diff --git a/mozilla/browser/base/content/browser.js b/mozilla/browser/base/content/browser.js
index c6317125be9..519893674fd 100644
--- a/mozilla/browser/base/content/browser.js
+++ b/mozilla/browser/base/content/browser.js
@@ -2451,7 +2451,7 @@ var urlbarObserver = {
gURLBar.value = url;
const nsIScriptSecMan = Components.interfaces.nsIScriptSecurityManager;
urlSecurityCheck(gURLBar.value, gBrowser.currentURI.spec,
- nsIScriptSecMan.DISALLOW_SCRIPT_OR_DATA);
+ nsIScriptSecMan.DISALLOW_INHERIT_PRINCIPAL);
handleURLBarCommand();
} catch (ex) {}
}
@@ -2869,7 +2869,7 @@ var goButtonObserver = {
const nsIScriptSecMan = Components.interfaces.nsIScriptSecurityManager;
urlSecurityCheck(url, gBrowser.currentURI.spec,
- nsIScriptSecMan.DISALLOW_SCRIPT_OR_DATA);
+ nsIScriptSecMan.DISALLOW_INHERIT_PRINCIPAL);
loadURI(url, null, postData.value, true);
} catch (ex) {}
},
diff --git a/mozilla/browser/components/bookmarks/src/nsBookmarksFeedHandler.cpp b/mozilla/browser/components/bookmarks/src/nsBookmarksFeedHandler.cpp
index 774e94b5d29..2ad5526a376 100644
--- a/mozilla/browser/components/bookmarks/src/nsBookmarksFeedHandler.cpp
+++ b/mozilla/browser/components/bookmarks/src/nsBookmarksFeedHandler.cpp
@@ -911,8 +911,7 @@ nsFeedLoadListener::IsLinkValid(const PRUnichar *aURI)
return PR_FALSE;
rv = mSecMan->CheckLoadURI(mURI, linkuri,
- nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
- nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
+ nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL);
if (NS_FAILED(rv))
return PR_FALSE;
diff --git a/mozilla/browser/components/feeds/src/FeedWriter.js b/mozilla/browser/components/feeds/src/FeedWriter.js
index fae554f654c..c23349950ec 100755
--- a/mozilla/browser/components/feeds/src/FeedWriter.js
+++ b/mozilla/browser/components/feeds/src/FeedWriter.js
@@ -135,7 +135,7 @@ FeedWriter.prototype = {
var secman =
Cc["@mozilla.org/scriptsecuritymanager;1"].
getService(Ci.nsIScriptSecurityManager);
- const flags = Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT_OR_DATA;
+ const flags = Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL;
try {
secman.checkLoadURIStr(this._window.location.href, uri, flags);
// checkLoadURIStr will throw if the link URI should not be loaded per
diff --git a/mozilla/calendar/lightning/components/calItipProtocolHandler.js b/mozilla/calendar/lightning/components/calItipProtocolHandler.js
index 14bd29477c6..eec5e378aa4 100644
--- a/mozilla/calendar/lightning/components/calItipProtocolHandler.js
+++ b/mozilla/calendar/lightning/components/calItipProtocolHandler.js
@@ -127,7 +127,7 @@ ItipProtocolHandler.prototype = {
return this;
},
- protocolFlags: CI.nsIProtocolHandler.URI_NORELATIVE,
+ protocolFlags: CI.nsIProtocolHandler.URI_NORELATIVE | CI.nsIProtocolHandler.URI_DANGEROUS_TO_LOAD,
allowPort: function () { return false; },
isSecure: false,
newURI: function (spec, charSet, baseURI)
diff --git a/mozilla/caps/idl/nsIScriptSecurityManager.idl b/mozilla/caps/idl/nsIScriptSecurityManager.idl
index 4930593fdb3..51126dc7702 100644
--- a/mozilla/caps/idl/nsIScriptSecurityManager.idl
+++ b/mozilla/caps/idl/nsIScriptSecurityManager.idl
@@ -41,7 +41,7 @@
interface nsIURI;
-[scriptable, uuid(5a46e611-cf4a-4407-a5b4-002fcf051120)]
+[scriptable, uuid(5ed0b9b8-e7f4-4b55-9805-7ab857b335a1)]
interface nsIScriptSecurityManager : nsIXPCSecurityManager
{
///////////////// Security Checks //////////////////
@@ -79,18 +79,35 @@ interface nsIScriptSecurityManager : nsIXPCSecurityManager
// Default permissions
const unsigned long STANDARD = 0;
- // If the source is mail, disallow the load
- const unsigned long DISALLOW_FROM_MAIL = 1 << 0;
+ // Indicate that the load is a load of a new document that is not
+ // user-triggered. Here "user-triggered" could be broadly interpreted --
+ // for example, scripted sets of window.location.href might be treated as
+ // "user-triggered" in some circumstances. A typical example of a load
+ // that is not user-triggered is a refresh load. If this flag is
+ // set, the load will be denied if the originating principal's URI has the
+ // nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set.
+ const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0;
- // Allow the loading of chrome URLs by non-chrome URLs
+ // Allow the loading of chrome URLs by non-chrome URLs. Use with great
+ // care! This will actually allow the loading of any URI which has the
+ // nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set. Ths
+ // probably means at least chrome: and resource:.
const unsigned long ALLOW_CHROME = 1 << 1;
- // Don't allow javascript: and data: URLs to load
- const unsigned long DISALLOW_SCRIPT_OR_DATA = 1 << 2;
+ // Don't allow URLs which would inherit the caller's principal (such as
+ // javascript: or data:) to load. See
+ // nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT.
+ const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2;
+
+ // Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with
+ // JS-implemented extensions.
+ const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL;
// Don't allow javascript: URLs to load
// WARNING: Support for this value was added in Mozilla 1.7.8 and
// Firefox 1.0.4. Use in prior versions WILL BE IGNORED.
+ // When using this, make sure that you actually want DISALLOW_SCRIPT, not
+ // DISALLOW_INHERIT_PRINCIPAL
const unsigned long DISALLOW_SCRIPT = 1 << 3;
/**
diff --git a/mozilla/caps/include/nsScriptSecurityManager.h b/mozilla/caps/include/nsScriptSecurityManager.h
index 7f3c7736f58..ea89e196106 100644
--- a/mozilla/caps/include/nsScriptSecurityManager.h
+++ b/mozilla/caps/include/nsScriptSecurityManager.h
@@ -424,9 +424,6 @@ private:
nsIPrincipal*
doGetSubjectPrincipal(nsresult* rv);
- static nsresult
- GetBaseURIScheme(nsIURI* aURI, nsCString& aScheme);
-
static nsresult
ReportError(JSContext* cx, const nsAString& messageTag,
nsIURI* aSource, nsIURI* aTarget);
diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp
index bc2994e0712..e714be1a8a4 100644
--- a/mozilla/caps/src/nsScriptSecurityManager.cpp
+++ b/mozilla/caps/src/nsScriptSecurityManager.cpp
@@ -1164,26 +1164,6 @@ nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI)
return NS_ERROR_DOM_BAD_URI;
}
-// static
-nsresult
-nsScriptSecurityManager::GetBaseURIScheme(nsIURI* aURI,
- nsCString& aScheme)
-{
- if (!aURI)
- return NS_ERROR_FAILURE;
-
- nsresult rv;
-
- // Get the innermost URI
- nsCOMPtr uri = NS_GetInnermostURI(aURI);
-
- //-- get the source scheme
- rv = uri->GetScheme(aScheme);
- if (NS_FAILED(rv)) return rv;
-
- return NS_OK;
-}
-
NS_IMETHODIMP
nsScriptSecurityManager::CheckLoadURI(nsIURI *aSourceURI, nsIURI *aTargetURI,
PRUint32 aFlags)
@@ -1203,6 +1183,29 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aSourceURI, nsIURI *aTargetURI,
return CheckLoadURIWithPrincipal(sourcePrincipal, aTargetURI, aFlags);
}
+/**
+ * Helper method to handle cases where a flag passed to
+ * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
+ * nsIProtocolHandler flags set.
