File gecko-lockdown.patch of Package MozillaFirefox

File gecko-lockdown.patch of Package MozillaFirefox (Revision 7c458b0c944a0d81b4eb8bad6bbf0c7d)

Currently displaying revision 7c458b0c944a0d81b4eb8bad6bbf0c7d, show latest

Index: extensions/cookie/nsCookiePermission.cpp
================================================================================
--- extensions/cookie/nsCookiePermission.cpp
+++ extensions/cookie/nsCookiePermission.cpp
@@ -83,6 +83,7 @@
 // obsolete pref names for migration
 static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled";
 static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior";
+static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions";
 static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies";
 
 static const char kPermissionType[] = "cookie";
@@ -126,6 +127,7 @@
     prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE);
     prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE);
     prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE);
+    prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE);
 #ifdef MOZ_MAIL_NEWS
     prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE);
 #endif
@@ -182,6 +184,10 @@
   if (PREF_CHANGED(kCookiesAlwaysAcceptSession) &&
       NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val)))
     mCookiesAlwaysAcceptSession = val;
+    
+  if (PREF_CHANGED(kCookiesHonorExceptions) &&
+      NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val)))
+    mCookiesHonorExceptions = val;
 
 #ifdef MOZ_MAIL_NEWS
   if (PREF_CHANGED(kCookiesDisabledForMailNews) &&
@@ -249,6 +255,11 @@
 #endif // MOZ_MAIL_NEWS
   
   // finally, check with permission manager...
+  if (!mCookiesHonorExceptions) {
+    *aResult = ACCESS_DEFAULT;
+    return NS_OK;
+  }
+  
   nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult);
   if (NS_SUCCEEDED(rv)) {
     switch (*aResult) {
--- extensions/cookie/nsCookiePermission.h
+++ extensions/cookie/nsCookiePermission.h
@@ -58,10 +58,11 @@
   nsCookiePermission() 
     : mCookiesLifetimeSec(LL_MAXINT)
     , mCookiesLifetimePolicy(0) // ACCEPT_NORMALLY
-    , mCookiesAlwaysAcceptSession(PR_FALSE)
+    , mCookiesAlwaysAcceptSession(PR_FALSE),
 #ifdef MOZ_MAIL_NEWS
-    , mCookiesDisabledForMailNews(PR_TRUE)
+    , mCookiesDisabledForMailNews(PR_TRUE),
 #endif
+      mCookiesHonorExceptions(PR_TRUE)
     {}
   virtual ~nsCookiePermission() {}
 
@@ -77,7 +78,7 @@
 #ifdef MOZ_MAIL_NEWS
   PRPackedBool mCookiesDisabledForMailNews;
 #endif
-
+  PRPackedBool mCookiesHonorExceptions;
 };
 
 // {CE002B28-92B7-4701-8621-CC925866FB87}
--- extensions/permissions/nsContentBlocker.cpp
+++ extensions/permissions/nsContentBlocker.cpp
@@ -74,6 +74,7 @@
 nsContentBlocker::nsContentBlocker()
 {
   memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES);
+  memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES);
 }
 
 nsresult
@@ -90,6 +91,11 @@
   rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch));
   NS_ENSURE_SUCCESS(rv, rv);
 
+  nsCOMPtr<nsIPrefBranch> honorExceptionsPrefBranch;
+  rv = prefService->GetBranch("permissions.honorExceptions.",
+                              getter_AddRefs(honorExceptionsPrefBranch));
+  NS_ENSURE_SUCCESS(rv, rv);
+
   // Migrate old image blocker pref
   nsCOMPtr<nsIPrefBranch> oldPrefBranch;
   oldPrefBranch = do_QueryInterface(prefService);
@@ -119,8 +125,15 @@
   mPrefBranchInternal = do_QueryInterface(prefBranch, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  mHonorExceptionsPrefBranchInternal =
+    do_QueryInterface(honorExceptionsPrefBranch, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
   rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE);
-  PrefChanged(prefBranch, nsnull);
+  NS_ENSURE_SUCCESS(rv, rv);
+  
+  rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE);
+  PrefChanged(nsnull);
 
