Bug 1579608 - add CSP to about:accounts and about:downloads and about:support. r=khushil

The dom.security.skip_about_page_has_csp_assert pref is still needed since we have inline scripts. => assertion: "about: page must not contain a CSP including 'unsafe-inline'"
2020-11-15 12:54:37 +02:00 · 2020-11-15 12:54:37 +02:00 · 780a779ff7
--- a/mail/components/about-support/content/aboutSupport.xhtml
+++ b/mail/components/about-support/content/aboutSupport.xhtml
@ -13,7 +13,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
-    <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
+    <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" />
    <title data-l10n-id="page-title"/>

    <link rel="icon" type="image/png" id="favicon"
--- a/mail/components/downloads/content/aboutDownloads.xhtml
+++ b/mail/components/downloads/content/aboutDownloads.xhtml
@ -17,6 +17,7 @@
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" xmlns:html="http://www.w3.org/1999/xhtml"
        xmlns:xhtml="http://www.w3.org/1999/xhtml"
        title="&aboutDownloads.title;"
+        csp="default-src chrome:; object-src 'none'; script-src chrome: 'unsafe-inline'"
        lightweightthemes="true"
        onload="DownloadsView.init();">
  <xhtml:link rel="shortcut icon"
--- a/mailnews/base/prefs/content/AccountManager.xhtml
+++ b/mailnews/base/prefs/content/AccountManager.xhtml
@ -16,6 +16,7 @@
 <window windowtype="mailnews:accountmanager"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" xmlns:html="http://www.w3.org/1999/xhtml"
        title="&accountManagerTitle.label;"
+        csp="default-src chrome:; script-src chrome: 'unsafe-inline'; img-src chrome: moz-icon: https: data:; style-src chrome: data: 'unsafe-inline'; object-src 'none'"
        persist="width height screenX screenY"
        onload="onLoad(event);"
        onunload="onUnload();">