Bug 1954940. Add CSP to exceptionDialog.xhtml r=tschuster

Differential Revision: https://phabricator.services.mozilla.com/D242484

dom/security/nsContentSecurityUtils.cpp

@@ -1943,7 +1943,6 @@ void nsContentSecurityUtils::AssertChromePageHasCSP(Document* aDocument) {
       "chrome://global/content/win.xhtml"_ns,
       "chrome://global/skin/in-content/info-pages.css"_ns,
       "chrome://layoutdebug/content/layoutdebug.xhtml"_ns,
-      "chrome://pippki/content/exceptionDialog.xhtml"_ns,
       "chrome://pippki/content/setp12password.xhtml"_ns,
       // Test files
       "chrome://mochikit/"_ns,

security/manager/pki/pippki.sys.mjs

@@ -298,3 +298,13 @@ function getChainForUsage(results, usage) {
   }
   return null;
 }
+
+// Performs an XMLHttpRequest because the script for the dialog is prevented
+// from doing so by CSP.
+export async function checkCertHelper(uri, grabber) {
+  let req = new XMLHttpRequest();
+  req.open("GET", uri.prePath);
+  req.onerror = grabber.bind(null, req);
+  req.onload = grabber.bind(null, req);
+  req.send(null);
+}

security/manager/pki/resources/content/exceptionDialog.js

@@ -4,7 +4,7 @@
 
 "use strict";
 
-const { setText, viewCertHelper } = ChromeUtils.importESModule(
+const { setText, viewCertHelper, checkCertHelper } = ChromeUtils.importESModule(
   "resource://gre/modules/psm/pippki.sys.mjs"
 );
 
@@ -28,6 +28,13 @@ function initExceptionDialog() {
   let l10nUpdatedElements = [confirmButton, warningText];
   confirmButton.disabled = true;
 
+  document
+    .getElementById("locationTextBox")
+    .addEventListener("input", () => handleTextChange());
+  document
+    .getElementById("viewCertButton")
+    .addEventListener("input", () => viewCertButtonClick());
+
   var args = window.arguments;
   if (args && args[0]) {
     if (args[0].location) {
@@ -117,11 +124,7 @@ async function checkCert() {
   let uri = getURI();
 
   if (uri) {
-    let req = new XMLHttpRequest();
+    checkCertHelper(uri, grabCert);
-    req.open("GET", uri.prePath);
-    req.onerror = grabCert.bind(this, req);
-    req.onload = grabCert.bind(this, req);
-    req.send(null);
   } else {
     gChecking = false;
     await document.l10n.translateElements(updateCertStatus());
@@ -324,3 +327,5 @@ function addException() {
 function inPrivateBrowsingMode() {
   return PrivateBrowsingUtils.isWindowPrivate(window);
 }
+
+window.addEventListener("load", () => initExceptionDialog());

security/manager/pki/resources/content/exceptionDialog.xhtml

@@ -3,13 +3,14 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
+<?csp default-src chrome:; image-src chrome: moz-icon; ?>
+
 <!DOCTYPE window>
 
 <window windowtype="mozilla:exceptiondialog"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
         xmlns:html="http://www.w3.org/1999/xhtml"
-        data-l10n-id="exception-mgr"
+        data-l10n-id="exception-mgr">
-        onload="initExceptionDialog();">
 <dialog id="exceptiondialog"
         buttonidextra1="exception-mgr-extra-button"
         buttons="cancel,extra1,extra2"
@@ -54,7 +55,6 @@
            id="certLocationLabel"
            data-l10n-id="exception-mgr-cert-location-url"/>
     <html:input id="locationTextBox"
-                oninput="handleTextChange();"
                 value="https://"
                 class="uri-element"/>
     <button id="checkCertButton"
@@ -68,8 +68,7 @@
                  flex="1"/>
     <button id="viewCertButton"
             data-l10n-id="exception-mgr-cert-status-view-cert"
-            disabled="true"
+            disabled="true"/>
-            oncommand="viewCertButtonClick();"/>
   </hbox>
   <description id="statusDescription"
                class="description"/>