+ * @return if success, access is allowed. Otherwise, deny access
+ */
+static nsresult
+DenyAccessIfURIHasFlags(nsIURI* aURI, PRUint32 aURIFlags)
+{
+ NS_PRECONDITION(aURI, "Must have URI!");
+
+ PRBool uriHasFlags;
+ nsresult rv =
+ NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (uriHasFlags) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
+
+ return NS_OK;
+}
+
NS_IMETHODIMP
nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
nsIURI *aTargetURI,
@@ -1212,10 +1215,10 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
// If someone passes a flag that we don't understand, we should
// fail, because they may need a security check that we don't
// provide.
- NS_ENSURE_FALSE(aFlags & ~(nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
+ NS_ENSURE_FALSE(aFlags & ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
nsIScriptSecurityManager::ALLOW_CHROME |
nsIScriptSecurityManager::DISALLOW_SCRIPT |
- nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA),
+ nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL),
NS_ERROR_UNEXPECTED);
NS_ENSURE_ARG_POINTER(aPrincipal);
@@ -1229,35 +1232,45 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
NS_ASSERTION(sourceURI, "Non-system principals passed to CheckLoadURIWithPrincipal must have a URI!");
- //-- get the source scheme
- nsCAutoString sourceScheme;
- nsresult rv = GetBaseURIScheme(sourceURI, sourceScheme);
- if (NS_FAILED(rv)) return rv;
-
- // Some loads are not allowed from mail/news messages
- if ((aFlags & nsIScriptSecurityManager::DISALLOW_FROM_MAIL) &&
- (sourceScheme.LowerCaseEqualsLiteral("mailbox") ||
- sourceScheme.LowerCaseEqualsLiteral("imap") ||
- sourceScheme.LowerCaseEqualsLiteral("news")))
- {
- return NS_ERROR_DOM_BAD_URI;
+ // Automatic loads are not allowed from certain protocols.
+ if (aFlags & nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
+ nsresult rv =
+ DenyAccessIfURIHasFlags(sourceURI,
+ nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
+ NS_ENSURE_SUCCESS(rv, rv);
}
+ // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
+ // would do such inheriting. That would be URIs that do not have their own
+ // security context.
+ if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
+ nsresult rv =
+ DenyAccessIfURIHasFlags(aTargetURI,
+ nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ // If either URI is a nested URI, get the base URI
+ nsCOMPtr sourceBaseURI = NS_GetInnermostURI(sourceURI);
+ nsCOMPtr targetBaseURI = NS_GetInnermostURI(aTargetURI);
+
//-- get the target scheme
nsCAutoString targetScheme;
- rv = GetBaseURIScheme(aTargetURI, targetScheme);
+ nsresult rv = targetBaseURI->GetScheme(targetScheme);
if (NS_FAILED(rv)) return rv;
- //-- Some callers do not allow loading javascript: or data: URLs
- if (((aFlags & (nsIScriptSecurityManager::DISALLOW_SCRIPT |
- nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA)) &&
- targetScheme.Equals("javascript")) ||
- ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA) &&
- targetScheme.Equals("data")))
+ //-- Some callers do not allow loading javascript:
+ if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
+ targetScheme.EqualsLiteral("javascript"))
{
return NS_ERROR_DOM_BAD_URI;
}
+ //-- get the source scheme
+ nsCAutoString sourceScheme;
+ rv = sourceURI->GetScheme(sourceScheme);
+ if (NS_FAILED(rv)) return rv;
+
if (targetScheme.Equals(sourceScheme,
nsCaseInsensitiveCStringComparator()) &&
!sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME))
@@ -1267,107 +1280,115 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
return NS_OK;
}
- //-- If the schemes don't match, the policy is specified in this table.
- enum Action { AllowProtocol, DenyProtocol, PrefControlled, ChromeProtocol};
- static const struct
- {
- const char *name;
- Action action;
- } protocolList[] =
- {
- //-- Keep the most commonly used protocols at the top of the list
- // to increase performance
- { "http", AllowProtocol },
- { "chrome", ChromeProtocol },
- { "file", PrefControlled },
- { "https", AllowProtocol },
- { "moz-anno", DenyProtocol },
- { "mailbox", DenyProtocol },
- { "pop", AllowProtocol },
- { "imap", DenyProtocol },
- { "pop3", DenyProtocol },
- { "news", AllowProtocol },
- { "javascript", AllowProtocol },
- { "ftp", AllowProtocol },
- { "moz-safe-about", AllowProtocol },
- { "about", DenyProtocol },
- { "mailto", AllowProtocol },
- { "aim", AllowProtocol },
- { "data", AllowProtocol },
- { "keyword", DenyProtocol },
- { "resource", ChromeProtocol },
- { "gopher", AllowProtocol },
- { "datetime", DenyProtocol },
- { "finger", AllowProtocol },
- { "res", DenyProtocol },
- { "x-jsd", ChromeProtocol },
-
- // Don't allow random people to load null-principal URIs. Not like it
- // matters _that_ much, since we won't have a useful handler for them,
- // but...
- { NS_NULLPRINCIPAL_SCHEME, DenyProtocol }
- };
-
NS_NAMED_LITERAL_STRING(errorTag, "CheckLoadURIError");
- for (unsigned i=0; i < sizeof(protocolList)/sizeof(protocolList[0]); i++)
- {
- if (targetScheme.LowerCaseEqualsASCII(protocolList[i].name))
- {
- switch (protocolList[i].action)
- {
- case AllowProtocol:
- // everyone can access these schemes.
- return NS_OK;
- case PrefControlled:
- {
- // resource: and chrome: are equivalent, securitywise
- // That's bogus!! Fix this. But watch out for
- // the view-source stylesheet?
- if (sourceScheme.EqualsLiteral("chrome") ||
- sourceScheme.EqualsLiteral("resource"))
- return NS_OK;
+
+ // If the schemes don't match, the policy is specified by the protocol
+ // flags on the target URI. Note that the order of policy checks here is
+ // very important! We start from most restrictive and work our way down.
+ // Note that since we're working with the innermost URI, we can just use
+ // the methods that work on chains of nested URIs and they will only look
+ // at the flags for our one URI.
- // Now check capability policies
- static const char loadURIPrefGroup[] = "checkloaduri";
- ClassInfoData nameData(nsnull, loadURIPrefGroup);
-
- SecurityLevel secLevel;
- rv = LookupPolicy(aPrincipal, nameData, sEnabledID,
- nsIXPCSecurityManager::ACCESS_GET_PROPERTY,
- nsnull, &secLevel);
- if (NS_SUCCEEDED(rv) && secLevel.level == SCRIPT_SECURITY_ALL_ACCESS)
- {
- // OK for this site!
- return NS_OK;
- }
-
- ReportError(nsnull, errorTag, sourceURI, aTargetURI);
- return NS_ERROR_DOM_BAD_URI;
- }
- case ChromeProtocol:
- if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME)
- return NS_OK;
- // resource: and chrome: are equivalent, securitywise
- // That's bogus!! Fix this. But watch out for
- // the view-source stylesheet?
- if (sourceScheme.EqualsLiteral("chrome") ||
- sourceScheme.EqualsLiteral("resource"))
- return NS_OK;
- ReportError(nsnull, errorTag, sourceURI, aTargetURI);
- return NS_ERROR_DOM_BAD_URI;
- case DenyProtocol:
- // Deny access
- ReportError(nsnull, errorTag, sourceURI, aTargetURI);
- return NS_ERROR_DOM_BAD_URI;
- }
- }
+ // Check for system target URI
+ rv = DenyAccessIfURIHasFlags(targetBaseURI,
+ nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
+ if (NS_FAILED(rv)) {
+ // Deny access, since the origin principal is not system
+ ReportError(nsnull, errorTag, sourceURI, aTargetURI);
+ return rv;
}
- // If we reach here, we have an unknown protocol. Warn, but allow.
- // This is risky from a security standpoint, but allows flexibility
- // in installing new protocol handlers after initial ship.
- NS_WARNING("unknown protocol in nsScriptSecurityManager::CheckLoadURI");
+ // Check for chrome target URI
+ PRBool hasFlags;
+ rv = NS_URIChainHasFlags(targetBaseURI,
+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
+ &hasFlags);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (hasFlags) {
+ if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
+ return NS_OK;
+ }
+ // resource: and chrome: are equivalent, securitywise
+ // That's bogus!! Fix this. But watch out for
+ // the view-source stylesheet?
+ PRBool sourceIsChrome;
+ rv = NS_URIChainHasFlags(sourceBaseURI,
+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
+ &sourceIsChrome);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (sourceIsChrome) {
+ return NS_OK;
+ }
+ ReportError(nsnull, errorTag, sourceURI, aTargetURI);
+ return NS_ERROR_DOM_BAD_URI;
+ }
+
+ // Check for target URI pointing to a file
+ rv = NS_URIChainHasFlags(targetBaseURI,
+ nsIProtocolHandler::URI_IS_LOCAL_FILE,
+ &hasFlags);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (hasFlags) {
+ // resource: and chrome: are equivalent, securitywise
+ // That's bogus!! Fix this. But watch out for
+ // the view-source stylesheet?
+ PRBool sourceIsChrome;
+ rv = NS_URIChainHasFlags(sourceURI,
+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
+ &sourceIsChrome);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (sourceIsChrome) {
+ return NS_OK;
+ }
+
+ // Now check capability policies
+ static const char loadURIPrefGroup[] = "checkloaduri";
+ ClassInfoData nameData(nsnull, loadURIPrefGroup);
+
+ SecurityLevel secLevel;
+ rv = LookupPolicy(aPrincipal, nameData, sEnabledID,
+ nsIXPCSecurityManager::ACCESS_GET_PROPERTY,
+ nsnull, &secLevel);
+ if (NS_SUCCEEDED(rv) && secLevel.level == SCRIPT_SECURITY_ALL_ACCESS)
+ {
+ // OK for this site!
+ return NS_OK;
+ }
+
+ ReportError(nsnull, errorTag, sourceURI, aTargetURI);
+ return NS_ERROR_DOM_BAD_URI;
+ }
+
+ // OK, everyone is allowed to load this, since unflagged handlers are
+ // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
+ // need to warn. At some point we'll want to make this warning into an
+ // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
+ rv = NS_URIChainHasFlags(targetBaseURI,
+ nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
+ &hasFlags);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!hasFlags) {
+ nsXPIDLString message;
+ NS_ConvertASCIItoUTF16 ucsTargetScheme(targetScheme);
+ const PRUnichar* formatStrings[] = { ucsTargetScheme.get() };
+ rv = sStrBundle->
+ FormatStringFromName(NS_LITERAL_STRING("ProtocolFlagError").get(),
+ formatStrings,
+ NS_ARRAY_LENGTH(formatStrings),
+ getter_Copies(message));
+ if (NS_SUCCEEDED(rv)) {
+ nsCOMPtr console(
+ do_GetService("@mozilla.org/consoleservice;1"));
+ NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
+
+ console->LogStringMessage(message.get());
+#ifdef DEBUG
+ fprintf(stderr, "%s\n", NS_ConvertUTF16toUTF8(message).get());
+#endif
+ }
+ }
+
return NS_OK;
}
@@ -1873,12 +1894,12 @@ NS_IMETHODIMP
nsScriptSecurityManager::GetCodebasePrincipal(nsIURI *aURI,
nsIPrincipal **result)
{
- PRBool noContext;
+ PRBool inheritsPrincipal;
nsresult rv =
NS_URIChainHasFlags(aURI,
- nsIProtocolHandler::URI_HAS_NO_SECURITY_CONTEXT,
- &noContext);
- if (NS_FAILED(rv) || noContext) {
+ nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
+ &inheritsPrincipal);
+ if (NS_FAILED(rv) || inheritsPrincipal) {
return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
}
@@ -2951,8 +2972,9 @@ nsScriptSecurityManager::OnChannelRedirect(nsIChannel* oldChannel,
NS_ENSURE_STATE(oldURI && newURI);
- const PRUint32 flags = nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
- nsIScriptSecurityManager::DISALLOW_SCRIPT;
+ const PRUint32 flags =
+ nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
+ nsIScriptSecurityManager::DISALLOW_SCRIPT;
return CheckLoadURI(oldURI, newURI, flags);
}
diff --git a/mozilla/chrome/src/nsChromeProtocolHandler.cpp b/mozilla/chrome/src/nsChromeProtocolHandler.cpp
index 477ff22c7e0..d3691bd5e2b 100644
--- a/mozilla/chrome/src/nsChromeProtocolHandler.cpp
+++ b/mozilla/chrome/src/nsChromeProtocolHandler.cpp
@@ -406,7 +406,7 @@ nsChromeProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_re
NS_IMETHODIMP
nsChromeProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD;
+ *result = URI_STD | URI_IS_UI_RESOURCE;
return NS_OK;
}
diff --git a/mozilla/content/base/src/nsGenericElement.cpp b/mozilla/content/base/src/nsGenericElement.cpp
index a9e2f21b23e..062a9a1eb51 100644
--- a/mozilla/content/base/src/nsGenericElement.cpp
+++ b/mozilla/content/base/src/nsGenericElement.cpp
@@ -3009,9 +3009,10 @@ nsGenericElement::TriggerLink(nsPresContext* aPresContext,
nsCOMPtr securityManager =
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
if (NS_SUCCEEDED(rv)) {
- PRUint32 flag = aIsUserTriggered ?
