Bug 1868677 - Re-enable HTML fragment sanitization on about:newtab and about:home r=Gijs

In bug 1600941, HTML fragment sanitization was enabled in about: pages.
Sadly, it had to be disabled on about:newtab and about:home in bug 1609635
because remote snippets could contain arbitrarily placed anchor tags in
their content. Now that remote snippets are gone (bug 1715158), we can
re-enable HTML fragment sanitization on about:newtab and about:home!

Differential Revision: https://phabricator.services.mozilla.com/D195736

Author: gregorypappas

browser/components/about/AboutRedirector.cpp

@@ -24,8 +24,7 @@ static const uint32_t ACTIVITY_STREAM_FLAGS =
     nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::ENABLE_INDEXED_DB |
     nsIAboutModule::URI_MUST_LOAD_IN_CHILD |
     nsIAboutModule::URI_CAN_LOAD_IN_PRIVILEGEDABOUT_PROCESS |
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::ALLOW_UNSANITIZED_CONTENT;
+    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT;
 
 struct RedirEntry {
   const char* id;

dom/base/nsContentUtils.cpp

@@ -5435,17 +5435,6 @@ uint32_t computeSanitizationFlags(nsIPrincipal* aPrincipal, int32_t aFlags) {
   return sanitizationFlags;
 }
 
-/* static */
-bool AllowsUnsanitizedContentForAboutNewTab(nsIPrincipal* aPrincipal) {
-  if (StaticPrefs::dom_about_newtab_sanitization_enabled() ||
-      !aPrincipal->SchemeIs("about")) {
-    return false;
-  }
-  uint32_t aboutModuleFlags = 0;
-  aPrincipal->GetAboutModuleFlags(&aboutModuleFlags);
-  return aboutModuleFlags & nsIAboutModule::ALLOW_UNSANITIZED_CONTENT;
-}
-
 /* static */
 void nsContentUtils::SetHTMLUnsafe(FragmentOrElement* aTarget,
                                    Element* aContext,
@@ -5514,8 +5503,7 @@ nsresult nsContentUtils::ParseFragmentHTML(
   // an about: scheme principal.
   bool shouldSanitize = nodePrincipal->IsSystemPrincipal() ||
                         nodePrincipal->SchemeIs("about") || aFlags >= 0;
-  if (shouldSanitize &&
-      !AllowsUnsanitizedContentForAboutNewTab(nodePrincipal)) {
+  if (shouldSanitize) {
     if (!doc->IsLoadedAsData()) {
       doc = nsContentUtils::CreateInertHTMLDocument(doc);
       if (!doc) {

modules/libpref/init/StaticPrefList.yaml

@@ -4730,14 +4730,6 @@
   value: true
   mirror: always
 
-# about:home and about:newtab include remote snippets that contain arbitrarily
-# placed anchor tags in their content; we want sanitization to be turned off
-# in order to render them correctly
-- name: dom.about_newtab_sanitization.enabled
-  type: bool
-  value: false
-  mirror: always
-
 # Hide the confirm dialog when a POST request is reloaded.
 - name: dom.confirm_repost.testing.always_accept
   type: bool

netwerk/protocol/about/nsIAboutModule.idl

@@ -86,16 +86,10 @@ interface nsIAboutModule : nsISupports
      */
     const unsigned long URI_MUST_LOAD_IN_EXTENSION_PROCESS = (1 << 9);
 
-    /**
-     * A flag that indicates that this about: URI needs to allow unsanitized content.
-     * Only to be used by about:home and about:newtab.
-     */
-    const unsigned long ALLOW_UNSANITIZED_CONTENT = (1 << 10);
-
     /**
      * A flag that indicates that this about: URI is a secure chrome UI
      */
-    const unsigned long IS_SECURE_CHROME_UI = (1 << 11);
+    const unsigned long IS_SECURE_CHROME_UI = (1 << 10);
 
     /**
      * A method to get the flags that apply to a given about: URI.  The URI