Bug 1941365 - Use a <?csp ?> processing instructions instead of a csp attribute. r=Gijs,settings-reviewers,devtools-reviewers,places-reviewers,ochameau

Differential Revision: https://phabricator.services.mozilla.com/D238474
2025-02-26 16:13:13 +00:00
parent 8edc706ec0
commit f81d16e706
35 changed files with 84 additions and 45 deletions
--- a/browser/base/content/aboutDialog.xhtml
+++ b/browser/base/content/aboutDialog.xhtml
@@ -4,6 +4,8 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

+<?csp default-src chrome: resource:; object-src 'none'; ?>
+
 <window xmlns:html="http://www.w3.org/1999/xhtml"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        id="aboutDialog"
@@ -13,7 +15,6 @@
 #endif
        role="dialog"
        aria-describedby="version distribution distributionId communityDesc contributeDesc trademark"
-        csp="default-src chrome: resource:; object-src 'none';"
        >
 #ifdef XP_MACOSX
 #include macWindow.inc.xhtml
--- a/browser/base/content/hiddenWindowMac.xhtml
+++ b/browser/base/content/hiddenWindowMac.xhtml
@@ -6,10 +6,11 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #define HIDDEN_WINDOW

+<?csp script-src-attr 'none'; ?>
+
 <window id="main-window"
        xmlns:html="http://www.w3.org/1999/xhtml"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-        csp="script-src-attr 'none'"
        data-l10n-sync="true">
  <html:link
    rel="stylesheet"
--- a/browser/base/content/pageinfo/pageInfo.xhtml
+++ b/browser/base/content/pageinfo/pageInfo.xhtml
@@ -2,6 +2,7 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+<?csp default-src chrome:; img-src *; media-src *; style-src chrome: 'unsafe-inline'; ?>

 <window id="main-window"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -16,8 +17,7 @@
 #endif
  align="stretch"
  screenX="10" screenY="10"
-  persist="screenX screenY width height sizemode"
-  csp="default-src chrome:; img-src *; media-src *; style-src chrome: 'unsafe-inline';">
+  persist="screenX screenY width height sizemode">

  <linkset>
    <html:link
--- a/browser/base/content/sanitize.xhtml
+++ b/browser/base/content/sanitize.xhtml
@@ -1,9 +1,10 @@
 <?xml version="1.0"?>
-
 <!-- -*- Mode: Java; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- -->
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<?csp default-src chrome:; img-src chrome: moz-icon:; style-src chrome:
+'unsafe-inline'; ?>

 <!DOCTYPE window>

@@ -15,7 +16,6 @@
  persist="lastSelected screenX screenY"
  data-l10n-id="sanitize-dialog-title"
  data-l10n-attrs="style"
-  csp="default-src chrome:; img-src chrome: moz-icon:; style-src chrome: 'unsafe-inline';"
 >
  <dialog buttons="accept,cancel">
    <hbox>
--- a/browser/base/content/sanitize_v2.xhtml
+++ b/browser/base/content/sanitize_v2.xhtml
@@ -1,9 +1,10 @@
 <?xml version="1.0"?>
-
 <!-- -*- Mode: Java; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- -->
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<?csp default-src chrome:; img-src chrome: moz-icon:; style-src chrome:
+'unsafe-inline'; ?>

 <!DOCTYPE window>

@@ -15,7 +16,6 @@
  persist="lastSelected screenX screenY"
  data-l10n-id="sanitize-dialog-title2"
  data-l10n-attrs="style"
-  csp="default-src chrome:; img-src chrome: moz-icon:; style-src chrome: 'unsafe-inline';"
 >
  <dialog buttons="accept,cancel">
    <hbox>
--- a/browser/components/downloads/content/contentAreaDownloadsView.xhtml
+++ b/browser/components/downloads/content/contentAreaDownloadsView.xhtml
@@ -4,13 +4,14 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

+<?csp default-src chrome:; img-src chrome: moz-icon:; object-src 'none'; ?>
+
 <!DOCTYPE window>

 <window id="contentAreaDownloadsView"
        data-l10n-id="downloads-window"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-        xmlns:html="http://www.w3.org/1999/xhtml"
-        csp="default-src chrome:; img-src chrome: moz-icon:; object-src 'none'">
+        xmlns:html="http://www.w3.org/1999/xhtml">

