Bug 1954941. Add CSP to load_device.xhtml r=tschuster

Differential Revision: https://phabricator.services.mozilla.com/D242286
2025-03-21 07:35:19 +00:00
parent d7008a7ddb
commit 800cf9b049
4 changed files with 14 additions and 9 deletions
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@@ -1293,6 +1293,7 @@ static nsLiteralCString sStyleSrcUnsafeInlineAllowList[] = {
    "chrome://pippki/content/device_manager.xhtml"_ns,
    "chrome://pippki/content/downloadcert.xhtml"_ns,
    "chrome://pippki/content/editcacert.xhtml"_ns,
+    "chrome://pippki/content/load_device.xhtml"_ns,
 };
 // img-src data: blob:
 static nsLiteralCString sImgSrcDataBlobAllowList[] = {
@@ -1936,7 +1937,6 @@ void nsContentSecurityUtils::AssertChromePageHasCSP(Document* aDocument) {
      "chrome://global/skin/in-content/info-pages.css"_ns,
      "chrome://layoutdebug/content/layoutdebug.xhtml"_ns,
      "chrome://pippki/content/exceptionDialog.xhtml"_ns,
-      "chrome://pippki/content/load_device.xhtml"_ns,
      "chrome://pippki/content/setp12password.xhtml"_ns,
      // Test files
      "chrome://mochikit/"_ns,
--- a/security/manager/pki/resources/content/load_device.js
+++ b/security/manager/pki/resources/content/load_device.js
@@ -81,3 +81,12 @@ function validateModuleName() {
    dialogNode.setAttribute("buttondisabledaccept", true);
  }
 }
+
+window.addEventListener("load", () => {
+  document
+    .getElementById("device_name")
+    .addEventListener("change", () => validateModuleName());
+  document
+    .getElementById("browse")
+    .addEventListener("command", () => onBrowseBtnPress());
+});
--- a/security/manager/pki/resources/content/load_device.xhtml
+++ b/security/manager/pki/resources/content/load_device.xhtml
@@ -3,6 +3,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window
@@ -36,18 +38,12 @@
        id="device_name"
        data-l10n-id="load-device-modname-default"
        data-l10n-attrs="value"
-        onchange="validateModuleName();"
      />
    </hbox>
    <hbox align="center">
      <label data-l10n-id="load-device-filename" control="device_path" />
      <html:input id="device_path" />
-      <button
-        id="browse"
-        flex="1"
-        data-l10n-id="load-device-browse"
-        oncommand="onBrowseBtnPress();"
-      />
+      <button id="browse" flex="1" data-l10n-id="load-device-browse" />
    </hbox>
    <label id="helpText" value="" />
  </dialog>
--- a/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
@@ -285,7 +285,7 @@ async function testModuleNameHelper(moduleName, acceptButtonShouldBeDisabled) {
  let moduleNameBox = win.document.getElementById("device_name");
  moduleNameBox.value = moduleName;
  // this makes this not a great test, but it's the easiest way to simulate this
-  moduleNameBox.onchange();
+  moduleNameBox.dispatchEvent(new Event("change", { bubbles: true }));

  let dialogNode = win.document.querySelector("dialog");
  Assert.equal(