- (PRUint32) nsIScriptSecurityManager::STANDARD :
- (PRUint32) nsIScriptSecurityManager::DISALLOW_FROM_MAIL;
+ PRUint32 flag =
+ aIsUserTriggered ?
+ (PRUint32) nsIScriptSecurityManager::STANDARD :
+ (PRUint32) nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT;
proceed =
securityManager->CheckLoadURIWithPrincipal(NodePrincipal(), aLinkURI,
flag);
diff --git a/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp b/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
index 7906a287187..0d9e7516292 100644
--- a/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
+++ b/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
@@ -1041,9 +1041,10 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
nsCOMPtr attrURI;
rv = NS_NewURI(getter_AddRefs(attrURI), v, nsnull, baseURI);
if (NS_SUCCEEDED(rv)) {
- rv = secMan->CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
- attrURI,
- nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
+ rv = secMan->
+ CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
+ attrURI,
+ nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL);
}
}
diff --git a/mozilla/content/html/document/src/nsWyciwygProtocolHandler.cpp b/mozilla/content/html/document/src/nsWyciwygProtocolHandler.cpp
index fbfcfa9d958..20c79774045 100644
--- a/mozilla/content/html/document/src/nsWyciwygProtocolHandler.cpp
+++ b/mozilla/content/html/document/src/nsWyciwygProtocolHandler.cpp
@@ -127,6 +127,8 @@ nsWyciwygProtocolHandler::NewChannel(nsIURI* url, nsIChannel* *result)
NS_IMETHODIMP
nsWyciwygProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH;
+ // Should this be an an nsINestedURI? We don't really want random
+ // webpages loading these URIs...
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_DANGEROUS_TO_LOAD;
return NS_OK;
}
diff --git a/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp b/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
index 46d039213bf..20eca606983 100644
--- a/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
+++ b/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
@@ -574,7 +574,7 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
// use this to check for safe URIs in the few attributes that allow them
nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
nsCOMPtr baseURI;
- PRUint32 flags = nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA;
+ PRUint32 flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
// scrub URI attributes that point at dangerous content
// We have to do this here, because this is where we have a base URI,
diff --git a/mozilla/directory/xpcom/base/src/nsLDAPProtocolHandler.cpp b/mozilla/directory/xpcom/base/src/nsLDAPProtocolHandler.cpp
index 7c7981df971..4b7c3e59c37 100644
--- a/mozilla/directory/xpcom/base/src/nsLDAPProtocolHandler.cpp
+++ b/mozilla/directory/xpcom/base/src/nsLDAPProtocolHandler.cpp
@@ -83,7 +83,7 @@ nsLDAPProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsLDAPProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE;
+ *result = URI_NORELATIVE | URI_DANGEROUS_TO_LOAD;
return NS_OK;
}
diff --git a/mozilla/docshell/base/nsDocShell.cpp b/mozilla/docshell/base/nsDocShell.cpp
index 36e99dad741..12fbcb696c1 100644
--- a/mozilla/docshell/base/nsDocShell.cpp
+++ b/mozilla/docshell/base/nsDocShell.cpp
@@ -4359,9 +4359,10 @@ nsDocShell::SetupRefreshURIFromHeader(nsIURI * aBaseURI,
securityManager(do_GetService
(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv));
if (NS_SUCCEEDED(rv)) {
- rv = securityManager->CheckLoadURI(aBaseURI, uri,
- nsIScriptSecurityManager::
- DISALLOW_FROM_MAIL);
+ rv = securityManager->
+ CheckLoadURI(aBaseURI, uri,
+ nsIScriptSecurityManager::
+ LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT);
if (NS_SUCCEEDED(rv)) {
// Since we can't travel back in time yet, just pretend
// negative numbers do nothing at all.
@@ -8824,7 +8825,7 @@ nsDocShell::URIInheritsSecurityContext(nsIURI* aURI, PRBool* aResult)
// Note: about:blank URIs do NOT inherit the security context from the
// current document, which is what this function tests for...
return NS_URIChainHasFlags(aURI,
- nsIProtocolHandler::URI_HAS_NO_SECURITY_CONTEXT,
+ nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
aResult);
}
diff --git a/mozilla/dom/locales/en-US/chrome/security/caps.properties b/mozilla/dom/locales/en-US/chrome/security/caps.properties
index c1f00d90c0e..884bfce5c28 100644
--- a/mozilla/dom/locales/en-US/chrome/security/caps.properties
+++ b/mozilla/dom/locales/en-US/chrome/security/caps.properties
@@ -48,6 +48,7 @@ SetPropertyDenied = Permission denied to set property %S.%S
CallMethodDenied = Permission denied to call method %S.%S
CreateWrapperDenied = Permission denied to create wrapper for object of class %S
ExtensionCapability = Unknown: %S
+ProtocolFlagError = Warning: Protocol handler for '%S' doesn't advertise a security policy. While loads of such protocols are allowed for now, this is deprecated. Please see the documentation in nsIProtocolHandler.idl.
#
# The following descriptions are shown in the EnableCapabilityQuery dialog
#
diff --git a/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp b/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp
index 985cd4342ac..19e5062ff45 100644
--- a/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp
+++ b/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp
@@ -962,7 +962,8 @@ nsJSProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsJSProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH | URI_HAS_NO_SECURITY_CONTEXT;
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_INHERITS_SECURITY_CONTEXT |
+ URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/embedding/minimo/chromelite/nsSimpleChromeHandler.cpp b/mozilla/embedding/minimo/chromelite/nsSimpleChromeHandler.cpp
index 7dc18449963..f5a19471ee8 100644
--- a/mozilla/embedding/minimo/chromelite/nsSimpleChromeHandler.cpp
+++ b/mozilla/embedding/minimo/chromelite/nsSimpleChromeHandler.cpp
@@ -167,7 +167,7 @@ nsSimpleChromeHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsSimpleChromeHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD;
+ *result = URI_STD | URI_IS_UI_RESOURCE;
return NS_OK;
}
diff --git a/mozilla/embedding/tests/wxEmbed/GeckoProtocolHandler.cpp b/mozilla/embedding/tests/wxEmbed/GeckoProtocolHandler.cpp
index b24f76009d3..af4cbe76957 100644
--- a/mozilla/embedding/tests/wxEmbed/GeckoProtocolHandler.cpp
+++ b/mozilla/embedding/tests/wxEmbed/GeckoProtocolHandler.cpp
@@ -218,6 +218,9 @@ NS_IMETHODIMP GeckoProtocolHandlerImpl::GetDefaultPort(PRInt32 *aDefaultPort)
/* readonly attribute unsigned long protocolFlags; */
NS_IMETHODIMP GeckoProtocolHandlerImpl::GetProtocolFlags(PRUint32 *aProtocolFlags)
{
+ // XXXbz Not setting any of the protocol security flags for now, because I
+ // have no idea what this is used for. Whoever uses it should set the
+ // flags.