   return rv;
 }
@@ -129,19 +142,22 @@
 #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default))
 
 void
-nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch,
-                              const char    *aPref)
+nsContentBlocker::PrefChanged(const char *aPref)
 {
-  PRInt32 val;
-
-#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P))
-
-  for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
-    if (PREF_CHANGED(kTypeString[i]) &&
-        NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val)))
-      mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+  for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
+    if (!aPref || !strcmp(kTypeString[i], aPref)) {
+      PRInt32 val;
+      PRBool b;
+      if (mPrefBranchInternal &&
+          NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) {
+        mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+      }
+      if (mHonorExceptionsPrefBranchInternal &&
+          NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) {
+        mHonorExceptions[i] = b;
+      }
+    }
   }
-
 }
 
 // nsIContentPolicy Implementation
@@ -234,11 +250,13 @@
   // default prefs.
   // Don't forget the aContentType ranges from 1..8, while the
   // array is indexed 0..7
-  PRUint32 permission;
-  nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
-                                                   kTypeString[aContentType - 1],
-                                                   &permission);
-  NS_ENSURE_SUCCESS(rv, rv);
+  PRUint32 permission = 0;
+  if (mHonorExceptions[aContentType - 1]) {
+    nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
+                                                     kTypeString[aContentType - 1],
+                                                     &permission);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
 
   // If there is nothing on the list, use the default.
   if (!permission) {
@@ -264,7 +282,7 @@
       return NS_OK;
 
     PRBool trustedSource = PR_FALSE;
-    rv = aFirstURI->SchemeIs("chrome", &trustedSource);
+    nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource);
     NS_ENSURE_SUCCESS(rv,rv);
     if (!trustedSource) {
       rv = aFirstURI->SchemeIs("resource", &trustedSource);
@@ -329,8 +347,6 @@
 {
   NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic),
                "unexpected topic - we only deal with pref changes!");
-
-  if (mPrefBranchInternal)
-    PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get());
+  PrefChanged(NS_LossyConvertUTF16toASCII(aData).get());
   return NS_OK;
 }
--- extensions/permissions/nsContentBlocker.h
+++ extensions/permissions/nsContentBlocker.h
@@ -66,7 +66,7 @@
 private:
   ~nsContentBlocker() {}
 
-  void PrefChanged(nsIPrefBranch *, const char *);
+  void PrefChanged(const char *);
   nsresult TestPermission(nsIURI *aCurrentURI,
                           nsIURI *aFirstURI,
                           PRInt32 aContentType,
@@ -75,7 +75,9 @@
 
   nsCOMPtr<nsIPermissionManager> mPermissionManager;
   nsCOMPtr<nsIPrefBranch2> mPrefBranchInternal;
+  nsCOMPtr<nsIPrefBranch2> mHonorExceptionsPrefBranchInternal;
   PRUint8 mBehaviorPref[NUMBER_OF_TYPES];
+  PRPackedBool mHonorExceptions[NUMBER_OF_TYPES];
 };
 
 #define NS_CONTENTBLOCKER_CID \
--- modules/libpref/src/init/all.js
+++ modules/libpref/src/init/all.js
@@ -716,6 +716,7 @@
 pref("network.hosts.nntp_server",           "news.mozilla.org");
 
