Remove the security.checkloaduri preference. Please to be using the

checkloaduri CAPS policy instead, since that's less likely to let you shoot yourself in the foot. Bug 307382, r=caillon, sr=dveditz, a=asa git-svn-id: svn://10.0.0.236/branches/MOZILLA_1_8_BRANCH@180085 18797224-902f-48f8-a5cc-f745e15eee43
2005-09-13 01:34:10 +00:00
parent 53726abd0f
commit 77e3a90e2c
1 changed files with 20 additions and 28 deletions
--- a/mozilla/caps/src/nsScriptSecurityManager.cpp
+++ b/mozilla/caps/src/nsScriptSecurityManager.cpp
@@ -1311,43 +1311,35 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
    {
        if (targetScheme.LowerCaseEqualsASCII(protocolList[i].name))
        {
-            PRBool doCheck = PR_FALSE;
            switch (protocolList[i].action)
            {
            case AllowProtocol:
                // everyone can access these schemes.
                return NS_OK;
            case PrefControlled:
-                // Allow access if pref is false
                {
-                    mSecurityPref->SecurityGetBoolPref("security.checkloaduri",
-                                                       &doCheck);
-                    if (doCheck)
+                    // resource: and chrome: are equivalent, securitywise
+                    if (sourceScheme.EqualsLiteral("chrome") ||
+                        sourceScheme.EqualsLiteral("resource"))
+                        return NS_OK;
+
+                    // Now check capability policies
+                    static const char loadURIPrefGroup[] = "checkloaduri";
+
+                    SecurityLevel secLevel;
+                    rv = LookupPolicy(aPrincipal,
+                                      (char*)loadURIPrefGroup,
+                                      sEnabledID,
+                                      nsIXPCSecurityManager::ACCESS_GET_PROPERTY, 
+                                      nsnull, &secLevel);
+                    if (NS_SUCCEEDED(rv) && secLevel.level == SCRIPT_SECURITY_ALL_ACCESS)
                    {
-                        // resource: and chrome: are equivalent, securitywise
-                        if (sourceScheme.EqualsLiteral("chrome") ||
-                            sourceScheme.EqualsLiteral("resource"))
-                            return NS_OK;
-
-                        // Now check capability policies
-                        static const char loadURIPrefGroup[] = "checkloaduri";
-
-                        SecurityLevel secLevel;
-                        rv = LookupPolicy(aPrincipal,
-                                          (char*)loadURIPrefGroup,
-                                          sEnabledID,
-                                          nsIXPCSecurityManager::ACCESS_GET_PROPERTY, 
-                                          nsnull, &secLevel);
-                        if (NS_SUCCEEDED(rv) && secLevel.level == SCRIPT_SECURITY_ALL_ACCESS)
-                        {
-                            // OK for this site!
-                            return NS_OK;
-                        }
-
-                        ReportError(nsnull, errorTag, sourceURI, aTargetURI);
-                        return NS_ERROR_DOM_BAD_URI;
+                        // OK for this site!
+                        return NS_OK;
                    }
-                    return NS_OK;
+
+                    ReportError(nsnull, errorTag, sourceURI, aTargetURI);
+                    return NS_ERROR_DOM_BAD_URI;
                }
            case ChromeProtocol:
                if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME)