Bug 1944329 - Remove inline event handler and use restrictive CSP for fxaPairDeviceDialog. r=settings-reviewers,Gijs

Differential Revision: https://phabricator.services.mozilla.com/D236197

browser/components/preferences/fxaPairDevice.js

@@ -35,6 +35,11 @@ const MIN_PAIRING_LOADING_TIME_MS = 1000;
  */
 var gFxaPairDeviceDialog = {
   init() {
+    window.addEventListener("unload", () => this.uninit());
+    document
+      .getElementById("qrError")
+      .addEventListener("click", () => this.startPairingFlow());
+
     this._resetBackgroundQR();
     // We let the modal show itself before eventually showing a primary-password dialog later.
     Services.tm.dispatchToMainThread(() => this.startPairingFlow());
@@ -140,3 +145,5 @@ var gFxaPairDeviceDialog = {
     }
   },
 };
+
+window.addEventListener("load", () => gFxaPairDeviceDialog.init());

browser/components/preferences/fxaPairDevice.xhtml

@@ -10,10 +10,9 @@
   type="child"
   xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   xmlns:html="http://www.w3.org/1999/xhtml"
-  onload="gFxaPairDeviceDialog.init();"
-  onunload="gFxaPairDeviceDialog.uninit()"
   data-l10n-id="fxa-pair-device-dialog-sync2"
   data-l10n-attrs="style"
+  csp="default-src chrome:; img-src chrome: data:; style-src chrome: 'unsafe-inline';"
 >
   <dialog id="fxaPairDeviceDialog1" buttons="accept">
     <linkset>
@@ -59,7 +58,7 @@
         <vbox align="center" id="qrWrapper" pairing-status="loading">
           <box id="qrContainer"></box>
           <box id="qrSpinner"></box>
-          <vbox id="qrError" onclick="gFxaPairDeviceDialog.startPairingFlow();">
+          <vbox id="qrError">
             <image id="refresh-qr" />
             <label
               class="qr-error-text"