  <linkset>
    <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
--- a/browser/components/places/content/bookmarkProperties.xhtml
+++ b/browser/components/places/content/bookmarkProperties.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,8 +13,7 @@
        id="bookmarkproperties"
        headerparent="bookmarkpropertiesdialog"
        neediconheader="true"
-        style="min-width: 40em;"
-        csp="default-src chrome:; style-src 'unsafe-inline';">
+        style="min-width: 40em;">
 <dialog id="bookmarkpropertiesdialog"
        buttons="accept, cancel">

--- a/browser/components/places/content/bookmarksSidebar.xhtml
+++ b/browser/components/places/content/bookmarksSidebar.xhtml
@@ -3,14 +3,15 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; img-src chrome: data:; ?>
+
 <!DOCTYPE window>

 <window id="bookmarksPanel"
        class="sidebar-panel"
        xmlns:html="http://www.w3.org/1999/xhtml"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-        data-l10n-id="bookmarks-sidebar-content"
-        csp="default-src chrome:; img-src chrome: data:;">
+        data-l10n-id="bookmarks-sidebar-content">

  <script src="chrome://browser/content/places/bookmarksSidebar.js"/>
  <script src="chrome://global/content/globalOverlay.js"/>
--- a/browser/components/places/content/historySidebar.xhtml
+++ b/browser/components/places/content/historySidebar.xhtml
@@ -3,6 +3,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window id="history-panel"
@@ -10,8 +12,7 @@
        orient="vertical"
        xmlns:html="http://www.w3.org/1999/xhtml"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-        data-l10n-id="places-history"
-        csp="default-src chrome:; style-src chrome: 'unsafe-inline';">
+        data-l10n-id="places-history">

  <script src="chrome://browser/content/places/historySidebar.js"/>
  <script src="chrome://global/content/globalOverlay.js"/>
--- a/browser/components/places/content/places.xhtml
+++ b/browser/components/places/content/places.xhtml
@@ -4,6 +4,8 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

+<?csp default-src chrome:; img-src chrome: moz-icon: data:; style-src chrome: 'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window id="places"
@@ -18,8 +20,7 @@
        customtitlebar="true"
 #endif
        toggletoolbar="true"
-        persist="width height screenX screenY sizemode"
-        csp="default-src chrome:; img-src chrome: moz-icon: data:; style-src 'unsafe-inline';">
+        persist="width height screenX screenY sizemode">