*aProtocolFlags = URI_NORELATIVE | URI_NOAUTH;
return NS_OK;
}
diff --git a/mozilla/extensions/datetime/nsDateTimeHandler.cpp b/mozilla/extensions/datetime/nsDateTimeHandler.cpp
index 0a527dcd589..45769f8a324 100644
--- a/mozilla/extensions/datetime/nsDateTimeHandler.cpp
+++ b/mozilla/extensions/datetime/nsDateTimeHandler.cpp
@@ -88,7 +88,7 @@ nsDateTimeHandler::GetDefaultPort(PRInt32 *result) {
NS_IMETHODIMP
nsDateTimeHandler::GetProtocolFlags(PRUint32 *result) {
- *result = URI_NORELATIVE | URI_NOAUTH | ALLOWS_PROXY;
+ *result = URI_NORELATIVE | URI_NOAUTH | ALLOWS_PROXY | URI_DANGEROUS_TO_LOAD;
return NS_OK;
}
diff --git a/mozilla/extensions/finger/nsFingerHandler.cpp b/mozilla/extensions/finger/nsFingerHandler.cpp
index 483fd6efb7f..7bb3fe228d3 100644
--- a/mozilla/extensions/finger/nsFingerHandler.cpp
+++ b/mozilla/extensions/finger/nsFingerHandler.cpp
@@ -90,7 +90,8 @@ nsFingerHandler::GetDefaultPort(PRInt32 *result) {
NS_IMETHODIMP
nsFingerHandler::GetProtocolFlags(PRUint32 *result) {
- *result = URI_NORELATIVE | URI_NOAUTH | ALLOWS_PROXY;
+ *result = URI_NORELATIVE | URI_NOAUTH | ALLOWS_PROXY |
+ URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/extensions/gnomevfs/nsGnomeVFSProtocolHandler.cpp b/mozilla/extensions/gnomevfs/nsGnomeVFSProtocolHandler.cpp
index deeaa49f3bb..ac8e103367e 100644
--- a/mozilla/extensions/gnomevfs/nsGnomeVFSProtocolHandler.cpp
+++ b/mozilla/extensions/gnomevfs/nsGnomeVFSProtocolHandler.cpp
@@ -860,8 +860,8 @@ nsGnomeVFSProtocolHandler::GetDefaultPort(PRInt32 *aDefaultPort)
NS_IMETHODIMP
nsGnomeVFSProtocolHandler::GetProtocolFlags(PRUint32 *aProtocolFlags)
{
- // Is this true of all GnomeVFS URI types?
- *aProtocolFlags = URI_STD;
+ // Is URI_STD true of all GnomeVFS URI types?
+ *aProtocolFlags = URI_STD | URI_DANGEROUS_TO_LOAD;
return NS_OK;
}
diff --git a/mozilla/extensions/irc/js/lib/chatzilla-service.js b/mozilla/extensions/irc/js/lib/chatzilla-service.js
index b551008751d..5a800782a6c 100644
--- a/mozilla/extensions/irc/js/lib/chatzilla-service.js
+++ b/mozilla/extensions/irc/js/lib/chatzilla-service.js
@@ -255,6 +255,10 @@ function IRCProtocolHandler(isSecure)
IRCProtocolHandler.prototype.protocolFlags =
nsIProtocolHandler.URI_NORELATIVE |
nsIProtocolHandler.ALLOWS_PROXY;
+if ("URI_DANGEROUS_TO_LOAD" in nsIProtocolHandler) {
+ IRCProtocolHandler.prototype.protocolFlags |=
+ nsIProtocolHandler.URI_LOADABLE_BY_ANYONE;
+}
IRCProtocolHandler.prototype.allowPort =
function ircph_allowPort(port, scheme)
diff --git a/mozilla/extensions/venkman/js/venkman-service.js b/mozilla/extensions/venkman/js/venkman-service.js
index 032817a0176..c633d04148d 100644
--- a/mozilla/extensions/venkman/js/venkman-service.js
+++ b/mozilla/extensions/venkman/js/venkman-service.js
@@ -277,8 +277,12 @@ function JSDProtocolHandler()
JSDProtocolHandler.prototype.scheme = "x-jsd";
JSDProtocolHandler.prototype.defaultPort = JSD_DEFAULT_PORT;
-JSDProtocolHandler.prototype.protocolFlags = nsIProtocolHandler.URI_NORELATIVE ||
+JSDProtocolHandler.prototype.protocolFlags = nsIProtocolHandler.URI_NORELATIVE |
nsIProtocolHandler.URI_NOAUTH;
+if ("URI_DANGEROUS_TO_LOAD" in nsIProtocolHandler) {
+ JSDProtocolHandler.prototype.protocolFlags |=
+ nsIProtocolHandler.URI_DANGEROUS_TO_LOAD;
+}
JSDProtocolHandler.prototype.allowPort =
function jsdph_allowport (aPort, aScheme)
diff --git a/mozilla/mailnews/addrbook/src/nsAddbookProtocolHandler.cpp b/mozilla/mailnews/addrbook/src/nsAddbookProtocolHandler.cpp
index 2a60bfdb12a..db7aab392c5 100644
--- a/mozilla/mailnews/addrbook/src/nsAddbookProtocolHandler.cpp
+++ b/mozilla/mailnews/addrbook/src/nsAddbookProtocolHandler.cpp
@@ -85,7 +85,7 @@ NS_IMETHODIMP nsAddbookProtocolHandler::GetDefaultPort(PRInt32 *aDefaultPort)
NS_IMETHODIMP nsAddbookProtocolHandler::GetProtocolFlags(PRUint32 *aUritype)
{
- *aUritype = URI_STD;
+ *aUritype = URI_STD | URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/mailnews/base/src/nsCidProtocolHandler.cpp b/mozilla/mailnews/base/src/nsCidProtocolHandler.cpp
index 784e1b651a7..0d406b28ca2 100644
--- a/mozilla/mailnews/base/src/nsCidProtocolHandler.cpp
+++ b/mozilla/mailnews/base/src/nsCidProtocolHandler.cpp
@@ -64,6 +64,7 @@ NS_IMETHODIMP nsCidProtocolHandler::GetDefaultPort(PRInt32 *aDefaultPort)
NS_IMETHODIMP nsCidProtocolHandler::GetProtocolFlags(PRUint32 *aProtocolFlags)
{
+ // XXXbz so why does this protocol handler exist, exactly?
