Search
j0ke.net Open Build Service
>
Projects
>
internetx
:
desktop
>
mozilla-xulrunner192
> gecko-lockdown.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File gecko-lockdown.patch of Package mozilla-xulrunner192
From: various contributors Subject: lockdown hooks for Gecko diff --git a/extensions/cookie/nsCookiePermission.cpp b/extensions/cookie/nsCookiePermission.cpp --- a/extensions/cookie/nsCookiePermission.cpp +++ b/extensions/cookie/nsCookiePermission.cpp @@ -1,10 +1,10 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim:ts=2:sw=2:et: */ +/* vim: set ts=2 sw=2 et: */ /* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * * The contents of this file are subject to the Mozilla Public License Version * 1.1 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/ * @@ -81,16 +81,17 @@ static const PRBool kDefaultPolicy = PR_ static const char kCookiesLifetimePolicy[] = "network.cookie.lifetimePolicy"; static const char kCookiesLifetimeDays[] = "network.cookie.lifetime.days"; static const char kCookiesAlwaysAcceptSession[] = "network.cookie.alwaysAcceptSessionCookies"; static const char kCookiesPrefsMigrated[] = "network.cookie.prefsMigrated"; // obsolete pref names for migration static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled"; static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior"; +static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions"; static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies"; static const char kPermissionType[] = "cookie"; #ifdef MOZ_MAIL_NEWS // returns PR_TRUE if URI appears to be the URI of a mailnews protocol // XXXbz this should be a protocol flag, not a scheme list, dammit! static PRBool @@ -120,16 +121,17 @@ nsCookiePermission::Init() // failure to access the pref service is non-fatal... nsCOMPtr<nsIPrefBranch2> prefBranch = do_GetService(NS_PREFSERVICE_CONTRACTID); if (prefBranch) { prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE); prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE); prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE); + prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE); PrefChanged(prefBranch, nsnull); // migration code for original cookie prefs PRBool migrated; rv = prefBranch->GetBoolPref(kCookiesPrefsMigrated, &migrated); if (NS_FAILED(rv) || !migrated) { PRBool warnAboutCookies = PR_FALSE; prefBranch->GetBoolPref(kCookiesAskPermission, &warnAboutCookies); @@ -173,16 +175,20 @@ nsCookiePermission::PrefChanged(nsIPrefB if (PREF_CHANGED(kCookiesLifetimeDays) && NS_SUCCEEDED(aPrefBranch->GetIntPref(kCookiesLifetimeDays, &val))) // save cookie lifetime in seconds instead of days mCookiesLifetimeSec = val * 24 * 60 * 60; if (PREF_CHANGED(kCookiesAlwaysAcceptSession) && NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val))) mCookiesAlwaysAcceptSession = val; + + if (PREF_CHANGED(kCookiesHonorExceptions) && + NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val))) + mCookiesHonorExceptions = val; } NS_IMETHODIMP nsCookiePermission::SetAccess(nsIURI *aURI, nsCookieAccess aAccess) { // // NOTE: nsCookieAccess values conveniently match up with @@ -202,16 +208,21 @@ nsCookiePermission::CanAccess(nsIURI // it. if (IsFromMailNews(aURI)) { *aResult = ACCESS_DENY; return NS_OK; } #endif // MOZ_MAIL_NEWS // finally, check with permission manager... + if (!mCookiesHonorExceptions) { + *aResult = ACCESS_DEFAULT; + return NS_OK; + } + nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult); if (NS_SUCCEEDED(rv)) { switch (*aResult) { // if we have one of the publicly-available values, just return it case nsIPermissionManager::UNKNOWN_ACTION: // ACCESS_DEFAULT case nsIPermissionManager::ALLOW_ACTION: // ACCESS_ALLOW case nsIPermissionManager::DENY_ACTION: // ACCESS_DENY break; diff --git a/extensions/cookie/nsCookiePermission.h b/extensions/cookie/nsCookiePermission.h --- a/extensions/cookie/nsCookiePermission.h +++ b/extensions/cookie/nsCookiePermission.h @@ -54,30 +54,32 @@ public: NS_DECL_ISUPPORTS NS_DECL_NSICOOKIEPERMISSION NS_DECL_NSIOBSERVER nsCookiePermission() : mCookiesLifetimeSec(LL_MAXINT) , mCookiesLifetimePolicy(0) // ACCEPT_NORMALLY , mCookiesAlwaysAcceptSession(PR_FALSE) + , mCookiesHonorExceptions(PR_TRUE) {} virtual ~nsCookiePermission() {} nsresult Init(); void PrefChanged(nsIPrefBranch *, const char *); private: PRBool InPrivateBrowsing(); nsCOMPtr<nsIPermissionManager> mPermMgr; nsCOMPtr<nsIPrivateBrowsingService> mPBService; PRInt64 mCookiesLifetimeSec; // lifetime limit specified in seconds PRUint8 mCookiesLifetimePolicy; // pref for how long cookies are stored PRPackedBool mCookiesAlwaysAcceptSession; // don't prompt for session cookies + PRPackedBool mCookiesHonorExceptions; }; // {EF565D0A-AB9A-4A13-9160-0644CDFD859A} #define