[tbb-commits] [torbutton/master] Bug 31395: Remove inline script in aboutTor.xhtml

sysrqb at torproject.org sysrqb at torproject.org
Thu Feb 6 03:53:04 UTC 2020


commit f87cd0af7462faab1d349e28e7b17c76274624b0
Author: Alex Catarineu <acat at torproject.org>
Date:   Tue Jan 14 13:14:06 2020 +0100

    Bug 31395: Remove inline script in aboutTor.xhtml
---
 chrome.manifest                               |  1 +
 chrome/content/aboutTor/aboutTor.xhtml        | 11 ++---------
 chrome/content/aboutTor/resources/aboutTor.js | 11 +++++++++++
 jar.mn                                        |  1 +
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/chrome.manifest b/chrome.manifest
index d1ffe6d6..6d9d12d4 100644
--- a/chrome.manifest
+++ b/chrome.manifest
@@ -1,5 +1,6 @@
 content torbutton chrome/content/
 resource torbutton ./
+resource torbutton-abouttor resource://torbutton/content/aboutTor/resources/ contentaccessible=yes
 resource torbutton-assets resource://torbutton/chrome/skin/ contentaccessible=yes
 
 # browser branding
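Review bot: The new `torbutton-abouttor` mapping points at `resource://torbutton/content/aboutTor/resources/`, which does not follow the path pattern of its neighbours in this manifest. Here `torbutton` is mapped to `./` and `torbutton-assets` reaches its directory through `resource://torbutton/chrome/skin/`, so by that pattern the script directory would be `resource://torbutton/chrome/content/aboutTor/resources/`. The path without `chrome/` matches the jar.mn layout instead. If this chrome.manifest is still used for an unpacked build, aboutTor.js would presumably fail to resolve there and about:tor would never dispatch `AboutTorLoad`. Either correct the path or confirm that only the jar.mn registration is live.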
diff --git a/chrome/content/aboutTor/aboutTor.xhtml b/chrome/content/aboutTor/aboutTor.xhtml
index 56777ba3..db313c3d 100644
--- a/chrome/content/aboutTor/aboutTor.xhtml
+++ b/chrome/content/aboutTor/aboutTor.xhtml
@@ -20,19 +20,12 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:; script-src chrome: resource: 'unsafe-inline';" />
+  <meta http-equiv="Content-Security-Policy" content="default-src resource:;" />
   <meta name="viewport" content="width=device-width, initial-scale=1"/>
   <title>&aboutTor.title;</title>
   <link rel="stylesheet" type="text/css" media="all"
         href="resource://torbutton-assets/aboutTor.css"/>
-<script type="text/javascript">
- <![CDATA[
-window.addEventListener("pageshow", function() {
-  let evt = new CustomEvent("AboutTorLoad", { bubbles: true });
-  document.dispatchEvent(evt);
-});
-]]>
-</script>
+  <script type="text/javascript" src="resource://torbutton-abouttor/aboutTor.js"></script>
 </head>
 <body dir="&locale.dir;">
   <div class="torcontent-container">
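Review bot: The tightened policy on the `Content-Security-Policy` meta line also drops `chrome:` from `default-src`, so any `chrome:` image, stylesheet or script still referenced further down the page would now be blocked at load time. The body continues outside this hunk and should be checked for such references. It would also help to record the intent next to the policy so that `'unsafe-inline'` is not re-added later, e.g. `<!-- CSP: no inline script or style; all subresources come from resource: packages -->`. Note that `default-src resource:` still admits script from any `resource:` package, not only `torbutton-abouttor`.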
diff --git a/chrome/content/aboutTor/resources/aboutTor.js b/chrome/content/aboutTor/resources/aboutTor.js
new file mode 100644
index 00000000..6687390b
--- /dev/null
+++ b/chrome/content/aboutTor/resources/aboutTor.js
@@ -0,0 +1,11 @@
+/*************************************************************************
+ * Copyright (c) 2020, The Tor Project, Inc.
+ * See LICENSE for licensing information.
+ *
+ * vim: set sw=2 sts=2 ts=8 et syntax=javascript:
+ *************************************************************************/
+
+window.addEventListener("pageshow", function() {
+  let evt = new CustomEvent("AboutTorLoad", { bubbles: true });
+  document.dispatchEvent(evt);
+});
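Review bot: aboutTor.js has no comment saying why this small listener lives in its own file or what consumes `AboutTorLoad`, and the consumer is not visible in this commit. A short header would keep a later editor from folding it back into the page, for example `// Kept out of aboutTor.xhtml so the page's CSP can forbid inline script.` followed by `// Dispatches AboutTorLoad on every pageshow; the handler is registered outside this file.` Since `pageshow` also fires when a page is restored from the back/forward cache, the comment should say whether the consumer is expected to tolerate repeated events.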
diff --git a/jar.mn b/jar.mn
index 45c8c9b8..3838bc9b 100644
--- a/jar.mn
+++ b/jar.mn
@@ -10,6 +10,7 @@ torbutton.jar:
  skin/          (chrome/skin/*)
 
 % resource torbutton %
+% resource torbutton-abouttor resource://torbutton/content/aboutTor/resources/ contentaccessible=yes
 % resource torbutton-assets resource://torbutton/skin/ contentaccessible=yes
 
 # browser branding
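Review bot: `contentaccessible=yes` on the new `torbutton-abouttor` line makes every file under `content/aboutTor/resources/` loadable from untrusted web content, not only from about:tor, and nothing here records that constraint. The same flag is added on the matching line in chrome.manifest. Today the directory holds only aboutTor.js, but any file added there later would be reachable by arbitrary pages and could reveal the extension or its version. I would add a comment above the line such as `# contentaccessible: web pages can load anything in aboutTor/resources/ - keep it to what about:tor needs`, and confirm the flag is actually required for about:tor to load the script.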


