		2018-01-24 14:56:48 -08:00
..
browser	Bug 1405796 - Don't traverse into relocated children in scoped TreeWalker. r=surkov	2017-12-22 11:25:00 -05:00
crashtests	Backed out changeset 47637ccbabfd (bug 1396478) for leaks on a newly-added accessability test on a CLOSED TREE	2017-12-21 23:27:27 +02:00
mochitest	Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs	2018-01-24 14:56:48 -08:00