Bug 1953866 - Add a strict script-src CSP to browser.xhtml for Nightly/Beta. r=freddyb,firefox-desktop-core-reviewers ,mossop

Differential Revision: https://phabricator.services.mozilla.com/D242273
2025-04-01 10:39:54 +00:00
parent 8ddc20523c
commit 02c4420952
1 changed files with 4 additions and 0 deletions
--- a/browser/base/content/browser.xhtml
+++ b/browser/base/content/browser.xhtml
@@ -30,7 +30,11 @@
        data-l10n-sync="true">
 <head>
  <!-- CSP might be disabled by C++ code. -->
+#if defined(EARLY_BETA_OR_EARLIER)
+  <meta http-equiv="Content-Security-Policy" content="script-src chrome: moz-src: resource: 'report-sample'" />
+#else
  <meta http-equiv="Content-Security-Policy" content="script-src-attr 'none' 'report-sample'" />
+#endif

  <!-- The "global.css" stylesheet is imported first to allow other stylesheets to
      override rules using selectors with the same specificity. This applies to