  <linkset>
    <html:link
--- a/browser/components/preferences/dialogs/addEngine.xhtml
+++ b/browser/components/preferences/dialogs/addEngine.xhtml
@@ -3,13 +3,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="add-engine-window2"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    buttons="accept,cancel"
--- a/browser/components/preferences/dialogs/applicationManager.xhtml
+++ b/browser/components/preferences/dialogs/applicationManager.xhtml
@@ -3,12 +3,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; img-src chrome: moz-icon: http: https:; style-src
+chrome: 'unsafe-inline'; ?>
+
 <window
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="app-manager-window2"
  data-l10n-attrs="title, style"
-  csp="default-src chrome:; img-src chrome: moz-icon: http: https:; style-src chrome: 'unsafe-inline';"
 >
  <dialog id="appManager" buttons="accept,cancel">
    <linkset>
--- a/browser/components/preferences/dialogs/browserLanguages.xhtml
+++ b/browser/components/preferences/dialogs/browserLanguages.xhtml
@@ -4,13 +4,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  type="child"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="browser-languages-window2"
  data-l10n-attrs="title, style"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="BrowserLanguagesDialog"
--- a/browser/components/preferences/dialogs/clearSiteData.xhtml
+++ b/browser/components/preferences/dialogs/clearSiteData.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  id="ClearSiteDataDialog"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,7 +13,6 @@
  data-l10n-id="clear-site-data-window2"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    buttons="accept,cancel"
--- a/browser/components/preferences/dialogs/colors.xhtml
+++ b/browser/components/preferences/dialogs/colors.xhtml
@@ -5,6 +5,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  type="child"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -12,7 +14,6 @@
  data-l10n-id="colors-dialog2"
  data-l10n-attrs="title, style"
  persist="lastSelected"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="ColorsDialog"
--- a/browser/components/preferences/dialogs/connection.xhtml
+++ b/browser/components/preferences/dialogs/connection.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  type="child"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,7 +13,6 @@
  data-l10n-id="connection-window2"
  data-l10n-attrs="title, style"
  persist="lastSelected"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="ConnectionsDialog"
--- a/browser/components/preferences/dialogs/containers.xhtml
+++ b/browser/components/preferences/dialogs/containers.xhtml
@@ -4,13 +4,15 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; img-src resource: chrome:; style-src chrome:
+'unsafe-inline'; ?>
+
 <window
  id="ContainersDialog"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome:; img-src resource: chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    buttons="accept"
--- a/browser/components/preferences/dialogs/dohExceptions.xhtml
+++ b/browser/components/preferences/dialogs/dohExceptions.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  id="DoHExceptionsDialog"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,7 +13,6 @@
  data-l10n-id="permissions-exceptions-doh-window"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="exceptionDialog"
--- a/browser/components/preferences/dialogs/fonts.xhtml
+++ b/browser/components/preferences/dialogs/fonts.xhtml
@@ -5,6 +5,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  type="child"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -12,7 +14,6 @@
  data-l10n-id="fonts-window"
  data-l10n-attrs="title"
  persist="lastSelected"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="FontsDialog"
--- a/browser/components/preferences/dialogs/languages.xhtml
+++ b/browser/components/preferences/dialogs/languages.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  type="child"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,7 +13,6 @@
  data-l10n-id="webpage-languages-window2"
  data-l10n-attrs="title, style"
  persist="lastSelected"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="LanguagesDialog"
--- a/browser/components/preferences/dialogs/permissions.xhtml
+++ b/browser/components/preferences/dialogs/permissions.xhtml
@@ -4,6 +4,9 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome: resource:; img-src chrome: resource: data:; object-src
+'none'; script-src-attr 'none'; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  id="PermissionsDialog"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,7 +14,6 @@
  data-l10n-id="permissions-window2"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'; script-src-attr 'none'; style-src 'unsafe-inline';"
 >
  <dialog
    buttons="accept,cancel"
--- a/browser/components/preferences/dialogs/selectBookmark.xhtml
+++ b/browser/components/preferences/dialogs/selectBookmark.xhtml
@@ -3,13 +3,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="select-bookmark-window2"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog id="selectBookmarkDialog">
    <linkset>
--- a/browser/components/preferences/dialogs/siteDataRemoveSelected.xhtml
+++ b/browser/components/preferences/dialogs/siteDataRemoveSelected.xhtml
@@ -4,13 +4,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; img-src moz-icon: chrome:; ?>
+
 <window id="SiteDataRemoveSelectedDialog"
        width="500"
        data-l10n-id="site-data-removing-dialog"
        data-l10n-attrs="title"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-        xmlns:html="http://www.w3.org/1999/xhtml"
-        csp="default-src chrome:; img-src moz-icon: chrome:;">
+        xmlns:html="http://www.w3.org/1999/xhtml">
 <dialog data-l10n-id="site-data-removing-dialog"
        data-l10n-attrs="buttonlabelaccept">

