gecko-dev/accessible
Kris Maglione b3cac601f6 Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs
This is a short-term solution to our inability to apply CSP to
chrome-privileged documents.

Ideally, we should be preventing all inline script execution in
chrome-privileged documents, since the reprecussions of XSS in chrome
documents are much worse than in content documents. Unfortunately, that's not
possible in the near term because a) we don't support CSP in system principal
documents at all, and b) we rely heavily on inline JS in our static XUL.

This stop-gap solution at least prevents some of the most common vectors of
XSS attack, by automatically sanitizing any HTML fragment created for a
chrome-privileged document.

MozReview-Commit-ID: 5w17celRFr

--HG--
extra : rebase_source : 1c0a1448a06d5b65e548d9f5362d06cc6d865dbe
extra : amend_source : 7184593019f238b86fd1e261941d8e8286fa4006
2018-01-24 14:56:48 -08:00
..
aom Bug 1419131 - adding a11y force disabled pref observer when accessibility service is being created. r=surkov 2017-11-29 00:01:18 -05:00
atk Bug 1278282 - Remove the 'MOZ_WIDGET_GTK == 2' defines r=karlt,lsalzman 2018-01-10 08:52:04 +01:00
base Bug 1426807 - Prevent the a11y code running on static clone (printing) docs. r=surkov 2018-01-24 20:02:15 +00:00
generic Bug 1430997 - Rename nsINode::IndexOf to nsINode::ComputeIndexOf, r=catalinb 2018-01-23 14:30:18 +01:00
html Bug 1423541: Use BaseRect access methods instead of member variables in accessible/ r=surkov 2018-01-12 12:07:29 -05:00
interfaces Bug 1427512 - Part 27: Remove nsIDOMCSSPrimitiveValue. r=xidorn,bz 2018-01-11 16:17:57 +08:00
ipc Bug 1430938 part 2: AccessibleHandler: When QueryService is called for IAccessibleAction or IAccessibleText, just use QI. r=MarcoZ 2018-01-17 10:23:07 +10:00
jsat Backed out 3 changesets (bug 1431533) for Android mochitest bustage. CLOSED TREE 2018-01-24 22:04:59 -08:00
mac Bug 1400460 - Rename nsIAtom as nsAtom. r=hiro. 2017-10-03 09:05:19 +11:00
other Bug 1394734 - Replace CONFIG['GNU_C*'] by CONFIG['CC_TYPE'] r=glandium 2017-12-07 22:09:15 +01:00
tests Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs 2018-01-24 14:56:48 -08:00
windows Bug 1423541: Use BaseRect access methods instead of member variables in accessible/ r=surkov 2018-01-12 12:07:29 -05:00
xpcom Bug 1423541: Use BaseRect access methods instead of member variables in accessible/ r=surkov 2018-01-12 12:07:29 -05:00
xul Bug 1423541: Use BaseRect access methods instead of member variables in accessible/ r=surkov 2018-01-12 12:07:29 -05:00
.eslintrc.js Bug 1425244 - Enable ESLint rule object-shorthand for accessible/. r=surkov 2017-12-11 13:08:14 +00:00
moz.build Bug 1329977 - creating doc accessibles for existing content documents. r=surkov 2017-10-31 09:48:07 -04:00