| Field | Value | Date |
|---|---|---|
| author | Moonchild <moonchild@palemoon.org> | 2022-02-10 15:31:28 +0000 |
| committer | Moonchild <moonchild@palemoon.org> | 2022-02-10 15:31:28 +0000 |
| commit | 3c32487efff48f2bd777bb73fdacca9c05d5b213 (patch) | |
| tree | ffcf9ea991d0022e230fbd4eb624a8e0d3c617f2 /components | |
| parent | 6a57234b7fa8153ff8cf7006a9b33038b0b6933b (diff) | |
| download | aura-central-3c32487efff48f2bd777bb73fdacca9c05d5b213.tar.gz | |
[places] add Content-Security-Policy to bookmarks HTML export
This commit adds a Content-Security-Policy to HTML documents for exported
bookmarks. The change will stop active content (like bookmarklets) from being
directly runnable in the exported local file, which is *not* breaking the
normal use case in which a bookmarklet is intended to modify an existing page.
It *will* affect the use case where you have a full website/application stored
in a bookmarklet that was supposed to replace the current web page. In this
case, users can right-click copy the link and drop it in the address bar.
Note: The CSP does not mean that this is a severe attack vector. It merely
provides a basic protection measure for users who use the exported bookmarks in
a non-standard way as a local file.
Diffstat (limited to 'components')
-rw-r--r-- | components/places/src/BookmarkHTMLUtils.jsm | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/components/places/src/BookmarkHTMLUtils.jsm b/components/places/src/BookmarkHTMLUtils.jsm index 6b4ea7934..8a54135a7 100644 --- a/components/places/src/BookmarkHTMLUtils.jsm +++ b/components/places/src/BookmarkHTMLUtils.jsm @@ -1052,8 +1052,9 @@ BookmarkExporter.prototype = { this._writeLine("<!-- This is an automatically generated file."); this._writeLine(" It will be read and overwritten."); this._writeLine(" DO NOT EDIT! -->"); - this._writeLine('<META HTTP-EQUIV="Content-Type" CONTENT="text/html; ' + - 'charset=UTF-8">'); + this._writeLine('<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">'); + this._writeLine(`<META HTTP-EQUIV="Content-Security-Policy" + CONTENT="default-src 'self'; script-src 'none'; img-src data: *; object-src 'none'"></META>`); this._writeLine("<TITLE>Bookmarks</TITLE>"); }, |
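Review bot: the new META tag in this hunk ends with `</META>`, but META is a void element and takes no closing tag; drop it so the line matches the Content-Type META written just above. The template literal also spans two source lines, so the exported file receives the CSP tag split across a line break plus the source indentation; a single-line string (or `+` concatenation, as the previous line used) would keep the output independent of the source file's formatting. On the policy itself, `script-src 'none'` is the directive that neutralises the bookmarklet `javascript:` links described in the commit message, and `img-src data: *` keeps favicons loading from any origin; `style-src` is not listed and therefore falls back to `default-src 'self'`, which would block any inline style attribute the exporter might emit, so it is worth confirming the generated document contains none.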