return NS_ERROR_NOT_IMPLEMENTED;
}
diff --git a/mozilla/mailnews/compose/src/nsSmtpService.cpp b/mozilla/mailnews/compose/src/nsSmtpService.cpp
index f92ed230264..bf0466ddc60 100644
--- a/mozilla/mailnews/compose/src/nsSmtpService.cpp
+++ b/mozilla/mailnews/compose/src/nsSmtpService.cpp
@@ -306,7 +306,7 @@ nsSmtpService::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
NS_IMETHODIMP nsSmtpService::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | ALLOWS_PROXY;
+ *result = URI_NORELATIVE | ALLOWS_PROXY | URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/mailnews/imap/src/nsImapService.cpp b/mozilla/mailnews/imap/src/nsImapService.cpp
index f4c9c13feeb..ef0277e4048 100644
--- a/mozilla/mailnews/imap/src/nsImapService.cpp
+++ b/mozilla/mailnews/imap/src/nsImapService.cpp
@@ -2386,7 +2386,8 @@ NS_IMETHODIMP nsImapService::GetDefaultPort(PRInt32 *aDefaultPort)
NS_IMETHODIMP nsImapService::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD | ALLOWS_PROXY;
+ *result = URI_STD | URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT |
+ URI_DANGEROUS_TO_LOAD | ALLOWS_PROXY;
return NS_OK;
}
diff --git a/mozilla/mailnews/local/src/nsMailboxService.cpp b/mozilla/mailnews/local/src/nsMailboxService.cpp
index 406f6e4906b..cc88051761d 100644
--- a/mozilla/mailnews/local/src/nsMailboxService.cpp
+++ b/mozilla/mailnews/local/src/nsMailboxService.cpp
@@ -516,7 +516,8 @@ NS_IMETHODIMP nsMailboxService::AllowPort(PRInt32 port, const char *scheme, PRBo
NS_IMETHODIMP nsMailboxService::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD;
+ *result = URI_STD | URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT |
+ URI_DANGEROUS_TO_LOAD;
return NS_OK;
}
diff --git a/mozilla/mailnews/local/src/nsPop3Service.cpp b/mozilla/mailnews/local/src/nsPop3Service.cpp
index 6aead288c88..90ba9f7c814 100644
--- a/mozilla/mailnews/local/src/nsPop3Service.cpp
+++ b/mozilla/mailnews/local/src/nsPop3Service.cpp
@@ -287,7 +287,7 @@ NS_IMETHODIMP nsPop3Service::GetDefaultDoBiff(PRBool *aDoBiff)
NS_IMETHODIMP nsPop3Service::GetProtocolFlags(PRUint32 *result)
{
NS_ENSURE_ARG_POINTER(result);
- *result = URI_NORELATIVE | ALLOWS_PROXY;
+ *result = URI_NORELATIVE | URI_DANGEROUS_TO_LOAD | ALLOWS_PROXY;
return NS_OK;
}
diff --git a/mozilla/mailnews/news/src/nsNntpService.cpp b/mozilla/mailnews/news/src/nsNntpService.cpp
index 01a19e1fa52..e4004d67704 100644
--- a/mozilla/mailnews/news/src/nsNntpService.cpp
+++ b/mozilla/mailnews/news/src/nsNntpService.cpp
@@ -1382,7 +1382,8 @@ nsNntpService::GetDefaultServerPort(PRBool isSecure, PRInt32 *aDefaultPort)
NS_IMETHODIMP nsNntpService::GetProtocolFlags(PRUint32 *aUritype)
{
NS_ENSURE_ARG_POINTER(aUritype);
- *aUritype = URI_NORELATIVE | ALLOWS_PROXY;
+ *aUritype = URI_NORELATIVE | URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT |
+ URI_LOADABLE_BY_ANYONE | ALLOWS_PROXY;
return NS_OK;
}
diff --git a/mozilla/modules/libjar/nsJARProtocolHandler.cpp b/mozilla/modules/libjar/nsJARProtocolHandler.cpp
index 9f268ede496..3cc534be3d6 100644
--- a/mozilla/modules/libjar/nsJARProtocolHandler.cpp
+++ b/mozilla/modules/libjar/nsJARProtocolHandler.cpp
@@ -140,7 +140,9 @@ nsJARProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsJARProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH;
+ // URI_LOADABLE_BY_ANYONE, since it's our inner URI that will matter
+ // anyway.
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_LOADABLE_BY_ANYONE;
/* Although jar uris have their own concept of relative urls
it is very different from the standard behaviour, so we
have to say norelative here! */
diff --git a/mozilla/modules/libpr0n/decoders/icon/nsIconProtocolHandler.cpp b/mozilla/modules/libpr0n/decoders/icon/nsIconProtocolHandler.cpp
index dde4c55b379..4136c6f78c6 100644
--- a/mozilla/modules/libpr0n/decoders/icon/nsIconProtocolHandler.cpp
+++ b/mozilla/modules/libpr0n/decoders/icon/nsIconProtocolHandler.cpp
@@ -83,7 +83,7 @@ NS_IMETHODIMP nsIconProtocolHandler::AllowPort(PRInt32 port, const char *scheme,
NS_IMETHODIMP nsIconProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH;
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_IS_UI_RESOURCE;
return NS_OK;
}
diff --git a/mozilla/netwerk/base/public/nsIProtocolHandler.idl b/mozilla/netwerk/base/public/nsIProtocolHandler.idl
index 72e469aadad..dd4e15d82fc 100644
--- a/mozilla/netwerk/base/public/nsIProtocolHandler.idl
+++ b/mozilla/netwerk/base/public/nsIProtocolHandler.idl
@@ -135,12 +135,80 @@ interface nsIProtocolHandler : nsISupports
const unsigned long URI_NOAUTH = (1<<1);
/**
- * The URIs for this protocol have no inherent security context. That is,
- * it's not possible to decide what a document loaded from one of these
- * URIs should be allowed to do.
+ * The URIs for this protocol have no inherent security context, so
+ * documents loaded via this protocol should inherit the security context
+ * from the document that loads them.
*/
- const unsigned long URI_HAS_NO_SECURITY_CONTEXT = (1<<4);
+ const unsigned long URI_INHERITS_SECURITY_CONTEXT = (1<<4);
+ /**
+ * "Automatic" loads that would replace the document (e.g. refresh,
+ * certain types of XLinks, possibly other loads that the application
+ * decides are not user triggered) are not allowed if the originating (NOT
+ * the target) URI has this protocol flag. Note that the decision as to
+ * what constitutes an "automatic" load is made externally, by the caller
+ * of nsIScriptSecurityManager::CheckLoadURI. See documentation for that
+ * method for more information.
+ *
+ * A typical protocol that might want to set this flag is a protocol that
+ * shows highly untrusted content in a viewing area that the user expects
+ * to have a lot of control over, such as an e-mail reader.
+ */
+ const unsigned long URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT = (1<<5);
+
+ /**
+ * +-------------------------------------------------------------------+
+ * | |
+ * | ALL PROTOCOL HANDLERS MUST SET ONE OF THE FOLLOWING FOUR FLAGS. |
+ * | |
+ * +-------------------------------------------------------------------+
+ *
+ * These flags are used to determine who is allowed to load URIs for this
+ * protocol. Note that if a URI is nested, only the flags for the
+ * innermost URI matter. See nsINestedURI.
