diff --git a/mozilla/caps/idl/nsIScriptSecurityManager.idl b/mozilla/caps/idl/nsIScriptSecurityManager.idl index 0d6d17efed3..44e9569a34d 100644 --- a/mozilla/caps/idl/nsIScriptSecurityManager.idl +++ b/mozilla/caps/idl/nsIScriptSecurityManager.idl @@ -40,8 +40,7 @@ interface nsIScriptSecurityManager : nsIXPCSecurityManager in nsISupports aObj, in nsIClassInfo aClassInfo, in string aClassName, - in string aProperty, - in boolean skipFrame); + in string aProperty); /** * Check that the script currently running in context "cx" can load "uri". diff --git a/mozilla/caps/include/nsScriptSecurityManager.h b/mozilla/caps/include/nsScriptSecurityManager.h index 9a7194b233e..400d2b03f2b 100644 --- a/mozilla/caps/include/nsScriptSecurityManager.h +++ b/mozilla/caps/include/nsScriptSecurityManager.h @@ -114,11 +114,11 @@ private: JSContext* aJSContext, JSObject* aJSObject, nsISupports* aObj, nsIClassInfo* aClassInfo, jsval aName, const char* aClassName, - const char* aProperty, PRBool skipFrame, void** aPolicy); + const char* aProperty, void** aPolicy); nsresult CheckSameOrigin(JSContext* aCx, nsIPrincipal* aSubject, - nsIPrincipal* aObject, PRUint32 aAction, PRBool aSkipFrame); + nsIPrincipal* aObject, PRUint32 aAction); PRInt32 GetSecurityLevel(JSContext* aCx, nsIPrincipal *principal, 
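Review bot: The interface uuid of nsIScriptSecurityManager appears to be left unchanged, because the `@@ -40,8 +40,7 @@` hunk that drops `in boolean skipFrame` is the only change in the .idl section. Any component or script built against the old five-argument form would then still obtain the interface by the same IID and call a method whose parameter list no longer matches. Please revise the uuid in this commit, or state in the commit message why the interface is considered unfrozen and all callers are rebuilt together.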
@@ -146,28 +146,21 @@ private: nsresult GetScriptPrincipal(JSContext* cx, JSScript* script, nsIPrincipal** result); - nsresult - GetCallingPrincipal(JSContext* cx, nsIPrincipal** result); - nsresult GetFunctionObjectPrincipal(JSContext* cx, JSObject* obj, nsIPrincipal** result); nsresult - GetPrincipalAndFrame(JSContext *cx, PRBool skipInnerFrame, + GetPrincipalAndFrame(JSContext *cx, nsIPrincipal** result, JSStackFrame** frameResult); nsresult SavePrincipal(nsIPrincipal* aToSave); - nsresult IsCapabilityEnabledImpl(const char *capability, - PRBool skipFrame, - PRBool *result); - nsresult CheckXPCPermissions(JSContext* cx, nsISupports* aObj, - const char* aObjectSecurityLevel, PRBool skipFrame, const char* aErrorMsg); + const char* aObjectSecurityLevel, const char* aErrorMsg); nsresult InitPrefs(); diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp index 617806c20b5..ff05d107f72 100644 --- a/mozilla/caps/src/nsScriptSecurityManager.cpp +++ b/mozilla/caps/src/nsScriptSecurityManager.cpp @@ -64,7 +64,7 @@ #include "nsIWindowWatcher.h" #include "nsIConsoleService.h" #include "nsISecurityCheckedComponent.h" -#include "nsIPref.h" +#include "nsIPrefBranchInternal.h" static NS_DEFINE_IID(kIIOServiceIID, NS_IIOSERVICE_IID); static NS_DEFINE_CID(kIOServiceCID, NS_IOSERVICE_CID); @@ -143,12 +143,10 @@ nsScriptSecurityManager::CheckPropertyAccess(PRUint32 aAction, nsISupports* aObj, nsIClassInfo* aClassInfo, const char* aClassName, - const char* aProperty, - PRBool aSkipFrame) + const char* aProperty) { return CheckPropertyAccessImpl(aAction, nsnull, aJSContext, aJSObject, aObj, - aClassInfo, nsnull, aClassName, aProperty, - aSkipFrame, nsnull); + aClassInfo, nsnull, aClassName, aProperty, nsnull); } nsresult 
@@ -157,13 +155,10 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction, JSContext* aJSContext, JSObject* aJSObject, nsISupports* aObj, nsIClassInfo* aClassInfo, jsval aName, const char* aClassName, - const char* aProperty, - PRBool aSkipFrame, void** aPolicy) + const char* aProperty, void** aPolicy) { nsCOMPtr subjectPrincipal; - JSStackFrame *notused; - if (NS_FAILED(GetPrincipalAndFrame(aJSContext, aSkipFrame, - getter_AddRefs(subjectPrincipal), ¬used))) + if (NS_FAILED(GetSubjectPrincipal(aJSContext, getter_AddRefs(subjectPrincipal)))) return NS_ERROR_FAILURE; PRBool equals; @@ -245,8 +240,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction, getter_AddRefs(objectPrincipal)))) return NS_ERROR_FAILURE; rv = CheckSameOrigin(aJSContext, subjectPrincipal, objectPrincipal, - aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY, - aSkipFrame); + aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY); } else rv = NS_ERROR_DOM_SECURITY_ERR; @@ -318,7 +312,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction, } } } - rv = CheckXPCPermissions(aJSContext, aObj, objectSecurityLevel, aSkipFrame, + rv = CheckXPCPermissions(aJSContext, aObj, objectSecurityLevel, "Permission denied to access property"); #ifdef DEBUG_mstoltz if(NS_SUCCEEDED(rv)) @@ -331,8 +325,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction, nsresult nsScriptSecurityManager::CheckSameOrigin(JSContext *aCx, nsIPrincipal* aSubject, - nsIPrincipal* aObject, PRUint32 aAction, - PRBool aSkipFrame) + nsIPrincipal* aObject, PRUint32 aAction) { /* ** Get origin of subject and object and compare. 
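Review bot: In the `@@ -245,8 +240,7 @@` hunk the last argument to CheckSameOrigin is the comparison `aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY`, but the parameter is declared `PRUint32 aAction` and CheckSameOrigin compares it against ACCESS_SET_PROPERTY again when it picks "UniversalBrowserWrite" or "UniversalBrowserRead". Unless ACCESS_SET_PROPERTY happens to equal 1, that inner comparison is never true for a write, so a cross-origin set would be gated on UniversalBrowserRead instead of UniversalBrowserWrite. Since the line is being rewritten anyway, pass the action through unchanged: `rv = CheckSameOrigin(aJSContext, subjectPrincipal, objectPrincipal, aAction);`. CheckPropertyAccessImpl starts and ends outside this hunk.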
@@ -366,7 +359,7 @@ nsScriptSecurityManager::CheckSameOrigin(JSContext *aCx, nsIPrincipal* aSubject, PRBool capabilityEnabled = PR_FALSE; const char* cap = aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY ? "UniversalBrowserWrite" : "UniversalBrowserRead"; - if (NS_FAILED(IsCapabilityEnabledImpl(cap, aSkipFrame, &capabilityEnabled))) + if (NS_FAILED(IsCapabilityEnabled(cap, &capabilityEnabled))) return NS_ERROR_FAILURE; if (capabilityEnabled) return NS_OK; @@ -411,7 +404,7 @@ nsScriptSecurityManager::GetSecurityLevel(JSContext* aJSContext, //-- Look up the security policy for this property nsCAutoString prefName; if (NS_FAILED(GetPrefName(principal, aClassName, aPropertyName, - classPolicy, prefName))) + classPolicy, prefName))) return SCRIPT_SECURITY_NO_ACCESS; char *secLevelString; rv = mSecurityPrefs->SecurityGetCharPref(prefName, &secLevelString); @@ -420,6 +413,18 @@ nsScriptSecurityManager::GetSecurityLevel(JSContext* aJSContext, prefName += (aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY ? ".set" : ".get"); rv = mSecurityPrefs->SecurityGetCharPref(prefName, &secLevelString); } + if (NS_FAILED(rv)) //-- No site policy for this property; look for a default policy + { + if (NS_FAILED(GetPrefName(principal, aClassName, aPropertyName, + nsnull, prefName))) + return SCRIPT_SECURITY_NO_ACCESS; + rv = mSecurityPrefs->SecurityGetCharPref(prefName, &secLevelString); + if (NS_FAILED(rv)) + { + prefName += (aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY ? ".set" : ".get"); + rv = mSecurityPrefs->SecurityGetCharPref(prefName, &secLevelString); + } + } if (NS_SUCCEEDED(rv) && secLevelString) { if (PL_strcmp(secLevelString, "sameOrigin") == 0) 
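Review bot: The default-policy fallback added to GetSecurityLevel in the `@@ -420,6 +413,18 @@` hunk calls GetPrefName a second time with the same `prefName` buffer, which by then may already carry the `.set`/`.get` suffix from the first attempt. That is only correct if GetPrefName overwrites the string rather than appending to it, and the hunk does not show which it does. A comment at the second call would record that assumption, and also what `nsnull` means for the class-policy argument, e.g. `// nsnull class policy: look up the default policy; GetPrefName resets prefName`, once confirmed. The block also repeats the bare-name-then-suffix lookup that sits just above it, so the two copies must be kept in step by hand. What happens when both lookups fail is decided outside the hunk and should remain the most restrictive level.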
@@ -571,7 +576,7 @@ nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI) // Get principal of currently executing script. nsCOMPtr principal; - if (NS_FAILED(GetCallingPrincipal(cx, getter_AddRefs(principal)))) + if (NS_FAILED(GetSubjectPrincipal(cx, getter_AddRefs(principal)))) return NS_ERROR_FAILURE; // Native code can load all URIs. @@ -689,6 +694,7 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aSourceURI, nsIURI *aTargetURI, }; nsXPIDLCString targetSpec; + const char* targetPage; for (unsigned i=0; i < sizeof(protocolList)/sizeof(protocolList[0]); i++) { if (nsCRT::strcasecmp(targetScheme, protocolList[i].name) == 0) { PRBool doCheck = PR_FALSE; @@ -707,9 +713,11 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aSourceURI, nsIURI *aTargetURI, // Allow loading about:blank, otherwise deny if(NS_FAILED(targetUri->GetSpec(getter_Copies(targetSpec)))) return NS_ERROR_FAILURE; - return (PL_strcmp(targetSpec, "about:blank") == 0) || - (PL_strcmp(targetSpec, "about:") == 0) || - (PL_strcmp(targetSpec, "about:mozilla") == 0) ? + targetPage = targetSpec.get() + sizeof("about:") - 1; + return (PL_strcmp(targetPage, "blank") == 0) || + (PL_strcmp(targetPage, "") == 0) || + (PL_strcmp(targetPage, "mozilla") == 0) || + (PL_strcmp(targetPage, "credits") == 0) ? NS_OK : ReportErrorToConsole(aTargetURI); case DenyProtocol: // Deny access 
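Review bot: In the `@@ -707,9 +713,11 @@` hunk, `targetPage = targetSpec.get() + sizeof("about:") - 1;` steps six bytes into the spec without checking that the spec really begins with `about:`. The only guarantee visible here is that `targetScheme` matched the table entry case-insensitively. If GetSpec() can return a shorter string the pointer passes the terminator, and a spec that keeps a differently cased scheme is now accepted, which the old full-string comparison did not allow. A guard before the offset keeps the allowlist fail-closed: `if (PL_strncasecmp(targetSpec.get(), "about:", sizeof("about:") - 1) != 0) return ReportErrorToConsole(aTargetURI);`. The enclosing loop in CheckLoadURI starts and ends outside the hunk.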
@@ -1069,10 +1077,16 @@ nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext *cx, nsIPrincipal **result) { JSFunction *fun = (JSFunction *) JS_GetPrivate(cx, obj); - if (JS_GetFunctionObject(fun) != obj) - // Function has been cloned; get principals from scope - return GetObjectPrincipal(cx, obj, result); + JSScript *script = JS_GetFunctionScript(cx, fun); + if (script && JS_GetFunctionObject(fun) != obj) + { + // Scripted function has been cloned; get principals from obj's + // parent-linked scope chain. We do not get object principals for a + // cloned *native* function, because the subject in that case is a + // script or function further down the stack who is calling us. + return GetObjectPrincipal(cx, obj, result); + } return GetScriptPrincipal(cx, script, result); } @@ -1093,20 +1107,11 @@ nsScriptSecurityManager::GetFramePrincipal(JSContext *cx, nsresult nsScriptSecurityManager::GetPrincipalAndFrame(JSContext *cx, - PRBool skipInnerFrame, nsIPrincipal **result, JSStackFrame **frameResult) { // Get principals from innermost frame of JavaScript or Java. JSStackFrame *fp = nsnull; // tell JS_FrameIterator to start at innermost - if (skipInnerFrame) // Skip the innermost frame - { - fp = JS_FrameIterator(cx, &fp); -#ifdef DEBUG_mstoltz - if(!fp) - printf("####### JS stack weirdness in GetPrincipalAndFrame.\n"); -#endif - } for (fp = JS_FrameIterator(cx, &fp); fp; fp = JS_FrameIterator(cx, &fp)) { if (NS_FAILED(GetFramePrincipal(cx, fp, result))) @@ -1149,15 +1154,7 @@ nsScriptSecurityManager::GetSubjectPrincipal(JSContext *cx, nsIPrincipal **result) { JSStackFrame *fp; - return GetPrincipalAndFrame(cx, PR_FALSE, result, &fp); -} - -nsresult -nsScriptSecurityManager::GetCallingPrincipal(JSContext *cx, - nsIPrincipal **result) -{ - JSStackFrame *fp; - return GetPrincipalAndFrame(cx, PR_TRUE, result, &fp); + return GetPrincipalAndFrame(cx, result, &fp); } nsresult 
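Review bot: For a native function `script` is null, and the rewritten GetFunctionObjectPrincipal now always falls through to `GetScriptPrincipal(cx, script, result)` in that case. The subject lookup therefore depends on GetScriptPrincipal accepting a null script and reporting "no principal" rather than failing, and that function is not in the hunk. The new comment explains the cloned-native case, but the null-script contract deserves its own line once confirmed, e.g. `// script is null for native functions; GetScriptPrincipal then returns no principal and the frame walk continues`. This seems to carry more weight now that GetPrincipalAndFrame, in the next hunk, no longer has an explicit way to step over the innermost frame.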
@@ -1262,14 +1259,6 @@ nsScriptSecurityManager::SavePrincipal(nsIPrincipal* aToSave) NS_IMETHODIMP nsScriptSecurityManager::IsCapabilityEnabled(const char *capability, PRBool *result) -{ - return IsCapabilityEnabledImpl(capability, PR_FALSE, result); -} - -nsresult -nsScriptSecurityManager::IsCapabilityEnabledImpl(const char *capability, - PRBool aSkipFrame, - PRBool *result) { nsresult rv; JSStackFrame *fp = nsnull; @@ -1280,9 +1269,6 @@ nsScriptSecurityManager::IsCapabilityEnabledImpl(const char *capability, *result = PR_TRUE; return NS_OK; } - if (aSkipFrame) - fp = JS_FrameIterator(cx, &fp); - do { nsCOMPtr principal; @@ -1494,8 +1480,7 @@ nsScriptSecurityManager::EnableCapability(const char *capability) } nsCOMPtr principal; - if (NS_FAILED(GetPrincipalAndFrame(cx, PR_FALSE, getter_AddRefs(principal), - &fp))) + if (NS_FAILED(GetPrincipalAndFrame(cx, getter_AddRefs(principal), &fp))) return NS_ERROR_FAILURE; void *annotation = JS_GetFrameAnnotation(cx, fp); PRBool enabled; @@ -1527,8 +1512,7 @@ nsScriptSecurityManager::RevertCapability(const char *capability) JSContext *cx = GetCurrentContextQuick(); JSStackFrame *fp; nsCOMPtr principal; - if (NS_FAILED(GetPrincipalAndFrame(cx, PR_FALSE, getter_AddRefs(principal), - &fp))) + if (NS_FAILED(GetPrincipalAndFrame(cx, getter_AddRefs(principal), &fp))) return NS_ERROR_FAILURE; void *annotation = JS_GetFrameAnnotation(cx, fp); principal->RevertCapability(capability, &annotation); @@ -1542,8 +1526,7 @@ nsScriptSecurityManager::DisableCapability(const char *capability) JSContext *cx = GetCurrentContextQuick(); JSStackFrame *fp; nsCOMPtr principal; - if (NS_FAILED(GetPrincipalAndFrame(cx, PR_FALSE, getter_AddRefs(principal), - &fp))) + if (NS_FAILED(GetPrincipalAndFrame(cx, getter_AddRefs(principal), &fp))) return NS_ERROR_FAILURE; void *annotation = JS_GetFrameAnnotation(cx, fp); principal->DisableCapability(capability, &annotation); 
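Review bot: RevertCapability and DisableCapability (the `@@ -1527,8 +1512,7 @@` and `@@ -1542,8 +1526,7 @@` hunks) dereference `principal` right after GetPrincipalAndFrame succeeds, with no null check. The comment `// Native code can load all URIs.` that follows the same kind of lookup in CheckLoadURIFromScript suggests the call can succeed and still leave `principal` null when no script is on the stack. If that holds, add `if (!principal) return NS_ERROR_NOT_AVAILABLE;` before `JS_GetFrameAnnotation(cx, fp)` in both functions, since `fp` would be equally unusable then. Both function bodies continue outside their hunks.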
@@ -1656,8 +1639,7 @@ nsScriptSecurityManager::CanCreateWrapper(JSContext *aJSContext, if (checkedComponent) checkedComponent->CanCreateWrapper((nsIID *)&aIID, getter_Copies(objectSecurityLevel)); - // XXX Do we skip a frame here or not? Need to find out - return CheckXPCPermissions(aJSContext, aObj, objectSecurityLevel, PR_TRUE, + return CheckXPCPermissions(aJSContext, aObj, objectSecurityLevel, "Permission denied to create wrapper for object"); } @@ -1672,7 +1654,7 @@ nsScriptSecurityManager::CanCreateInstance(JSContext *aJSContext, PR_FREEIF(cidStr); #endif - return CheckXPCPermissions(aJSContext, nsnull, nsnull, PR_FALSE, + return CheckXPCPermissions(aJSContext, nsnull, nsnull, "Permission denied to create instance of class"); } @@ -1686,7 +1668,7 @@ nsScriptSecurityManager::CanGetService(JSContext *aJSContext, PR_FREEIF(cidStr); #endif - return CheckXPCPermissions(aJSContext, nsnull, nsnull, PR_FALSE, + return CheckXPCPermissions(aJSContext, nsnull, nsnull, "Permission denied to get service"); } @@ -1702,19 +1684,18 @@ nsScriptSecurityManager::CanAccess(PRUint32 aAction, void** aPolicy) { return CheckPropertyAccessImpl(aAction, aCallContext, aJSContext, aJSObject, - aObj, aClassInfo, aName, nsnull, nsnull, PR_TRUE, aPolicy); + aObj, aClassInfo, aName, nsnull, nsnull, aPolicy); } nsresult nsScriptSecurityManager::CheckXPCPermissions(JSContext *aJSContext, nsISupports* aObj, const char* aObjectSecurityLevel, - PRBool aSkipFrame, const char* aErrorMsg) { //-- Check for the all-powerful UniversalXPConnect privilege PRBool ok = PR_FALSE; - if (NS_SUCCEEDED(IsCapabilityEnabledImpl("UniversalXPConnect", aSkipFrame, &ok)) && ok) + if (NS_SUCCEEDED(IsCapabilityEnabled("UniversalXPConnect", &ok)) && ok) return NS_OK; //-- If the object implements nsISecurityCheckedComponent, it has a non-default policy. 
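Review bot: CanCreateWrapper and CanAccess used to pass PR_TRUE for the skip-frame argument, and the deleted `// XXX Do we skip a frame here or not?` shows the question was still open. After this change both start the principal and capability walk at the innermost frame, as does NavigatorImpl::Preference in nsGlobalWindow.cpp, which also passed PR_TRUE. Please replace the removed XXX with a comment saying why starting at the innermost frame is now correct for these entry points, for example `// Subject is found from the innermost frame; see GetFunctionObjectPrincipal for how native functions are handled`. Without it nothing in the file records that the subject used for these checks changed.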
@@ -2135,14 +2116,14 @@ nsScriptSecurityManager::InitPrefs() NS_ENSURE_SUCCESS(rv, rv); mSecurityPrefs = do_QueryInterface(mPrefs, &rv); NS_ENSURE_SUCCESS(rv, rv); - nsCOMPtr oldPrefService = do_GetService(NS_PREF_CONTRACTID, &rv); + nsCOMPtr prefBranchInternal = do_QueryInterface(mPrefs, &rv); NS_ENSURE_SUCCESS(rv, rv); // Set the initial value of the "javascript.enabled" prefs JSEnabledPrefChanged(); // set observer callbacks in case the value of the pref changes - oldPrefService->AddObserver(sJSEnabledPrefName, this); - oldPrefService->AddObserver(sJSMailEnabledPrefName, this); + prefBranchInternal->AddObserver(sJSEnabledPrefName, this); + prefBranchInternal->AddObserver(sJSMailEnabledPrefName, this); PRUint32 prefCount; char** prefNames; @@ -2162,7 +2143,7 @@ nsScriptSecurityManager::InitPrefs() NS_FREE_XPCOM_ALLOCATED_POINTER_ARRAY(prefCount, prefNames); //-- Set a callback for principal changes - oldPrefService->AddObserver(sPrincipalPrefix, this); + prefBranchInternal->AddObserver(sPrincipalPrefix, this); return NS_OK; } diff --git a/mozilla/content/events/src/nsEventListenerManager.cpp b/mozilla/content/events/src/nsEventListenerManager.cpp index f3d32ed0d83..16e3246521f 100644 --- a/mozilla/content/events/src/nsEventListenerManager.cpp +++ b/mozilla/content/events/src/nsEventListenerManager.cpp @@ -978,7 +978,7 @@ nsEventListenerManager::RegisterScriptEventListener(nsIScriptContext *aContext, if (NS_FAILED(rv = securityManager->CheckPropertyAccess( nsIXPCSecurityManager::ACCESS_SET_PROPERTY, cx, jsobj, aObject, classInfo, - "EventTarget","addEventListener", PR_FALSE))) { + "EventTarget","addEventListener"))) { // XXX set pending exception on the native call context? return rv; } diff --git a/mozilla/dom/src/base/nsDOMClassInfo.cpp b/mozilla/dom/src/base/nsDOMClassInfo.cpp index 0932588ef94..83215c302c5 100644 --- a/mozilla/dom/src/base/nsDOMClassInfo.cpp +++ b/mozilla/dom/src/base/nsDOMClassInfo.cpp 
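Review bot: The three `prefBranchInternal->AddObserver(...)` calls in InitPrefs discard their results, while the steps around them go through NS_ENSURE_SUCCESS. If a registration fails, the security manager would keep the initial `javascript.enabled` and principal settings and never see later changes to them. Checking each call makes that failure visible at startup, e.g. `rv = prefBranchInternal->AddObserver(sJSEnabledPrefName, this); NS_ENSURE_SUCCESS(rv, rv);`.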
@@ -1081,18 +1081,12 @@ nsWindowSH::doCheckWriteAccess(JSContext *cx, JSObject *obj, jsval id, nsresult rv; -#if 1 PRBool isLocation = JSVAL_IS_STRING(id) && JSVAL_TO_STRING(id) == sLocation_id; rv = sSecMan->CheckPropertyAccess(nsIXPCSecurityManager::ACCESS_SET_PROPERTY, cx, obj, native, this, "Window", - isLocation ? "location" : "scriptglobals", - PR_FALSE); -#else - rv = sSecMan->CanAccess(nsIXPCSecurityManager::ACCESS_SET_PROPERTY, nsnull, - cx, obj, native, this, id, nsnull); -#endif + isLocation ? "location" : "scriptglobals"); if (NS_SUCCEEDED(rv)) { return rv; @@ -1102,15 +1096,13 @@ nsWindowSH::doCheckWriteAccess(JSContext *cx, JSObject *obj, jsval id, // following lines ensure that the exception is propagated. nsCOMPtr cnccx; - sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx)); - NS_ENSURE_SUCCESS(rv, rv); - - cnccx->SetExceptionWasThrown(PR_TRUE); + rv = sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx)); + if (cnccx) + cnccx->SetExceptionWasThrown(PR_TRUE); return rv; // rv is from CheckPropertyAccess() } - nsresult nsWindowSH::doCheckReadAccess(JSContext *cx, JSObject *obj, jsval id, nsISupports *native) @@ -1127,18 +1119,12 @@ nsWindowSH::doCheckReadAccess(JSContext *cx, JSObject *obj, jsval id, return NS_OK; } -#if 1 PRBool isLocation = JSVAL_IS_STRING(id) && JSVAL_TO_STRING(id) == sLocation_id; rv = sSecMan->CheckPropertyAccess(nsIXPCSecurityManager::ACCESS_GET_PROPERTY, cx, obj, native, this, "Window", - isLocation ? "location" : "scriptglobals", - PR_FALSE); -#else - rv = sSecMan->CanAccess(nsIXPCSecurityManager::ACCESS_GET_PROPERTY, - nsnull, cx, obj, native, this, id, nsnull); -#endif + isLocation ? "location" : "scriptglobals"); if (NS_SUCCEEDED(rv)) { return rv; 
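Review bot: In doCheckWriteAccess (the `@@ -1102,15 +1096,13 @@` hunk) the new line `rv = sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx));` overwrites the failure code from CheckPropertyAccess, yet the function still ends with `return rv; // rv is from CheckPropertyAccess()`. When the call-context lookup succeeds, the denial is lost and the function returns a success code for a write that was refused. doCheckReadAccess, changed in the following hunk, calls GetCurrentNativeCallContext without assigning to `rv`. The write path should do the same: `sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx));`.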
@@ -1149,9 +1135,8 @@ nsWindowSH::doCheckReadAccess(JSContext *cx, JSObject *obj, jsval id, nsCOMPtr cnccx; sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx)); - NS_ENSURE_SUCCESS(rv, rv); - - cnccx->SetExceptionWasThrown(PR_TRUE); + if (cnccx) + cnccx->SetExceptionWasThrown(PR_TRUE); return rv; // rv is from CheckPropertyAccess() } diff --git a/mozilla/dom/src/base/nsGlobalWindow.cpp b/mozilla/dom/src/base/nsGlobalWindow.cpp index b9c2bda515c..cddfd8df2bc 100644 --- a/mozilla/dom/src/base/nsGlobalWindow.cpp +++ b/mozilla/dom/src/base/nsGlobalWindow.cpp @@ -4096,9 +4096,8 @@ NavigatorImpl::Preference() action = nsIXPCSecurityManager::ACCESS_GET_PROPERTY; else action = nsIXPCSecurityManager::ACCESS_SET_PROPERTY; - rv = secMan->CheckPropertyAccess(action, - cx, nsnull, nsnull, nsnull, "Navigator", "preferenceinternal", - PR_TRUE); + rv = secMan->CheckPropertyAccess(action, cx, nsnull, nsnull, nsnull, + "Navigator", "preferenceinternal"); if (NS_FAILED(rv)) { //-- XXX doing the right thing here? Does the exception propagate? diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js index dde11f81bed..db50dcedc59 100644 --- a/mozilla/modules/libpref/src/init/all.js +++ b/mozilla/modules/libpref/src/init/all.js @@ -144,10 +144,6 @@ pref("browser.search.defaultenginename", "chrome://navigator/locale/navigator.pr // Default Capability Preferences: Security-Critical! // Editing these may create a security risk - be sure you know what you're doing //pref("capability.policy.default.barprop.visible.set", "UniversalBrowserWrite"); -pref("capability.policy.default.Document.close", "allAccess"); -pref("capability.policy.default.Document.open", "allAccess"); -pref("capability.policy.default.Document.write", "allAccess"); -pref("capability.policy.default.Document.writeln", "allAccess"); pref("capability.policy.default.Domexception.code", "allAccess"); pref("capability.policy.default.Domexception.message", "allAccess"); 
@@ -159,12 +155,17 @@ pref("capability.policy.default.History.back", "allAccess"); pref("capability.policy.default.History.current", "UniversalBrowserRead"); pref("capability.policy.default.History.forward", "allAccess"); pref("capability.policy.default.History.go", "allAccess"); -pref("capability.policy.default.History.item", "UniversalBrowserRead"); +//pref("capability.policy.default.History.item", "UniversalBrowserRead"); pref("capability.policy.default.History.length", "UniversalBrowserRead"); pref("capability.policy.default.History.next", "UniversalBrowserRead"); pref("capability.policy.default.History.previous", "UniversalBrowserRead"); pref("capability.policy.default.History.toString", "UniversalBrowserRead"); +pref("capability.policy.default.HTMLDocument.close", "allAccess"); +pref("capability.policy.default.HTMLDocument.open", "allAccess"); +pref("capability.policy.default.HTMLDocument.write", "allAccess"); +pref("capability.policy.default.HTMLDocument.writeln", "allAccess"); + pref("capability.policy.default.Location.hash.set", "allAccess"); pref("capability.policy.default.Location.host.set", "allAccess"); pref("capability.policy.default.Location.hostname.set", "allAccess"); @@ -172,6 +173,8 @@ pref("capability.policy.default.Location.href.set", "allAccess"); pref("capability.policy.default.Location.pathname.set", "allAccess"); pref("capability.policy.default.Location.port.set", "allAccess"); pref("capability.policy.default.Location.protocol.set", "allAccess"); +pref("capability.policy.default.Location.reload", "allAccess"); +pref("capability.policy.default.Location.replace", "allAccess"); pref("capability.policy.default.Location.search.set", "allAccess"); pref("capability.policy.default.Navigator.preference", "allAccess"); 
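Review bot: `capability.policy.default.History.item` is commented out rather than kept or deleted, and nothing says why, in a block this file heads "Security-Critical". With the pref gone, access to History.item is no longer tied to UniversalBrowserRead and falls to whatever level the security manager applies when no policy is found, which this file does not show. Its siblings `History.current`, `History.next` and `History.previous` keep the capability requirement. Either restore the line or leave a comment naming the reason and the level now in effect, e.g. `// History.item: left to the built-in default (<LEVEL>), see bug <BUG-ID>`. The new `Location.reload` and `Location.replace` allAccess entries in the next hunk would benefit from the same one-line rationale.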
@@ -188,6 +191,8 @@ pref("capability.policy.default.Window.history", "allAccess"); pref("capability.policy.default.Window.location", "allAccess"); // window.openDialog is insecure and must be made inaccessible from web scripts - see bug 56009 pref("capability.policy.default.Window.opendialog", "noAccess"); +pref("capability.policy.default.Window.self", "allAccess"); +pref("capability.policy.default.Window.window", "allAccess"); pref("capability.policy.mailnews.Domexception.tostring", "noAccess"); pref("capability.policy.mailnews.HTMLDocument.domain", "noAccess");