NS_COOKIEPERMISSION_CID \ {0xEF565D0A, 0xAB9A, 0x4A13, {0x91, 0x60, 0x06, 0x44, 0xcd, 0xfd, 0x85, 0x9a }} #endif diff --git a/extensions/permissions/nsContentBlocker.cpp b/extensions/permissions/nsContentBlocker.cpp --- a/extensions/permissions/nsContentBlocker.cpp +++ b/extensions/permissions/nsContentBlocker.cpp @@ -71,32 +71,38 @@ static const char *kTypeString[NUMBER_OF NS_IMPL_ISUPPORTS3(nsContentBlocker, nsIContentPolicy, nsIObserver, nsSupportsWeakReference) nsContentBlocker::nsContentBlocker() { memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES); + memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES); } nsresult nsContentBlocker::Init() { nsresult rv; mPermissionManager = do_GetService(NS_PERMISSIONMANAGER_CONTRACTID, &rv); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsIPrefService> prefService = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsIPrefBranch> prefBranch; rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch)); NS_ENSURE_SUCCESS(rv, rv); + nsCOMPtr<nsIPrefBranch> honorExceptionsPrefBranch; + rv = prefService->GetBranch("permissions.honorExceptions.", + getter_AddRefs(honorExceptionsPrefBranch)); + NS_ENSURE_SUCCESS(rv, rv); + // Migrate old image blocker pref nsCOMPtr<nsIPrefBranch> oldPrefBranch; oldPrefBranch = do_QueryInterface(prefService); PRInt32 oldPref; rv = oldPrefBranch->GetIntPref("network.image.imageBehavior", &oldPref); if (NS_SUCCEEDED(rv) && oldPref) { PRInt32 newPref; switch (oldPref) { @@ -116,39 +122,49 @@ nsContentBlocker::Init() // The branch is not a copy of the prefservice, but a new object, because // it is a non-default branch. Adding obeservers to it will only work if // we make sure that the object doesn't die. So, keep a reference to it. mPrefBranchInternal = do_QueryInterface(prefBranch, &rv); NS_ENSURE_SUCCESS(rv, rv); + mHonorExceptionsPrefBranchInternal = + do_QueryInterface(honorExceptionsPrefBranch, &rv); + NS_ENSURE_SUCCESS(rv, rv); + rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE); - PrefChanged(prefBranch, nsnull); + NS_ENSURE_SUCCESS(rv, rv); + + rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE); + PrefChanged(nsnull); return rv; } #undef LIMIT #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default)) void -nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch, - const char *aPref) +nsContentBlocker::PrefChanged(const char *aPref) { - PRInt32 val; - -#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P)) - - for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) { - if (PREF_CHANGED(kTypeString[i]) && - NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val))) - mBehaviorPref[i] = LIMIT(val, 1, 3, 1); + for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) { + if (!aPref || !strcmp(kTypeString[i], aPref)) { + PRInt32 val; + PRBool b; + if (mPrefBranchInternal && + NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) { + mBehaviorPref[i] = LIMIT(val, 1, 3, 1); + } + if (mHonorExceptionsPrefBranchInternal && + NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) { + mHonorExceptions[i] = b; + } + } } - } // nsIContentPolicy Implementation NS_IMETHODIMP nsContentBlocker::ShouldLoad(PRUint32 aContentType, nsIURI *aContentLocation, nsIURI *aRequestingLocation, nsISupports *aRequestingContext, @@ -264,21 +280,23 @@ nsContentBlocker::TestPermission(nsIURI // This default will also get used if there is an unknown value in the // permission list, or if the permission manager returns unknown values. *aPermission = PR_TRUE; // check the permission list first; if we find an entry, it overrides // default prefs. // Don't forget the aContentType ranges from 1..8, while the // array is indexed 0..7 - PRUint32 permission; - nsresult rv = mPermissionManager->TestPermission(aCurrentURI, - kTypeString[aContentType - 1], - &permission); - NS_ENSURE_SUCCESS(rv, rv); + PRUint32 permission = 0; + if (mHonorExceptions[aContentType - 1]) { + nsresult rv = mPermissionManager->TestPermission(aCurrentURI, + kTypeString[aContentType - 1], + &permission); + NS_ENSURE_SUCCESS(rv, rv); + } // If there is nothing on the list, use the default. if (!permission) { permission = mBehaviorPref[aContentType - 1]; *aFromPrefs = PR_TRUE; } // Use the fact that the nsIPermissionManager values map to @@ -294,17 +312,17 @@ nsContentBlocker::TestPermission(nsIURI case BEHAVIOR_NOFOREIGN: // Third party checking // Need a requesting uri for third party checks to work. if (!aFirstURI) return NS_OK; PRBool trustedSource = PR_FALSE; - rv = aFirstURI->SchemeIs("chrome", &trustedSource); + nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource); NS_ENSURE_SUCCESS(rv,rv); if (!trustedSource) { rv = aFirstURI->SchemeIs("resource", &trustedSource); NS_ENSURE_SUCCESS(rv,rv); } if (trustedSource) return