 pref("permissions.default.image",           1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
+pref("permissions.honorExceptions.image",   true);
 pref("network.image.warnAboutImages",       false);
 pref("network.proxy.type",                  0);
 pref("network.proxy.ftp",                   "");
@@ -734,6 +735,7 @@
 pref("network.proxy.failover_timeout",      1800); // 30 minutes
 pref("network.online",                      true); //online/offline
 pref("network.cookie.cookieBehavior",       0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
+pref("network.cookie.honorExceptions",      true);
 pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail
 pref("network.cookie.lifetimePolicy",       0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays
 pref("network.cookie.alwaysAcceptSessionCookies", false);
--- netwerk/base/src/nsIOService.cpp
+++ netwerk/base/src/nsIOService.cpp
@@ -371,6 +371,16 @@
     nsCOMPtr<nsIPrefBranch2> prefBranch;
     GetPrefBranch(getter_AddRefs(prefBranch));
     if (prefBranch) {
+        nsCAutoString protocolBlockedPref("network.protocol-handler.blocked.");
+        protocolBlockedPref += scheme;
+        PRBool blockedProtocol = PR_FALSE;
+        rv = prefBranch->GetBoolPref(protocolBlockedPref.get(), &blockedProtocol);
+        if (NS_FAILED(rv)) {
+            rv = prefBranch->GetBoolPref("network.protocol-handler.blocked-default", &blockedProtocol);
+        }
+        if (NS_SUCCEEDED(rv) && blockedProtocol)
+            return NS_ERROR_UNKNOWN_PROTOCOL;
+        
         nsCAutoString externalProtocolPref("network.protocol-handler.external.");
         externalProtocolPref += scheme;
         rv = prefBranch->GetBoolPref(externalProtocolPref.get(), &externalProtocol);
--- widget/src/gtk2/nsWindow.cpp
+++ widget/src/gtk2/nsWindow.cpp
@@ -64,6 +64,7 @@
 #include "nsIPrefBranch.h"
 #include "nsIServiceManager.h"
 #include "nsGfxCIID.h"
+#include "nsIPrefService.h"
 
 #ifdef ACCESSIBILITY
 #include "nsPIAccessNode.h"
@@ -73,7 +74,6 @@
 #include "stdlib.h"
 static PRBool sAccessibilityChecked = PR_FALSE;
 static PRBool sAccessibilityEnabled = PR_FALSE;
-static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1";
 static const char sAccEnv [] = "GNOME_ACCESSIBILITY";
 static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility";
 #endif
@@ -2644,18 +2644,18 @@
             sAccessibilityEnabled = atoi(envValue);
             LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue));
         }
-        //check gconf-2 setting
+        //check preference setting
         else {
-            nsCOMPtr<nsIPrefBranch> sysPrefService =
-                do_GetService(sSysPrefService, &rv);
-            if (NS_SUCCEEDED(rv) && sysPrefService) {
-
-                // do the work to get gconf setting.
-                // will be done soon later.
-                sysPrefService->GetBoolPref(sAccessibilityKey,
+            nsCOMPtr<nsIPrefService> prefService = 
+               do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+            if (NS_SUCCEEDED(rv) && prefService) {
+                nsCOMPtr<nsIPrefBranch> prefBranch;
+                rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch));
+                if (NS_SUCCEEDED(rv) && prefBranch) {
+                    prefBranch->GetBoolPref(sAccessibilityKey,
                                             &sAccessibilityEnabled);
+                }
             }
-
         }
     }
     if (sAccessibilityEnabled) {
--- xpinstall/src/nsXPInstallManager.cpp
+++ xpinstall/src/nsXPInstallManager.cpp
@@ -285,6 +285,7 @@
         //-----------------------------------------------------
         // Get permission to install
         //-----------------------------------------------------
+        nsCOMPtr<nsIPrefBranch> pref(do_GetService(NS_PREFSERVICE_CONTRACTID));
 
 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
         if ( mChromeType == CHROME_SKIN )
@@ -294,7 +295,11 @@
 
             // skins get a simpler/friendlier dialog
             // XXX currently not embeddable
-            OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList );
+            PRBool themesDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled);
+            OKtoInstall = !themesDisabled &&
+               ConfirmChromeInstall( mParentWindow, packageList );
         }
         else
         {
@@ -304,12 +304,17 @@ nsXPInstallManager::InitManagerInternal(
         else
         {
 #endif
-            rv = dlgSvc->ConfirmInstall( mParentWindow,
-                                         packageList,
-                                         numStrings,
-                                         &OKtoInstall );
-            if (NS_FAILED(rv))
-                OKtoInstall = PR_FALSE;
+            PRBool extensionsDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled);
+            if (!extensionsDisabled) {
+                rv = dlgSvc->ConfirmInstall( mParentWindow,
+                                             packageList,
+                                             numStrings,
+                                             &OKtoInstall );
+                if (NS_FAILED(rv))
+                    OKtoInstall = PR_FALSE;
+            }
 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
         }
 #endif

