Opened 11 months ago

Closed 5 months ago

#31395 closed defect (fixed)

Remove inline <script> in aboutTor.xhtml

Reported by: acat
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff68-esr, BugSmashFund, TorBrowserTeam202001R, 9.5a5
Cc:
Actual Points: 0.25
Parent ID:
Points: 0.25
Reviewer: brade, mcs
Sponsor:

Description

We should move the inline script in aboutTor.xhtml to some .js file so that we can remove the 'unsafe-inline' from about:tor CSP. See #31322.

Change History (18)

comment:1 Changed 11 months ago by acat

Keywords: ff68-esr added

comment:2 Changed 11 months ago by pili

Sponsor: Sponsor44-can

Tagging with Sponsor 44

comment:3 Changed 10 months ago by pili

Points: 0.25

comment:4 Changed 10 months ago by gk

Keywords: TorBrowserTeam201909 added

comment:5 Changed 9 months ago by pili

Keywords: TorBrowserTeam201910 added

comment:6 Changed 9 months ago by pili

Keywords: TorBrowserTeam201909 removed

comment:7 Changed 8 months ago by pili

Keywords: TorBrowserTeam201911 added; TorBrowserTeam201910 removed

Moving tickets to November 2019

comment:8 Changed 7 months ago by pili

Keywords: TorBrowserTeam201912 added; TorBrowserTeam201911 removed

Moving tickets to December

comment:9 Changed 7 months ago by pili

Keywords: BugSmashFund added

BugSmashFund can be used for the ESR work done so far

comment:10 Changed 7 months ago by pili

Sponsor: Sponsor44-can

Sponsor 44 only covered PM and Team Lead work

comment:11 Changed 6 months ago by sysrqb

Keywords: TorBrowserTeam202001 added; TorBrowserTeam201912 removed

comment:12 Changed 6 months ago by acat

Actual Points: 0.25
Keywords: TorBrowserTeam202001R added; TorBrowserTeam202001 removed
Status: new → needs_review

comment:13 Changed 5 months ago by pili

Reviewer: brade, mcs

comment:14 in reply to:  12 Changed 5 months ago by mcs

Replying to acat:

> Patch for review in https://github.com/acatarineu/torbutton/commit/31395.

Overall, the patch looks good. Kathy and I have one question/concern: are we OK with making all of the torbutton code accessible to content via contentaccessible=yes? If not, you could place the new aboutTor.js file in a subdirectory and only apply contentaccessible=yes to that subdirectory.

comment:15 Changed 5 months ago by acat

Thanks for the review, I revised the patch with your suggestion: https://github.com/acatarineu/torbutton/commit/31395+1.

comment:16 Changed 5 months ago by sysrqb

Status: needs_review → needs_revision

Thanks! My only request is adding a license header in chrome/content/aboutTor/resources/aboutTor.js.

comment:17 Changed 5 months ago by acat

Status: needs_revision → needs_review

comment:18 Changed 5 months ago by sysrqb

Keywords: 9.5a5 added
Resolution: fixed
Status: needs_review → closed

Thanks! Let's see how this looks. Merged as f87cd0af7462faab1d349e28e7b17c76274624b0 on master.
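
The goal stated in the description, as an added example that is not part of the ticket or the torbutton patch: a Python check that lists what in a page would still need 'unsafe-inline' in its script-src (inline script bodies, on* handler attributes, javascript: URLs). The sample markup and the relative aboutTor.js path are constructed for illustration and are not the real aboutTor.xhtml.

```python
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}
class InlineScriptAudit(HTMLParser):
    """Record markup that a script-src without 'unsafe-inline' refuses to run."""
    def __init__(self):
        super().__init__()
        self.findings = []      # (line, kind, detail)
        self._inline_at = None  # line of an open <script> that has no src

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script" and not any(k == "src" for k, _ in attrs):
            self._inline_at = line
        for name, value in attrs:
            target = (value or "").strip().lower()
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append((line, "event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and target.startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{tag}@{name}"))

    def handle_startendtag(self, tag, attrs):  # XHTML-style <tag ... />
        self.handle_starttag(tag, attrs)
        self._inline_at = None  # an empty element has no script body

    def handle_data(self, data):
        if self._inline_at is not None and data.strip():
            self.findings.append((self._inline_at, "inline-script", data.strip()[:40]))
            self._inline_at = None  # one finding per <script> element

    def handle_endtag(self, tag):
        self._inline_at = None  # inside <script> only </script> reaches here

def audit(markup):
    parser = InlineScriptAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed samples, not the real aboutTor.xhtml: before and after the move.
BEFORE = """<html xmlns="http://www.w3.org/1999/xhtml"><head>
<script type="text/javascript">window.addEventListener("load", init);</script>
</head><body onload="init()"><a href="javascript:void(0)">x</a></body></html>"""
AFTER = """<html xmlns="http://www.w3.org/1999/xhtml"><head>
<script type="text/javascript" src="aboutTor.js"></script>
</head><body><a href="https://example.org/">x</a></body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit(BEFORE):
        print(f"line {line}: {kind}: {detail}")
```

An empty result from `audit()` means the page itself no longer depends on inline execution; scripts that set handlers through `setAttribute` at run time are outside what this static check sees.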
