mirror of https://github.com/mozilla/gecko-dev.git
b3cac601f6
This is a short-term solution to our inability to apply CSP to chrome-privileged documents. Ideally, we should be preventing all inline script execution in chrome-privileged documents, since the repercussions of XSS in chrome documents are much worse than in content documents. Unfortunately, that's not possible in the near term because a) we don't support CSP in system principal documents at all, and b) we rely heavily on inline JS in our static XUL.

This stop-gap solution at least prevents some of the most common vectors of XSS attack, by automatically sanitizing any HTML fragment created for a chrome-privileged document.

MozReview-Commit-ID: 5w17celRFr

--HG--
extra : rebase_source : 1c0a1448a06d5b65e548d9f5362d06cc6d865dbe
extra : amend_source : 7184593019f238b86fd1e261941d8e8286fa4006
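What "automatically sanitizing any HTML fragment" amounts to in practice, as an added example that is not Gecko's code and not part of this commit: a small allowlist sanitizer in JavaScript that removes the inline-script vectors the commit message is concerned with (script elements, event-handler attributes, and javascript:/data: URLs, including entity- and whitespace-obfuscated ones). The element, attribute and URL-scheme allowlists are assumptions chosen for illustration. It tokenizes the text directly so it can run anywhere; a production sanitizer works on the parser's DOM tree and is tested against parser differentials, which this one is not.

```javascript
// Allowlist-based sanitizer for an HTML fragment destined for a privileged
// document. Everything not explicitly allowed is dropped (fail closed).
// Allowlists below are illustrative assumptions, not a project policy.
const ALLOWED_ELEMENTS = new Set([
  "a", "b", "br", "div", "em", "i", "img", "label", "li", "ol", "p", "span",
  "strong", "ul",
]);
// Elements whose text content is itself dangerous: drop them together with
// everything up to their closing tag.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "template"]);
const ALLOWED_ATTRIBUTES = new Set(["alt", "class", "href", "id", "src", "title"]);
const URL_ATTRIBUTES = new Set(["href", "src"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Minimal entity decoder: numeric references plus the five basic named ones.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot|apos);/gi, (_, ent) => {
    const e = ent.toLowerCase();
    if (e[0] !== "#") return named[e];
    const cp = e[1] === "x" ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp > 0x10ffff ? "" : String.fromCodePoint(cp);
  });
}

function safeUrl(value) {
  const decoded = decodeEntities(value);
  // An entity this small decoder does not know could still hide a scheme
  // (e.g. "javascript&colon;"): fail closed rather than guess.
  if (/&[a-z0-9#]+;/i.test(decoded)) return false;
  // The URL parser strips leading control characters and removes tabs and
  // newlines anywhere, so "java\nscript:" is still javascript:. Stripping all
  // C0 controls and spaces here is more than the parser does, which only errs
  // towards rejecting.
  const cleaned = decoded.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative URL, resolved against the document
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Re-serialize only the attributes that pass the allowlist and URL check.
function sanitizeAttributes(raw) {
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let out = "";
  for (const m of raw.matchAll(re)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name.startsWith("on")) continue; // event handlers are inline script, whatever the allowlist says
    if (!ALLOWED_ATTRIBUTES.has(name)) continue;
    if (URL_ATTRIBUTES.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${escapeAttr(decodeEntities(value))}"`;
  }
  return out;
}

function sanitizeFragment(html) {
  const tagRe = /^<(\/?)([a-z][a-z0-9-]*)([^>]*)>/i;
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const rest = html.slice(lt);
    if (rest.startsWith("<!--")) { // comments carry nothing we want to keep
      const end = rest.indexOf("-->");
      i = end === -1 ? html.length : lt + end + 3;
      continue;
    }
    const m = tagRe.exec(rest);
    if (!m) { out += "&lt;"; i = lt + 1; continue; } // not a tag: literal '<'
    const [whole, close, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (DROP_WITH_CONTENT.has(name)) {
      if (!close) { // skip the element's content up to its closing tag
        const endM = new RegExp(`</${name}\\s*>`, "i").exec(html.slice(i));
        i = endM ? i + endM.index + endM[0].length : html.length;
      }
      continue;
    }
    if (!ALLOWED_ELEMENTS.has(name)) continue; // unknown element: keep its children, drop the tag
    out += close ? `</${name}>` : `<${name}${sanitizeAttributes(attrs)}>`;
  }
  return out;
}

// Constructed sample input (not from the project): a fragment carrying three
// inline-script vectors and one benign link.
const SAMPLE =
  '<p onclick="alert(1)">hi <script>alert(1)</script>' +
  '<a href="java&#115;cript:alert(1)">x</a> ' +
  '<a href="https://example.com/?a=1&amp;b=2">ok</a></p>';
console.log(sanitizeFragment(SAMPLE));
```

The design choice worth noting is that nothing is "repaired": an attribute whose value cannot be proven safe is removed rather than rewritten, and an entity the decoder does not recognise causes the URL to be rejected outright, because the browser's own attribute decoding would otherwise reassemble the scheme the check failed to see.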
aom
atk
base
generic
html
interfaces
ipc
jsat
mac
other
tests
windows
xpcom
xul
.eslintrc.js
moz.build