​x
 
Index: extensions/cookie/nsCookiePermission.cpp
================================================================================
--- extensions/cookie/nsCookiePermission.cpp
+++ extensions/cookie/nsCookiePermission.cpp
@@ -83,6 +83,7 @@
 // obsolete pref names for migration
 static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled";
 static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior";
+static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions";
 static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies";
 
 static const char kPermissionType[] = "cookie";
@@ -126,6 +127,7 @@
     prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE);
     prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE);
     prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE);
+    prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE);
 #ifdef MOZ_MAIL_NEWS
     prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE);
 #endif
@@ -182,6 +184,10 @@
   if (PREF_CHANGED(kCookiesAlwaysAcceptSession) &&
       NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val)))
     mCookiesAlwaysAcceptSession = val;
+    
+  if (PREF_CHANGED(kCookiesHonorExceptions) &&
+      NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val)))
+    mCookiesHonorExceptions = val;
 
 #ifdef MOZ_MAIL_NEWS
   if (PREF_CHANGED(kCookiesDisabledForMailNews) &&
@@ -249,6 +255,11 @@
 #endif // MOZ_MAIL_NEWS
   
   // finally, check with permission manager...
+  if (!mCookiesHonorExceptions) {
+    *aResult = ACCESS_DEFAULT;
+    return NS_OK;
+  }
+  
   nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult);
   if (NS_SUCCEEDED(rv)) {
     switch (*aResult) {
--- extensions/cookie/nsCookiePermission.h
+++ extensions/cookie/nsCookiePermission.h
@@ -58,10 +58,11 @@
   nsCookiePermission() 
     : mCookiesLifetimeSec(LL_MAXINT)
     , mCookiesLifetimePolicy(0) // ACCEPT_NORMALLY
-    , mCookiesAlwaysAcceptSession(PR_FALSE)
+    , mCookiesAlwaysAcceptSession(PR_FALSE),
 #ifdef MOZ_MAIL_NEWS
-    , mCookiesDisabledForMailNews(PR_TRUE)
+    , mCookiesDisabledForMailNews(PR_TRUE),
 #endif
+      mCookiesHonorExceptions(PR_TRUE)
     {}
   virtual ~nsCookiePermission() {}
 
@@ -77,7 +78,7 @@
 #ifdef MOZ_MAIL_NEWS
   PRPackedBool mCookiesDisabledForMailNews;
 #endif
-
+  PRPackedBool mCookiesHonorExceptions;
 };
 
 // {CE002B28-92B7-4701-8621-CC925866FB87}
--- extensions/permissions/nsContentBlocker.cpp
+++ extensions/permissions/nsContentBlocker.cpp
@@ -74,6 +74,7 @@
 nsContentBlocker::nsContentBlocker()
 {
   memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES);
+  memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES);
 }
 
 nsresult
@@ -90,6 +91,11 @@
   rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch));
   NS_ENSURE_SUCCESS(rv, rv);
 
+  nsCOMPtr<nsIPrefBranch> honorExceptionsPrefBranch;
+  rv = prefService->GetBranch("permissions.honorExceptions.",
+                              getter_AddRefs(honorExceptionsPrefBranch));
+  NS_ENSURE_SUCCESS(rv, rv);
+
   // Migrate old image blocker pref
   nsCOMPtr<nsIPrefBranch> oldPrefBranch;
   oldPrefBranch = do_QueryInterface(prefService);
@@ -119,8 +125,15 @@
   mPrefBranchInternal = do_QueryInterface(prefBranch, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  mHonorExceptionsPrefBranchInternal =
+    do_QueryInterface(honorExceptionsPrefBranch, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
   rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE);
-  PrefChanged(prefBranch, nsnull);
+  NS_ENSURE_SUCCESS(rv, rv);
+  
+  rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE);
+  PrefChanged(nsnull);
 
   return rv;
 }
@@ -129,19 +142,22 @@
 #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default))
 
