Bug 1942618 - Remove inline event handler and use restrictive CSP for selectBookmarkDialog. r=settings-reviewers,mossop

Differential Revision: https://phabricator.services.mozilla.com/D235456

browser/components/preferences/dialogs/selectBookmark.js

@@ -40,8 +40,11 @@ XPCOMUtils.defineLazyScriptGetter(
  */
 var SelectBookmarkDialog = {
   init: function SBD_init() {
-    document.getElementById("bookmarks").place =
+    let bookmarks = document.getElementById("bookmarks");
+    bookmarks.place =
       "place:type=" + Ci.nsINavHistoryQueryOptions.RESULTS_AS_ROOTS_QUERY;
+    bookmarks.addEventListener("dblclick", () => this.onItemDblClick());
+    bookmarks.addEventListener("select", () => this.selectionChanged());
 
     // Initial update of the OK button.
     this.selectionChanged();
@@ -117,3 +120,5 @@ var SelectBookmarkDialog = {
     window.arguments[0].names = names;
   },
 };
+
+window.addEventListener("load", () => SelectBookmarkDialog.init());

browser/components/preferences/dialogs/selectBookmark.xhtml

@@ -9,7 +9,7 @@
   data-l10n-id="select-bookmark-window2"
   data-l10n-attrs="title, style"
   persist="width height"
-  onload="SelectBookmarkDialog.init();"
+  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
   <dialog id="selectBookmarkDialog">
     <linkset>
@@ -46,8 +46,6 @@
       style="height: 15em"
       hidecolumnpicker="true"
       seltype="single"
-      ondblclick="SelectBookmarkDialog.onItemDblClick();"
-      onselect="SelectBookmarkDialog.selectionChanged();"
       disableUserActions="true"
     >
       <treecols>