NS_OK; @@ -360,12 +378,11 @@ nsContentBlocker::TestPermission(nsIURI NS_IMETHODIMP nsContentBlocker::Observe(nsISupports *aSubject, const char *aTopic, const PRUnichar *aData) { NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic), "unexpected topic - we only deal with pref changes!"); - if (mPrefBranchInternal) - PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get()); + PrefChanged(NS_LossyConvertUTF16toASCII(aData).get()); return NS_OK; } diff --git a/extensions/permissions/nsContentBlocker.h b/extensions/permissions/nsContentBlocker.h --- a/extensions/permissions/nsContentBlocker.h +++ b/extensions/permissions/nsContentBlocker.h @@ -61,26 +61,28 @@ public: NS_DECL_NSIOBSERVER nsContentBlocker(); nsresult Init(); private: ~nsContentBlocker() {} - void PrefChanged(nsIPrefBranch *, const char *); + void PrefChanged(const char *); nsresult TestPermission(nsIURI *aCurrentURI, nsIURI *aFirstURI, PRInt32 aContentType, PRBool *aPermission, PRBool *aFromPrefs); nsCOMPtr<nsIPermissionManager> mPermissionManager; nsCOMPtr<nsIPrefBranch2> mPrefBranchInternal; + nsCOMPtr<nsIPrefBranch2> mHonorExceptionsPrefBranchInternal; PRUint8 mBehaviorPref[NUMBER_OF_TYPES]; + PRPackedBool mHonorExceptions[NUMBER_OF_TYPES]; }; #define NS_CONTENTBLOCKER_CID \ { 0x4ca6b67b, 0x5cc7, 0x4e71, \ { 0xa9, 0x8a, 0x97, 0xaf, 0x1c, 0x13, 0x48, 0x62 } } #define NS_CONTENTBLOCKER_CONTRACTID "@mozilla.org/permissions/contentblocker;1" diff --git a/modules/libpref/src/init/all.js b/modules/libpref/src/init/all.js --- a/modules/libpref/src/init/all.js +++ b/modules/libpref/src/init/all.js @@ -853,16 +853,17 @@ pref("network.automatic-ntlm-auth.truste // response to a NTLM challenge. By default, this is disabled since servers // should almost never need the LM hash, and the LM hash is what makes NTLM // authentication less secure. See bug 250691 for further details. // NOTE: automatic-ntlm-auth which leverages the OS-provided NTLM // implementation will not be affected by this preference. pref("network.ntlm.send-lm-response", false); pref("permissions.default.image", 1); // 1-Accept, 2-Deny, 3-dontAcceptForeign +pref("permissions.honorExceptions.image", true); pref("network.proxy.type", 5); pref("network.proxy.ftp", ""); pref("network.proxy.ftp_port", 0); pref("network.proxy.gopher", ""); pref("network.proxy.gopher_port", 0); pref("network.proxy.http", ""); @@ -872,16 +873,17 @@ pref("network.proxy.ssl_port", pref("network.proxy.socks", ""); pref("network.proxy.socks_port", 0); pref("network.proxy.socks_version", 5); pref("network.proxy.socks_remote_dns", false); pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1"); pref("network.proxy.failover_timeout", 1800); // 30 minutes pref("network.online", true); //online/offline pref("network.cookie.cookieBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse +pref("network.cookie.honorExceptions", true); pref("network.cookie.lifetimePolicy", 0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays pref("network.cookie.alwaysAcceptSessionCookies", false); pref("network.cookie.prefsMigrated", false); pref("network.cookie.lifetime.days", 90); // The PAC file to load. Ignored unless network.proxy.type is 2. pref("network.proxy.autoconfig_url", ""); diff --git a/xpinstall/src/nsXPInstallManager.cpp b/xpinstall/src/nsXPInstallManager.cpp --- a/xpinstall/src/nsXPInstallManager.cpp +++ b/xpinstall/src/nsXPInstallManager.cpp @@ -300,36 +300,46 @@ nsXPInstallManager::InitManagerInternal( packageList[j++] = item->GetSafeURLString(); packageList[j++] = item->mIconURL.get(); packageList[j++] = item->mCertName.get(); } //----------------------------------------------------- // Get permission to install //----------------------------------------------------- + nsCOMPtr<nsIPrefBranch> pref(do_GetService(NS_PREFSERVICE_CONTRACTID)); #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI if ( mChromeType == CHROME_SKIN ) { // We may want to enable the simple installation UI once // bug 343037 is fixed // skins get a simpler/friendlier dialog // XXX currently not embeddable - OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList ); + PRBool themesDisabled = PR_FALSE; + if (pref) + pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled); + OKtoInstall = !themesDisabled && + ConfirmChromeInstall( mParentWindow, packageList ); } else { #endif + PRBool extensionsDisabled = PR_FALSE; + if (pref) + pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled); + if (!extensionsDisabled) { rv = dlgSvc->ConfirmInstall( mParentWindow, packageList, numStrings, &OKtoInstall ); if (NS_FAILED(rv)) OKtoInstall = PR_FALSE; + } #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI } #endif if (OKtoInstall) { //----------------------------------------------------- // Open the progress dialog