Add a Content Security Policy and load the chrome:// JS in an alternate way #77
Description
We've worked around this for now in a pretty safe way; so resolving this is not urgent, but I want to have a bug on file to reference.
As described in https://bugzilla.mozilla.org/show_bug.cgi?id=1727803; about:sync triggers a Debug Assertion because it lacks a sufficiently tight CSP.
It also loads Javascript via a data: url; and it would be ideal if it could somehow load it via a chrome:// or resource:// URI.