 void
-nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch,
-                              const char    *aPref)
+nsContentBlocker::PrefChanged(const char *aPref)
 {
-  PRInt32 val;
-
-#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P))
-
-  for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
-    if (PREF_CHANGED(kTypeString[i]) &&
-        NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val)))
-      mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+  for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
+    if (!aPref || !strcmp(kTypeString[i], aPref)) {
+      PRInt32 val;
+      PRBool b;
+      if (mPrefBranchInternal &&
+          NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) {
+        mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+      }
+      if (mHonorExceptionsPrefBranchInternal &&
+          NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) {
+        mHonorExceptions[i] = b;
+      }
+    }
   }
-
 }
 
 // nsIContentPolicy Implementation
@@ -234,11 +250,13 @@
   // default prefs.
   // Don't forget the aContentType ranges from 1..8, while the
   // array is indexed 0..7
-  PRUint32 permission;
-  nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
-                                                   kTypeString[aContentType - 1],
-                                                   &permission);
-  NS_ENSURE_SUCCESS(rv, rv);
+  PRUint32 permission = 0;
+  if (mHonorExceptions[aContentType - 1]) {
+    nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
+                                                     kTypeString[aContentType - 1],
+                                                     &permission);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
 
   // If there is nothing on the list, use the default.
   if (!permission) {
@@ -264,7 +282,7 @@
       return NS_OK;
 
     PRBool trustedSource = PR_FALSE;
-    rv = aFirstURI->SchemeIs("chrome", &trustedSource);
+    nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource);
     NS_ENSURE_SUCCESS(rv,rv);
     if (!trustedSource) {
       rv = aFirstURI->SchemeIs("resource", &trustedSource);
@@ -329,8 +347,6 @@
 {
   NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic),
                "unexpected topic - we only deal with pref changes!");
-
-  if (mPrefBranchInternal)
-    PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get());
+  PrefChanged(NS_LossyConvertUTF16toASCII(aData).get());
   return NS_OK;
 }
--- extensions/permissions/nsContentBlocker.h
+++ extensions/permissions/nsContentBlocker.h
@@ -66,7 +66,7 @@
 private:
   ~nsContentBlocker() {}
 
-  void PrefChanged(nsIPrefBranch *, const char *);
+  void PrefChanged(const char *);
   nsresult TestPermission(nsIURI *aCurrentURI,
                           nsIURI *aFirstURI,
                           PRInt32 aContentType,
@@ -75,7 +75,9 @@
 
   nsCOMPtr<nsIPermissionManager> mPermissionManager;
   nsCOMPtr<nsIPrefBranch2> mPrefBranchInternal;
+  nsCOMPtr<nsIPrefBranch2> mHonorExceptionsPrefBranchInternal;
   PRUint8 mBehaviorPref[NUMBER_OF_TYPES];
+  PRPackedBool mHonorExceptions[NUMBER_OF_TYPES];
 };
 
 #define NS_CONTENTBLOCKER_CID \
--- modules/libpref/src/init/all.js
+++ modules/libpref/src/init/all.js
@@ -716,6 +716,7 @@
 pref("network.hosts.nntp_server",           "news.mozilla.org");
 
