Bug 1954869. Add CSP to downloadcert.xhtml r=tschuster

Differential Revision: https://phabricator.services.mozilla.com/D242069
2025-03-19 16:44:45 +00:00
parent 7093ec86e9
commit dc32a811fb
3 changed files with 9 additions and 13 deletions
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@@ -1291,6 +1291,7 @@ static nsLiteralCString sStyleSrcUnsafeInlineAllowList[] = {
    "chrome://pippki/content/certManager.xhtml"_ns,
    "chrome://pippki/content/deletecert.xhtml"_ns,
    "chrome://pippki/content/device_manager.xhtml"_ns,
+    "chrome://pippki/content/downloadcert.xhtml"_ns,
 };
 // img-src data: blob:
 static nsLiteralCString sImgSrcDataBlobAllowList[] = {
@@ -1933,7 +1934,6 @@ void nsContentSecurityUtils::AssertChromePageHasCSP(Document* aDocument) {
      "chrome://global/content/win.xhtml"_ns,
      "chrome://global/skin/in-content/info-pages.css"_ns,
      "chrome://layoutdebug/content/layoutdebug.xhtml"_ns,
-      "chrome://pippki/content/downloadcert.xhtml"_ns,
      "chrome://pippki/content/editcacert.xhtml"_ns,
      "chrome://pippki/content/exceptionDialog.xhtml"_ns,
      "chrome://pippki/content/load_device.xhtml"_ns,
--- a/security/manager/pki/resources/content/downloadcert.js
+++ b/security/manager/pki/resources/content/downloadcert.js
@@ -60,13 +60,10 @@ function onLoad() {
    "trustHeader",
    bundle.getFormattedString("newCAMessage1", [caName])
  );
-}

-/**
- * Handler for the "View Cert" button.
- */
-function viewCert() {
+  document.getElementById("viewC-button").addEventListener("command", () => {
    viewCertHelper(window, gCert, "window");
+  });
 }

 /**
@@ -89,3 +86,5 @@ function onDialogCancel() {
  let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
  retVals.setPropertyAsBool("importConfirmed", false);
 }
+
+window.addEventListener("load", () => onLoad());
--- a/security/manager/pki/resources/content/downloadcert.xhtml
+++ b/security/manager/pki/resources/content/downloadcert.xhtml
@@ -3,6 +3,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window
@@ -10,7 +12,6 @@
  data-l10n-attrs="title, style"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
-  onload="onLoad();"
 >
  <dialog id="download_cert" buttons="accept,cancel">
    <linkset>
@@ -50,11 +51,7 @@
      <description data-l10n-id="download-cert-message-desc"></description>
      <separator />
      <hbox>
-        <button
-          id="viewC-button"
-          data-l10n-id="download-cert-view-cert"
-          oncommand="viewCert();"
-        />
+        <button id="viewC-button" data-l10n-id="download-cert-view-cert" />
        <description
          style="margin: 4px"
          data-l10n-id="download-cert-view-text"