+ *
+ * If none of these four flags are set, the URI must be treated as if it
+ * had the URI_LOADABLE_BY_ANYONE flag set, for compatibility with protocol
+ * handlers written against Gecko 1.8 or earlier. In this case, there may
+ * be run-time warning messages indicating that a "default insecure"
+ * assumption is being made. At some point in the futures (Mozilla 2.0,
+ * most likely), these warnings will become errors.
+ */
+
+ /**
+ * The URIs for this protocol can be loaded by anyone. For example, any
+ * website should be allowed to trigger a load of a URI for this protocol.
+ * Web-safe protocols like "http" should set this flag.
+ */
+ const unsigned long URI_LOADABLE_BY_ANYONE = (1<<6);
+
+ /**
+ * The URIs for this protocol are UNSAFE if loaded by untrusted (web)
+ * content and may only be loaded by privileged code (for example, code
+ * which has the system principal). Various internal protocols should set
+ * this flag.
+ */
+ const unsigned long URI_DANGEROUS_TO_LOAD = (1<<7);
+
+ /**
+ * The URIs for this protocol point to resources that are part of the
+ * application's user interface. There are cases when such resources may
+ * be made accessible to untrusted content such as web pages, so this is
+ * less restrictive than URI_DANGEROUS_TO_LOAD but more restrictive than
+ * URI_LOADABLE_BY_ANYONE. See the documentation for
+ * nsIScriptSecurityManager::CheckLoadURI.
+ */
+ const unsigned long URI_IS_UI_RESOURCE = (1<<8);
+
+ /**
+ * Loading of URIs for this protocol from other origins should only be
+ * allowed if those origins should have access to the local filesystem.
+ * It's up to the application to decide what origins should have such
+ * access. Protocols like "file" that point to local data should set this
+ * flag.
+ */
+ const unsigned long URI_IS_LOCAL_FILE = (1<<9);
+
/**
* This protocol handler can be proxied via a proxy (socks or http)
* (e.g., irc, smtp, http, etc.). If the protocol supports transparent
diff --git a/mozilla/netwerk/protocol/about/src/nsAboutProtocolHandler.cpp b/mozilla/netwerk/protocol/about/src/nsAboutProtocolHandler.cpp
index 52dbbc454e3..594fc9a90ee 100644
--- a/mozilla/netwerk/protocol/about/src/nsAboutProtocolHandler.cpp
+++ b/mozilla/netwerk/protocol/about/src/nsAboutProtocolHandler.cpp
@@ -77,7 +77,7 @@ nsAboutProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsAboutProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH;
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_DANGEROUS_TO_LOAD;
return NS_OK;
}
@@ -204,7 +204,7 @@ nsSafeAboutProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsSafeAboutProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH;
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/data/src/nsDataHandler.cpp b/mozilla/netwerk/protocol/data/src/nsDataHandler.cpp
index 226e7dbbc31..609e7f10cc6 100644
--- a/mozilla/netwerk/protocol/data/src/nsDataHandler.cpp
+++ b/mozilla/netwerk/protocol/data/src/nsDataHandler.cpp
@@ -89,7 +89,8 @@ nsDataHandler::GetDefaultPort(PRInt32 *result) {
NS_IMETHODIMP
nsDataHandler::GetProtocolFlags(PRUint32 *result) {
- *result = URI_NORELATIVE | URI_NOAUTH | URI_HAS_NO_SECURITY_CONTEXT;
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_INHERITS_SECURITY_CONTEXT |
+ URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/file/src/nsFileProtocolHandler.cpp b/mozilla/netwerk/protocol/file/src/nsFileProtocolHandler.cpp
index 8cd45a4fed6..5acf26508a3 100644
--- a/mozilla/netwerk/protocol/file/src/nsFileProtocolHandler.cpp
+++ b/mozilla/netwerk/protocol/file/src/nsFileProtocolHandler.cpp
@@ -247,7 +247,7 @@ nsFileProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsFileProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NOAUTH;
+ *result = URI_NOAUTH | URI_IS_LOCAL_FILE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/ftp/src/nsFtpProtocolHandler.cpp b/mozilla/netwerk/protocol/ftp/src/nsFtpProtocolHandler.cpp
index c64b55f8340..a125361631a 100644
--- a/mozilla/netwerk/protocol/ftp/src/nsFtpProtocolHandler.cpp
+++ b/mozilla/netwerk/protocol/ftp/src/nsFtpProtocolHandler.cpp
@@ -170,7 +170,8 @@ nsFtpProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsFtpProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD | ALLOWS_PROXY | ALLOWS_PROXY_HTTP;
+ *result = URI_STD | ALLOWS_PROXY | ALLOWS_PROXY_HTTP |
+ URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/gopher/src/nsGopherHandler.cpp b/mozilla/netwerk/protocol/gopher/src/nsGopherHandler.cpp
index 54493dcfa55..f1d0c3292b8 100644
--- a/mozilla/netwerk/protocol/gopher/src/nsGopherHandler.cpp
+++ b/mozilla/netwerk/protocol/gopher/src/nsGopherHandler.cpp
@@ -72,7 +72,8 @@ nsGopherHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsGopherHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | ALLOWS_PROXY | ALLOWS_PROXY_HTTP;
+ *result = URI_NORELATIVE | ALLOWS_PROXY | ALLOWS_PROXY_HTTP |
+ URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/http/src/nsHttpHandler.cpp b/mozilla/netwerk/protocol/http/src/nsHttpHandler.cpp
index e309117fbb4..5fd3e58a276 100644
--- a/mozilla/netwerk/protocol/http/src/nsHttpHandler.cpp
+++ b/mozilla/netwerk/protocol/http/src/nsHttpHandler.cpp
@@ -1408,7 +1408,8 @@ nsHttpHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsHttpHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD | ALLOWS_PROXY | ALLOWS_PROXY_HTTP;
+ *result = URI_STD | ALLOWS_PROXY | ALLOWS_PROXY_HTTP |
+ URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp b/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp
index 907d775f30d..575eb9665a8 100644
--- a/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp
+++ b/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp
@@ -208,7 +208,9 @@ nsResProtocolHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsResProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD;
+ // XXXbz Is this really true for all resource: URIs? Could we
+ // somehow give different flags to some of them?