 pref("permissions.default.image",           1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
+pref("permissions.honorExceptions.image",   true);
 pref("network.image.warnAboutImages",       false);
 pref("network.proxy.type",                  0);
 pref("network.proxy.ftp",                   "");
@@ -734,6 +735,7 @@
 pref("network.proxy.failover_timeout",      1800); // 30 minutes
 pref("network.online",                      true); //online/offline
 pref("network.cookie.cookieBehavior",       0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
+pref("network.cookie.honorExceptions",      true);
 pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail
 pref("network.cookie.lifetimePolicy",       0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays
 pref("network.cookie.alwaysAcceptSessionCookies", false);
--- netwerk/base/src/nsIOService.cpp
+++ netwerk/base/src/nsIOService.cpp
@@ -371,6 +371,16 @@
     nsCOMPtr<nsIPrefBranch2> prefBranch;
     GetPrefBranch(getter_AddRefs(prefBranch));
     if (prefBranch) {
+        nsCAutoString protocolBlockedPref("network.protocol-handler.blocked.");
+        protocolBlockedPref += scheme;
+        PRBool blockedProtocol = PR_FALSE;
+        rv = prefBranch->GetBoolPref(protocolBlockedPref.get(), &blockedProtocol);
+        if (NS_FAILED(rv)) {
+            rv = prefBranch->GetBoolPref("network.protocol-handler.blocked-default", &blockedProtocol);
+        }
+        if (NS_SUCCEEDED(rv) && blockedProtocol)
+            return NS_ERROR_UNKNOWN_PROTOCOL;
+        
         nsCAutoString externalProtocolPref("network.protocol-handler.external.");
         externalProtocolPref += scheme;
         rv = prefBranch->GetBoolPref(externalProtocolPref.get(), &externalProtocol);
--- widget/src/gtk2/nsWindow.cpp
+++ widget/src/gtk2/nsWindow.cpp
@@ -64,6 +64,7 @@
 #include "nsIPrefBranch.h"
 #include "nsIServiceManager.h"
 #include "nsGfxCIID.h"
+#include "nsIPrefService.h"
 
 #ifdef ACCESSIBILITY
 #include "nsPIAccessNode.h"
@@ -73,7 +74,6 @@
 #include "stdlib.h"
 static PRBool sAccessibilityChecked = PR_FALSE;
 static PRBool sAccessibilityEnabled = PR_FALSE;
-static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1";
 static const char sAccEnv [] = "GNOME_ACCESSIBILITY";
 static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility";
 #endif
@@ -2644,18 +2644,18 @@
             sAccessibilityEnabled = atoi(envValue);
             LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue));
         }
-        //check gconf-2 setting
+        //check preference setting
         else {
-            nsCOMPtr<nsIPrefBranch> sysPrefService =
-                do_GetService(sSysPrefService, &rv);
-            if (NS_SUCCEEDED(rv) && sysPrefService) {
-
-                // do the work to get gconf setting.
-                // will be done soon later.
-                sysPrefService->GetBoolPref(sAccessibilityKey,
+            nsCOMPtr<nsIPrefService> prefService = 
+               do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+            if (NS_SUCCEEDED(rv) && prefService) {
+                nsCOMPtr<nsIPrefBranch> prefBranch;
+                rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch));
+                if (NS_SUCCEEDED(rv) && prefBranch) {
+                    prefBranch->GetBoolPref(sAccessibilityKey,
                                             &sAccessibilityEnabled);
+                }
             }
-
         }
     }
     if (sAccessibilityEnabled) {
--- xpinstall/src/nsXPInstallManager.cpp
+++ xpinstall/src/nsXPInstallManager.cpp
@@ -285,6 +285,7 @@
         //-----------------------------------------------------
         // Get permission to install
         //-----------------------------------------------------
+        nsCOMPtr<nsIPrefBranch> pref(do_GetService(NS_PREFSERVICE_CONTRACTID));
 
 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
         if ( mChromeType == CHROME_SKIN )
@@ -294,7 +295,11 @@
 
             // skins get a simpler/friendlier dialog
             // XXX currently not embeddable
-            OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList );
+            PRBool themesDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled);
+            OKtoInstall = !themesDisabled &&
+               ConfirmChromeInstall( mParentWindow, packageList );
         }
         else
         {
@@ -304,12 +304,17 @@ nsXPInstallManager::InitManagerInternal(
         else
         {
 #endif
-            rv = dlgSvc->ConfirmInstall( mParentWindow,
-                                         packageList,
-                                         numStrings,
-                                         &OKtoInstall );
-            if (NS_FAILED(rv))
-                OKtoInstall = PR_FALSE;
+            PRBool extensionsDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled);
+            if (!extensionsDisabled) {
+                rv = dlgSvc->ConfirmInstall( mParentWindow,
+                                             packageList,
+                                             numStrings,
+                                             &OKtoInstall );
+                if (NS_FAILED(rv))
+                    OKtoInstall = PR_FALSE;
+            }
 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
         }
 #endif
​