1 From: Robert O'Callahan |
|
2 Subject: Lockdown feature for Gecko |
|
3 References: |
|
4 |
|
5 |
|
6 Index: extensions/cookie/nsCookiePermission.cpp |
|
7 =================================================================== |
|
8 --- extensions/cookie/nsCookiePermission.cpp.orig |
|
9 +++ extensions/cookie/nsCookiePermission.cpp |
|
10 @@ -86,6 +86,7 @@ static const char kCookiesPrefsMigrated[ |
|
11 // obsolete pref names for migration |
|
12 static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled"; |
|
13 static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior"; |
|
14 +static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions"; |
|
15 static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies"; |
|
16 |
|
17 static const char kPermissionType[] = "cookie"; |
|
18 @@ -125,6 +126,7 @@ nsCookiePermission::Init() |
|
19 prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE); |
|
20 prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE); |
|
21 prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE); |
|
22 + prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE); |
|
23 #ifdef MOZ_MAIL_NEWS |
|
24 prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE); |
|
25 #endif |
|
26 @@ -182,6 +184,10 @@ nsCookiePermission::PrefChanged(nsIPrefB |
|
27 NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val))) |
|
28 mCookiesAlwaysAcceptSession = val; |
|
29 |
|
30 + if (PREF_CHANGED(kCookiesHonorExceptions) && |
|
31 + NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val))) |
|
32 + mCookiesHonorExceptions = val; |
|
33 + |
|
34 #ifdef MOZ_MAIL_NEWS |
|
35 if (PREF_CHANGED(kCookiesDisabledForMailNews) && |
|
36 NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesDisabledForMailNews, &val))) |
|
37 @@ -232,6 +238,11 @@ nsCookiePermission::CanAccess(nsIURI |
|
38 #endif // MOZ_MAIL_NEWS |
|
39 |
|
40 // finally, check with permission manager... |
|
41 + if (!mCookiesHonorExceptions) { |
|
42 + *aResult = ACCESS_DEFAULT; |
|
43 + return NS_OK; |
|
44 + } |
|
45 + |
|
46 nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult); |
|
47 if (NS_SUCCEEDED(rv)) { |
|
48 switch (*aResult) { |
|
49 Index: extensions/cookie/nsCookiePermission.h |
|
50 =================================================================== |
|
51 --- extensions/cookie/nsCookiePermission.h.orig |
|
52 +++ extensions/cookie/nsCookiePermission.h |
|
53 @@ -61,6 +61,7 @@ public: |
|
54 #ifdef MOZ_MAIL_NEWS |
|
55 , mCookiesDisabledForMailNews(PR_TRUE) |
|
56 #endif |
|
57 + , mCookiesHonorExceptions(PR_TRUE) |
|
58 {} |
|
59 virtual ~nsCookiePermission() {} |
|
60 |
|
61 @@ -76,7 +77,7 @@ private: |
|
62 #ifdef MOZ_MAIL_NEWS |
|
63 PRPackedBool mCookiesDisabledForMailNews; |
|
64 #endif |
|
65 - |
|
66 + PRPackedBool mCookiesHonorExceptions; |
|
67 }; |
|
68 |
|
69 // {EF565D0A-AB9A-4A13-9160-0644CDFD859A} |
|
70 Index: extensions/permissions/nsContentBlocker.cpp |
|
71 =================================================================== |
|
72 --- extensions/permissions/nsContentBlocker.cpp.orig |
|
73 +++ extensions/permissions/nsContentBlocker.cpp |
|
74 @@ -76,6 +76,7 @@ NS_IMPL_ISUPPORTS3(nsContentBlocker, |
|
75 nsContentBlocker::nsContentBlocker() |
|
76 { |
|
77 memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES); |
|
