authorMoonchild <moonchild@palemoon.org>2022-02-10 15:31:28 +0000
committerMoonchild <moonchild@palemoon.org>2022-05-30 08:28:01 +0000
commit39fe9559bb8fb5135feb895da3bd91ccc760e399 (patch)
tree1dd2c7b76e08356b5bb3d961eaa43779234efdd9
parentbaa0c0a91e5a78df6bc6ec6d1dc845e0252e03c9 (diff)
downloaduxp-39fe9559bb8fb5135feb895da3bd91ccc760e399.tar.gz
[places] add Content-Security-Policy to bookmarks HTML export
This commit adds a Content-Security-Policy to HTML documents for exported bookmarks. The change will stop active content (like bookmarklets) from being directly runnable in the exported local file, which does *not* break the normal use case in which a bookmarklet is intended to modify an existing page. It *will* affect the use case where you have a full website/application stored in a bookmarklet that was supposed to replace the current web page. In this case, users can right-click, copy the link and drop it in the address bar. Note: the CSP does not mean that this is a severe attack vector. It merely provides a basic protection measure for users who use the exported bookmarks in a non-standard way, as a local file.
-rw-r--r--toolkit/components/places/BookmarkHTMLUtils.jsm5
1 files changed, 3 insertions, 2 deletions
diff --git a/toolkit/components/places/BookmarkHTMLUtils.jsm b/toolkit/components/places/BookmarkHTMLUtils.jsm
index 6b4ea79340..8a54135a7d 100644
--- a/toolkit/components/places/BookmarkHTMLUtils.jsm
+++ b/toolkit/components/places/BookmarkHTMLUtils.jsm
@@ -1052,8 +1052,9 @@ BookmarkExporter.prototype = {
this._writeLine("<!-- This is an automatically generated file.");
this._writeLine(" It will be read and overwritten.");
this._writeLine(" DO NOT EDIT! -->");
- this._writeLine('<META HTTP-EQUIV="Content-Type" CONTENT="text/html; ' +
- 'charset=UTF-8">');
+ this._writeLine('<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">');
+ this._writeLine(`<META HTTP-EQUIV="Content-Security-Policy"
+ CONTENT="default-src 'self'; script-src 'none'; img-src data: *; object-src 'none'"></META>`);
this._writeLine("<TITLE>Bookmarks</TITLE>");
},
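Review bot: The added Content-Security-Policy META is written as a two-line template literal ending in `</META>`, which breaks the one-tag-per-`_writeLine` convention of the surrounding header lines and emits an end tag for a void element (HTML parsers discard it, but it is noise in a file that, per the header comment, is read back by the importer). The policy itself can be stated more tightly: `img-src data: *` lets a locally opened export trigger image fetches from any origin, and `'self'` has implementation-specific meaning for a `file:` document, so an explicit `'none'` expresses the intent better; if the exported ICON values are always data: URIs (not visible in this hunk), the `*` can be dropped. A single-line form would be `this._writeLine('<META HTTP-EQUIV="Content-Security-Policy" CONTENT="default-src \'none\'; script-src \'none\'; img-src data:; object-src \'none\'">');`. The enclosing BookmarkExporter method starts before this hunk.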