+ *result = URI_STD | URI_IS_UI_RESOURCE;
return NS_OK;
}
diff --git a/mozilla/netwerk/protocol/viewsource/src/nsViewSourceHandler.cpp b/mozilla/netwerk/protocol/viewsource/src/nsViewSourceHandler.cpp
index f4550fbd886..6644a8e17f6 100644
--- a/mozilla/netwerk/protocol/viewsource/src/nsViewSourceHandler.cpp
+++ b/mozilla/netwerk/protocol/viewsource/src/nsViewSourceHandler.cpp
@@ -69,7 +69,7 @@ nsViewSourceHandler::GetDefaultPort(PRInt32 *result)
NS_IMETHODIMP
nsViewSourceHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_NORELATIVE | URI_NOAUTH;
+ *result = URI_NORELATIVE | URI_NOAUTH | URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/netwerk/test/unit/test_protocolproxyservice.js b/mozilla/netwerk/test/unit/test_protocolproxyservice.js
index 92d950d0680..44cfcdae33e 100644
--- a/mozilla/netwerk/test/unit/test_protocolproxyservice.js
+++ b/mozilla/netwerk/test/unit/test_protocolproxyservice.js
@@ -60,7 +60,8 @@ TestProtocolHandler.prototype = {
defaultPort: -1,
protocolFlags: Components.interfaces.nsIProtocolHandler.URI_NOAUTH |
Components.interfaces.nsIProtocolHandler.URI_NORELATIVE |
- Components.interfaces.nsIProtocolHandler.ALLOWS_PROXY,
+ Components.interfaces.nsIProtocolHandler.ALLOWS_PROXY |
+ Components.interfaces.nsIProtocolHandler.URI_DANGEROUS_TO_LOAD,
newURI: function(spec, originCharset, baseURI) {
var uri = Components.classes["@mozilla.org/network/simple-uri;1"]
.createInstance(Components.interfaces.nsIURI);
diff --git a/mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp b/mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp
index bf3efd0baef..44aa8716328 100644
--- a/mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp
+++ b/mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp
@@ -519,7 +519,10 @@ nsChromeProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_re
NS_IMETHODIMP
nsChromeProtocolHandler::GetProtocolFlags(PRUint32 *result)
{
- *result = URI_STD;
+ // XXXbz we should probably have different flags for different package
+ // types and put the things that ARE OK for random crap to load into a
+ // separate package type!
+ *result = URI_STD | URI_IS_UI_RESOURCE;
return NS_OK;
}
diff --git a/mozilla/toolkit/components/places/src/nsAnnoProtocolHandler.cpp b/mozilla/toolkit/components/places/src/nsAnnoProtocolHandler.cpp
index eac355303f2..7264b391228 100644
--- a/mozilla/toolkit/components/places/src/nsAnnoProtocolHandler.cpp
+++ b/mozilla/toolkit/components/places/src/nsAnnoProtocolHandler.cpp
@@ -83,13 +83,11 @@ nsAnnoProtocolHandler::GetDefaultPort(PRInt32 *aDefaultPort)
// nsAnnoProtocolHandler::GetProtocolFlags
-//
-// No special protocol flags.
NS_IMETHODIMP
nsAnnoProtocolHandler::GetProtocolFlags(PRUint32 *aProtocolFlags)
{
- *aProtocolFlags = (URI_NORELATIVE | URI_NOAUTH);
+ *aProtocolFlags = (URI_NORELATIVE | URI_NOAUTH | URI_DANGEROUS_TO_LOAD);
return NS_OK;
}
diff --git a/mozilla/toolkit/components/places/src/nsLivemarkService.js b/mozilla/toolkit/components/places/src/nsLivemarkService.js
index fbaa4e884bb..84886119fa9 100644
--- a/mozilla/toolkit/components/places/src/nsLivemarkService.js
+++ b/mozilla/toolkit/components/places/src/nsLivemarkService.js
@@ -79,7 +79,7 @@ const FAV_CONTRACTID = "@mozilla.org/browser/favicon-service;1";
const LG_CONTRACTID = "@mozilla.org/network/load-group;1";
const FP_CONTRACTID = "@mozilla.org/feed-processor;1";
const SEC_CONTRACTID = "@mozilla.org/scriptsecuritymanager;1";
-const SEC_FLAGS = Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT_OR_DATA;
+const SEC_FLAGS = Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL;
// Check every hour
const EXPIRATION = 3600000;
diff --git a/mozilla/toolkit/content/widgets/text.xml b/mozilla/toolkit/content/widgets/text.xml
index f9d09f5c4e3..cda957b3650 100644
--- a/mozilla/toolkit/content/widgets/text.xml
+++ b/mozilla/toolkit/content/widgets/text.xml
@@ -316,7 +316,8 @@
var safeURI = ioService.newURI("about:blank", null, null);
try {
- secMan.checkLoadURI(safeURI, uri, nsISSM.DISALLOW_SCRIPT_OR_DATA)
+ secMan.checkLoadURI(safeURI, uri,
+ nsISSM.DISALLOW_INHERIT_PRINCIPAL)
} catch (ex) {
var msg = "Error: Cannot open a " + uri.scheme + ": link using \
the text-link binding.";
diff --git a/mozilla/toolkit/mozapps/plugins/content/pluginInstallerWizard.js b/mozilla/toolkit/mozapps/plugins/content/pluginInstallerWizard.js
index c84d84b4c97..f0fb95942fb 100644
--- a/mozilla/toolkit/mozapps/plugins/content/pluginInstallerWizard.js
+++ b/mozilla/toolkit/mozapps/plugins/content/pluginInstallerWizard.js
@@ -565,7 +565,9 @@ nsPluginInstallerWizard.prototype.showPluginResults = function (){
nsPluginInstallerWizard.prototype.loadURL = function (aUrl){
// Check if the page where the plugin came from can load aUrl before
- // loading it, and do *not* allow loading javascript: or data: URIs.
+ // loading it, and do *not* allow loading URIs that would inherit our
+ // principal.
+
var pluginPage = window.opener.content.location.href;
const nsIScriptSecurityManager =
@@ -575,7 +577,7 @@ nsPluginInstallerWizard.prototype.loadURL = function (aUrl){
.getService(nsIScriptSecurityManager);
secMan.checkLoadURIStr(pluginPage, aUrl,
- nsIScriptSecurityManager.DISALLOW_SCRIPT_OR_DATA);
+ nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
window.opener.open(aUrl);
}
diff --git a/mozilla/uriloader/exthandler/nsExternalProtocolHandler.cpp b/mozilla/uriloader/exthandler/nsExternalProtocolHandler.cpp
index 3340d5d126d..2a26b1a4696 100644
--- a/mozilla/uriloader/exthandler/nsExternalProtocolHandler.cpp
+++ b/mozilla/uriloader/exthandler/nsExternalProtocolHandler.cpp
@@ -355,7 +355,7 @@ PRBool nsExternalProtocolHandler::HaveProtocolHandler(nsIURI * aURI)
NS_IMETHODIMP nsExternalProtocolHandler::GetProtocolFlags(PRUint32 *aUritype)
{
// Make it norelative since it is a simple uri
- *aUritype = URI_NORELATIVE | URI_NOAUTH | URI_HAS_NO_SECURITY_CONTEXT;
+ *aUritype = URI_NORELATIVE | URI_NOAUTH | URI_LOADABLE_BY_ANYONE;
return NS_OK;
}
diff --git a/mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp b/mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp
index 4bb1aca340a..cdafac33df3 100644
--- a/mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp
+++ b/mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp
@@ -171,7 +171,7 @@ InstallTriggerCheckLoadURIFromScript(JSContext *cx, const nsAString& uriStr)
// are we allowed to load this one?
rv = secman->CheckLoadURIWithPrincipal(principal, uri,
- nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
+ nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL);
return rv;
}