78 + memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES); |
|
79 } |
|
80 |
|
81 nsresult |
|
82 @@ -92,6 +93,11 @@ nsContentBlocker::Init() |
|
83 rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch)); |
|
84 NS_ENSURE_SUCCESS(rv, rv); |
|
85 |
|
86 + nsCOMPtr<nsIPrefBranch> honorExceptionsPrefBranch; |
|
87 + rv = prefService->GetBranch("permissions.honorExceptions.", |
|
88 + getter_AddRefs(honorExceptionsPrefBranch)); |
|
89 + NS_ENSURE_SUCCESS(rv, rv); |
|
90 + |
|
91 // Migrate old image blocker pref |
|
92 nsCOMPtr<nsIPrefBranch> oldPrefBranch; |
|
93 oldPrefBranch = do_QueryInterface(prefService); |
|
94 @@ -121,8 +127,15 @@ nsContentBlocker::Init() |
|
95 mPrefBranchInternal = do_QueryInterface(prefBranch, &rv); |
|
96 NS_ENSURE_SUCCESS(rv, rv); |
|
97 |
|
98 + mHonorExceptionsPrefBranchInternal = |
|
99 + do_QueryInterface(honorExceptionsPrefBranch, &rv); |
|
100 + NS_ENSURE_SUCCESS(rv, rv); |
|
101 + |
|
102 rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE); |
|
103 - PrefChanged(prefBranch, nsnull); |
|
104 + NS_ENSURE_SUCCESS(rv, rv); |
|
105 + |
|
106 + rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE); |
|
107 + PrefChanged(nsnull); |
|
108 |
|
109 return rv; |
|
110 } |
|
111 @@ -131,19 +144,22 @@ nsContentBlocker::Init() |
|
112 #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default)) |
|
113 |
|
114 void |
|
115 -nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch, |
|
116 - const char *aPref) |
|
117 +nsContentBlocker::PrefChanged(const char *aPref) |
|
118 { |
|
119 - PRInt32 val; |
|
120 - |
|
121 -#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P)) |
|
122 - |
|
123 - for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) { |
|
124 - if (PREF_CHANGED(kTypeString[i]) && |
|
125 - NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val))) |
|
126 - mBehaviorPref[i] = LIMIT(val, 1, 3, 1); |
|
127 + for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) { |
|
128 + if (!aPref || !strcmp(kTypeString[i], aPref)) { |
|
129 + PRInt32 val; |
|
130 + PRBool b; |
|
131 + if (mPrefBranchInternal && |
|
132 + NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) { |
|
133 + mBehaviorPref[i] = LIMIT(val, 1, 3, 1); |
|
134 + } |
|
135 + if (mHonorExceptionsPrefBranchInternal && |
|
136 + NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) { |
|
137 + mHonorExceptions[i] = b; |
|
138 + } |
|
139 + } |
|
140 } |
|
141 - |
|
142 } |
|
143 |
|
144 // nsIContentPolicy Implementation |
|
145 @@ -268,11 +284,13 @@ nsContentBlocker::TestPermission(nsIURI |
|
146 // default prefs. |
|
147 // Don't forget the aContentType ranges from 1..8, while the |
|
148 // array is indexed 0..7 |
|
149 - PRUint32 permission; |
|
150 - nsresult rv = mPermissionManager->TestPermission(aCurrentURI, |
|
151 - kTypeString[aContentType - 1], |
|
152 - &permission); |
|
153 - NS_ENSURE_SUCCESS(rv, rv); |
|
154 + PRUint32 permission = 0; |
|
155 + if (mHonorExceptions[aContentType - 1]) { |
|
156 + nsresult rv = mPermissionManager->TestPermission(aCurrentURI, |
|
157 + kTypeString[aContentType - 1], |
|
158 + &permission); |
|
159 + NS_ENSURE_SUCCESS(rv, rv); |
|
160 + } |
|
161 |
|
162 // If there is nothing on the list, use the default. |
|
163 if (!permission) { |
|
164 @@ -298,7 +316,7 @@ nsContentBlocker::TestPermission(nsIURI |
|
165 return NS_OK; |
|
166 |
|
167 PRBool trustedSource = PR_FALSE; |
|
168 - rv = aFirstURI->SchemeIs("chrome", &trustedSource); |
|
169 + nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource); |
|
170 NS_ENSURE_SUCCESS(rv,rv); |
|
171 if (!trustedSource) { |
|
172 rv = aFirstURI->SchemeIs("resource", &trustedSource); |
|
173 @@ -363,8 +381,6 @@ nsContentBlocker::Observe(nsISupports |
|
174 { |
|
175 NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic), |
|
176 "unexpected topic - we only deal with pref changes!"); |
|
177 - |
|
178 - if (mPrefBranchInternal) |
|
179 - PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get()); |
|
180 + PrefChanged(NS_LossyConvertUTF16toASCII(aData).get()); |
|
181 return NS_OK; |
|
182 } |
|
183 Index: extensions/permissions/nsContentBlocker.h |
|
184 =================================================================== |
|
185 --- extensions/permissions/nsContentBlocker.h.orig |
|
186 +++ extensions/permissions/nsContentBlocker.h |
|
187 @@ -66,7 +66,7 @@ public: |
|
188 private: |
|
189 ~nsContentBlocker() {} |
|
190 |
|
191 - void PrefChanged(nsIPrefBranch *, const char *); |
|
192 + void PrefChanged(const char *); |
|
193 nsresult TestPermission(nsIURI *aCurrentURI, |
|
194 nsIURI *aFirstURI, |
|
195 PRInt32 aContentType, |
|
196 @@ -75,7 +75,9 @@ private: |
|
197 |
|
198 nsCOMPtr<nsIPermissionManager> mPermissionManager; |
|
199 nsCOMPtr<nsIPrefBranch2> mPrefBranchInternal; |
|
200 + nsCOMPtr<nsIPrefBranch2> mHonorExceptionsPrefBranchInternal; |
|
201 PRUint8 mBehaviorPref[NUMBER_OF_TYPES]; |
|
202 + PRPackedBool mHonorExceptions[NUMBER_OF_TYPES]; |
|
203 }; |
|
204 |
|
205 #define NS_CONTENTBLOCKER_CID \ |
|
206 Index: modules/libpref/src/init/all.js |
|
207 =================================================================== |
|
208 --- modules/libpref/src/init/all.js.orig |
|
209 +++ modules/libpref/src/init/all.js |
|
210 @@ -798,6 +798,7 @@ pref("network.automatic-ntlm-auth.truste |
|
211 pref("network.ntlm.send-lm-response", false); |
|
212 |
|
213 pref("permissions.default.image", 1); // 1-Accept, 2-Deny, 3-dontAcceptForeign |
|
214 +pref("permissions.honorExceptions.image", true); |
|
215 |
|
216 #ifndef XP_MACOSX |
|
217 #ifdef XP_UNIX |
|
218 @@ -825,6 +826,7 @@ pref("network.proxy.no_proxies_on", |
|
219 pref("network.proxy.failover_timeout", 1800); // 30 minutes |
|
220 pref("network.online", true); //online/offline |
|
221 pref("network.cookie.cookieBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse |
|
222 +pref("network.cookie.honorExceptions", true); |
|
223 pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail |
|
224 pref("network.cookie.lifetimePolicy", 0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays |
|
225 pref("network.cookie.alwaysAcceptSessionCookies", false); |
|
226 Index: widget/src/gtk2/nsWindow.cpp |
|
227 =================================================================== |
|
228 --- widget/src/gtk2/nsWindow.cpp.orig |
|
229 +++ widget/src/gtk2/nsWindow.cpp |
|
230 @@ -81,6 +81,7 @@ |
|
231 #include "nsIServiceManager.h" |
|
232 #include "nsIStringBundle.h" |
|
233 #include "nsGfxCIID.h" |
|
234 +#include "nsIPrefService.h" |
|
235 |
|
236 #ifdef ACCESSIBILITY |
|
237 #include "nsIAccessibilityService.h" |
|
238 @@ -91,7 +92,6 @@ |
|
239 static PRBool sAccessibilityChecked = PR_FALSE; |
|
240 /* static */ |
|
241 PRBool nsWindow::sAccessibilityEnabled = PR_FALSE; |
|
242 -static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1"; |
|
243 static const char sAccEnv [] = "GNOME_ACCESSIBILITY"; |
|
244 static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility"; |
|
245 #endif |
|
246 @@ -3992,18 +3992,18 @@ nsWindow::NativeCreate(nsIWidget |
|
247 sAccessibilityEnabled = atoi(envValue) != 0; |
|
248 LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue)); |
|
249 } |
|
250 - //check gconf-2 setting |
|
251 + //check preference setting |
|
252 else { |
|
253 - nsCOMPtr<nsIPrefBranch> sysPrefService = |
|
254 - do_GetService(sSysPrefService, &rv); |
|
255 - if (NS_SUCCEEDED(rv) && sysPrefService) { |
|
256 - |
|
257 - // do the work to get gconf setting. |
|
258 - // will be done soon later. |
|
259 - sysPrefService->GetBoolPref(sAccessibilityKey, |
|
260 + nsCOMPtr<nsIPrefService> prefService = |
|
261 + do_GetService(NS_PREFSERVICE_CONTRACTID, &rv); |
|
262 + if (NS_SUCCEEDED(rv) && prefService) { |
|
263 + nsCOMPtr<nsIPrefBranch> prefBranch; |
|
264 + rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch)); |
|
265 + if (NS_SUCCEEDED(rv) && prefBranch) { |
|
266 + prefBranch->GetBoolPref(sAccessibilityKey, |
|
267 &sAccessibilityEnabled); |
|
268 + } |
|
269 } |
|
270 - |
|
271 } |
|
272 } |
|
273 if (sAccessibilityEnabled) { |
|
274 Index: xpinstall/src/nsXPInstallManager.cpp |
|
275 =================================================================== |
|
276 --- xpinstall/src/nsXPInstallManager.cpp.orig |
|
277 +++ xpinstall/src/nsXPInstallManager.cpp |
|
278 @@ -290,6 +290,7 @@ nsXPInstallManager::InitManagerInternal( |
|
279 //----------------------------------------------------- |
|
280 // Get permission to install |
|
281 //----------------------------------------------------- |
|
282 + nsCOMPtr<nsIPrefBranch> pref(do_GetService(NS_PREFSERVICE_CONTRACTID)); |
|
283 |
|
284 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI |
|
285 if ( mChromeType == CHROME_SKIN ) |
|
286 @@ -299,17 +300,26 @@ nsXPInstallManager::InitManagerInternal( |
|
287 |
|
288 // skins get a simpler/friendlier dialog |
|
289 // XXX currently not embeddable |
|
290 - OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList ); |
|
291 + PRBool themesDisabled = PR_FALSE; |
|
292 + if (pref) |
|
293 + pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled); |
|
294 + OKtoInstall = !themesDisabled && |
|
295 + ConfirmChromeInstall( mParentWindow, packageList ); |
|
296 } |
|
297 else |
|
298 { |
|
299 #endif |
|
300 - rv = dlgSvc->ConfirmInstall( mParentWindow, |
|
301 - packageList, |
|
302 - numStrings, |
|
303 - &OKtoInstall ); |
|
304 - if (NS_FAILED(rv)) |
|
305 - OKtoInstall = PR_FALSE; |
|
306 + PRBool extensionsDisabled = PR_FALSE; |
|
307 + if (pref) |
|
308 + pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled); |
|
309 + if (!extensionsDisabled) { |
|
310 + rv = dlgSvc->ConfirmInstall( mParentWindow, |
|
311 + packageList, |
|
312 + numStrings, |
|
313 + &OKtoInstall ); |
|
314 + if (NS_FAILED(rv)) |
|
315 + OKtoInstall = PR_FALSE; |
|
316 + } |
|
317 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI |
|
318 } |
|
319 #endif |
|