--- a/browser/components/preferences/dialogs/siteDataSettings.xhtml
+++ b/browser/components/preferences/dialogs/siteDataSettings.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  id="SiteDataSettingsDialog"
  data-l10n-id="site-data-settings-window"
@@ -12,7 +14,6 @@
  xmlns:html="http://www.w3.org/1999/xhtml"
  style="min-width: 45em"
  persist="width height"
-  csp="default-src chrome:; style-src 'unsafe-inline';"
 >
  <dialog
    buttons="accept,cancel"
--- a/browser/components/preferences/dialogs/sitePermissions.xhtml
+++ b/browser/components/preferences/dialogs/sitePermissions.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  id="SitePermissionsDialog"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
@@ -11,7 +13,6 @@
  data-l10n-id="permissions-window2"
  data-l10n-attrs="title, style"
  persist="width height"
-  csp="default-src chrome:; style-src 'unsafe-inline';"
 >
  <dialog
    buttons="accept,cancel"
--- a/browser/components/preferences/dialogs/syncChooseWhatToSync.xhtml
+++ b/browser/components/preferences/dialogs/syncChooseWhatToSync.xhtml
@@ -5,13 +5,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  type="child"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="sync-choose-what-to-sync-dialog4"
  data-l10n-attrs="title, style"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    id="syncChooseOptions"
--- a/browser/components/preferences/dialogs/translations.xhtml
+++ b/browser/components/preferences/dialogs/translations.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window
  id="TranslationsDialog"
  data-l10n-id="translations-settings-title"
@@ -11,7 +13,6 @@
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  persist="width height"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog
    buttons="accept"
--- a/browser/components/preferences/fxaPairDevice.xhtml
+++ b/browser/components/preferences/fxaPairDevice.xhtml
@@ -5,6 +5,9 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; img-src chrome: data:; style-src chrome:
+'unsafe-inline'; ?>
+
 <window
  id="fxaPairDeviceDialog"
  type="child"
@@ -12,7 +15,6 @@
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="fxa-pair-device-dialog-sync2"
  data-l10n-attrs="style"
-  csp="default-src chrome:; img-src chrome: data:; style-src chrome: 'unsafe-inline';"
 >
  <dialog id="fxaPairDeviceDialog1" buttons="accept">
    <linkset>
--- a/browser/components/shell/content/setDesktopBackground.xhtml
+++ b/browser/components/shell/content/setDesktopBackground.xhtml
@@ -4,12 +4,13 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        xmlns:html="http://www.w3.org/1999/xhtml"
        windowtype="Shell:SetDesktopBackground"
        data-l10n-id="set-desktop-background-window"
-        style="min-width: 30em;"
-        csp="default-src chrome:; style-src chrome: 'unsafe-inline';">
+        style="min-width: 30em;">

 <linkset>
  <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
--- a/devtools/client/framework/toolbox.xhtml
+++ b/devtools/client/framework/toolbox.xhtml
@@ -3,11 +3,13 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome: resource:; img-src chrome: resource: data:; object-src
+'none'; ?>
+
 <!DOCTYPE window>
 <window
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
-  csp="default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'"
  role="application"
 >
  <linkset>
--- a/devtools/client/storage/index.xhtml
+++ b/devtools/client/storage/index.xhtml
@@ -3,12 +3,13 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome: ?>
+
 <!DOCTYPE window>

 <window
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
-  csp="default-src chrome:"
 >
  <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
  <html:link
--- a/devtools/client/styleeditor/index.xhtml
+++ b/devtools/client/styleeditor/index.xhtml
@@ -2,13 +2,15 @@
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?csp default-src chrome: ?>
+
 <!DOCTYPE window>

 <window
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  id="style-editor-chrome-window"
-  csp="default-src chrome:"
 >
  <linkset>
    <html:link rel="stylesheet" href="chrome://global/skin/global.css" />
--- a/toolkit/components/prompts/content/commonDialog.xhtml
+++ b/toolkit/components/prompts/content/commonDialog.xhtml
@@ -3,6 +3,9 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; img-src moz-icon: chrome:; style-src chrome:
+'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window
@@ -12,7 +15,6 @@
  xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  aria-describedby="infoBody"
  headerparent="dialogGrid"
-  csp="default-src chrome:; img-src moz-icon: chrome:; style-src chrome: 'unsafe-inline';"
 >
  <dialog id="commonDialog" buttonpack="end">
    <linkset>
--- a/toolkit/content/resetProfile.xhtml
+++ b/toolkit/content/resetProfile.xhtml
@@ -4,13 +4,14 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome: ?>
+
 <window
  id="resetProfileDialogWindow"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  xmlns:html="http://www.w3.org/1999/xhtml"
  xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
  aria-describedby="infoBody"
-  csp="default-src chrome:"
 >
  <dialog
    id="resetProfileDialog"
--- a/toolkit/content/resetProfileProgress.xhtml
+++ b/toolkit/content/resetProfileProgress.xhtml
@@ -4,6 +4,8 @@
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

+<?csp default-src chrome:; style-src chrome: 'unsafe-inline'; ?>
+
 <!DOCTYPE window>

 <window
@@ -12,7 +14,6 @@
  xmlns:html="http://www.w3.org/1999/xhtml"
  data-l10n-id="refresh-profile-progress"
  style="min-width: 30em"
-  csp="default-src chrome:; style-src chrome: 'unsafe-inline';"
 >
  <vbox>
    <linkset>