Add back security.csp.enable

dom/base/Document.cpp

@@ -3813,6 +3813,11 @@ void Document::ApplySettingsFromCSP(bool aSpeculative) {
 nsresult Document::InitCSP(nsIChannel* aChannel) {
   MOZ_ASSERT(!mScriptGlobalObject,
              "CSP must be initialized before mScriptGlobalObject is set!");
+  if (!StaticPrefs::security_csp_enable()) {
+    MOZ_LOG(gCspPRLog, LogLevel::Debug,
+            ("CSP is disabled, skipping CSP init for document %p", this));
+    return NS_OK;
+  }
 
   // If this is a data document - no need to set CSP.
   if (mLoadedAsData) {

dom/security/nsCSPService.cpp

@@ -130,7 +130,8 @@ bool subjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) {
   // Please note, the correct way to opt-out of CSP using a custom
   // protocolHandler is to set one of the nsIProtocolHandler flags
   // that are allowlistet in subjectToCSP()
-  if (!subjectToCSP(aContentLocation, contentType)) {
+  if (!StaticPrefs::security_csp_enable() ||
+      !subjectToCSP(aContentLocation, contentType)) {
     return NS_OK;
   }
 
@@ -314,7 +315,8 @@ nsresult CSPService::ConsultCSPForRedirect(nsIURI* aOriginalURI,
   // protocolHandler is to set one of the nsIProtocolHandler flags
   // that are allowlistet in subjectToCSP()
   nsContentPolicyType policyType = aLoadInfo->InternalContentPolicyType();
-  if (!subjectToCSP(aNewURI, policyType)) {
+  if (!StaticPrefs::security_csp_enable() ||
+      !subjectToCSP(aNewURI, policyType)) {
     return NS_OK;
   }
 

dom/security/nsCSPUtils.cpp

@@ -130,7 +130,7 @@ bool CSP_ShouldResponseInheritCSP(nsIChannel* aChannel) {
 
 void CSP_ApplyMetaCSPToDoc(mozilla::dom::Document& aDoc,
                            const nsAString& aPolicyStr) {
-  if (aDoc.IsLoadedAsData()) {
+  if (!mozilla::StaticPrefs::security_csp_enable() || aDoc.IsLoadedAsData()) {
     return;
   }
 

dom/workers/loader/NetworkLoadHandler.cpp

@@ -16,6 +16,7 @@
 #include "nsNetUtil.h"
 
 #include "mozilla/Encoding.h"
+#include "mozilla/StaticPrefs_security.h"
 #include "mozilla/dom/BlobURLProtocolHandler.h"
 #include "mozilla/dom/InternalResponse.h"
 #include "mozilla/dom/ServiceWorkerBinding.h"
@@ -238,12 +239,14 @@ nsresult NetworkLoadHandler::DataReceivedFromNetwork(nsIStreamLoader* aLoader,
     nsCOMPtr<nsIContentSecurityPolicy> csp = mWorkerRef->Private()->GetCsp();
     // We did inherit CSP in bug 1223647. If we do not already have a CSP, we
     // should get it from the HTTP headers on the worker script.
-    if (!csp) {
-      rv = mWorkerRef->Private()->SetCSPFromHeaderValues(tCspHeaderValue,
-                                                         tCspROHeaderValue);
-      NS_ENSURE_SUCCESS(rv, rv);
-    } else {
-      csp->EnsureEventTarget(mWorkerRef->Private()->MainThreadEventTarget());
+      if (StaticPrefs::security_csp_enable()) {
+        if (!csp) {
+            rv = mWorkerRef->Private()->SetCSPFromHeaderValues(tCspHeaderValue,
+                                                               tCspROHeaderValue);
+            NS_ENSURE_SUCCESS(rv, rv);
+          } else {
+            csp->EnsureEventTarget(mWorkerRef->Private()->MainThreadEventTarget());
+        }
     }
 
     mWorkerRef->Private()->UpdateReferrerInfoFromHeader(tRPHeaderCValue);

modules/libpref/init/StaticPrefList.yaml

@@ -15281,6 +15281,11 @@
   value: 100
   mirror: always
 
+- name: security.csp.enable
+  type: bool
+  value: true
+  mirror: always
+
 # Time span in seconds for reporting limit.
 - name: security.csp.reporting.limit.timespan
   type: uint32_t

parser/html/nsHtml5TreeOpExecutor.cpp

@@ -1332,6 +1332,10 @@ void nsHtml5TreeOpExecutor::UpdateReferrerInfoFromMeta(
 }
 
 void nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP) {
+  if (!StaticPrefs::security_csp_enable()) {
+    return;
+  }
+
   NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
 
   nsresult rv = NS_OK;