diff -r 59d55eb6eecb -r 523b1d92948c old/gecko-lockdown.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/old/gecko-lockdown.patch Sun Nov 29 14:10:26 2009 +0100 @@ -0,0 +1,319 @@ +From: Robert O'Callahan +Subject: Lockdown feature for Gecko +References: + + +Index: extensions/cookie/nsCookiePermission.cpp +=================================================================== +--- extensions/cookie/nsCookiePermission.cpp.orig ++++ extensions/cookie/nsCookiePermission.cpp +@@ -86,6 +86,7 @@ static const char kCookiesPrefsMigrated[ + // obsolete pref names for migration + static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled"; + static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior"; ++static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions"; + static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies"; + + static const char kPermissionType[] = "cookie"; +@@ -125,6 +126,7 @@ nsCookiePermission::Init() + prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE); + prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE); + prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE); ++ prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE); + #ifdef MOZ_MAIL_NEWS + prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE); + #endif +@@ -182,6 +184,10 @@ nsCookiePermission::PrefChanged(nsIPrefB + NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val))) + mCookiesAlwaysAcceptSession = val; + ++ if (PREF_CHANGED(kCookiesHonorExceptions) && ++ NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val))) ++ mCookiesHonorExceptions = val; ++ + #ifdef MOZ_MAIL_NEWS + if (PREF_CHANGED(kCookiesDisabledForMailNews) && + NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesDisabledForMailNews, &val))) +@@ -232,6 +238,11 @@ nsCookiePermission::CanAccess(nsIURI + #endif // MOZ_MAIL_NEWS + + // finally, check with permission manager... ++ if (!mCookiesHonorExceptions) { ++ *aResult = ACCESS_DEFAULT; ++ return NS_OK; ++ } ++ + nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult); + if (NS_SUCCEEDED(rv)) { + switch (*aResult) { +Index: extensions/cookie/nsCookiePermission.h +=================================================================== +--- extensions/cookie/nsCookiePermission.h.orig ++++ extensions/cookie/nsCookiePermission.h +@@ -61,6 +61,7 @@ public: + #ifdef MOZ_MAIL_NEWS + , mCookiesDisabledForMailNews(PR_TRUE) + #endif ++ , mCookiesHonorExceptions(PR_TRUE) + {} + virtual ~nsCookiePermission() {} + +@@ -76,7 +77,7 @@ private: + #ifdef MOZ_MAIL_NEWS + PRPackedBool mCookiesDisabledForMailNews; + #endif +- ++ PRPackedBool mCookiesHonorExceptions; + }; + + // {EF565D0A-AB9A-4A13-9160-0644CDFD859A} +Index: extensions/permissions/nsContentBlocker.cpp +=================================================================== +--- extensions/permissions/nsContentBlocker.cpp.orig ++++ extensions/permissions/nsContentBlocker.cpp +@@ -76,6 +76,7 @@ NS_IMPL_ISUPPORTS3(nsContentBlocker, + nsContentBlocker::nsContentBlocker() + { + memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES); ++ memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES); + } + + nsresult +@@ -92,6 +93,11 @@ nsContentBlocker::Init() + rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch)); + NS_ENSURE_SUCCESS(rv, rv); + ++ nsCOMPtr honorExceptionsPrefBranch; ++ rv = prefService->GetBranch("permissions.honorExceptions.", ++ getter_AddRefs(honorExceptionsPrefBranch)); ++ NS_ENSURE_SUCCESS(rv, rv); ++ + // Migrate old image blocker pref + nsCOMPtr oldPrefBranch; + oldPrefBranch = do_QueryInterface(prefService); +@@ -121,8 +127,15 @@ nsContentBlocker::Init() + mPrefBranchInternal = do_QueryInterface(prefBranch, &rv); + NS_ENSURE_SUCCESS(rv, rv); + ++ mHonorExceptionsPrefBranchInternal = ++ do_QueryInterface(honorExceptionsPrefBranch, &rv); ++ NS_ENSURE_SUCCESS(rv, rv); ++ + rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE); +- PrefChanged(prefBranch, nsnull); ++ NS_ENSURE_SUCCESS(rv, rv); ++ ++ rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE); ++ PrefChanged(nsnull); + + return rv; + } +@@ -131,19 +144,22 @@ nsContentBlocker::Init() + #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default)) + + void +-nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch, +- const char *aPref) ++nsContentBlocker::PrefChanged(const char *aPref) + { +- PRInt32 val; +- +-#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P)) +- +- for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) { +- if (PREF_CHANGED(kTypeString[i]) && +- NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val))) +- mBehaviorPref[i] = LIMIT(val, 1, 3, 1); ++ for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) { ++ if (!aPref || !strcmp(kTypeString[i], aPref)) { ++ PRInt32 val; ++ PRBool b; ++ if (mPrefBranchInternal && ++ NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) { ++ mBehaviorPref[i] = LIMIT(val, 1, 3, 1); ++ } ++ if (mHonorExceptionsPrefBranchInternal && ++ NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) { ++ mHonorExceptions[i] = b; ++ } ++ } + } +- + } + + // nsIContentPolicy Implementation +@@ -268,11 +284,13 @@ nsContentBlocker::TestPermission(nsIURI + // default prefs. + // Don't forget the aContentType ranges from 1..8, while the + // array is indexed 0..7 +- PRUint32 permission; +- nsresult rv = mPermissionManager->TestPermission(aCurrentURI, +- kTypeString[aContentType - 1], +- &permission); +- NS_ENSURE_SUCCESS(rv, rv); ++ PRUint32 permission = 0; ++ if (mHonorExceptions[aContentType - 1]) { ++ nsresult rv = mPermissionManager->TestPermission(aCurrentURI, ++ kTypeString[aContentType - 1], ++ &permission); ++ NS_ENSURE_SUCCESS(rv, rv); ++ } + + // If there is nothing on the list, use the default. + if (!permission) { +@@ -298,7 +316,7 @@ nsContentBlocker::TestPermission(nsIURI + return NS_OK; + + PRBool trustedSource = PR_FALSE; +- rv = aFirstURI->SchemeIs("chrome", &trustedSource); ++ nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource); + NS_ENSURE_SUCCESS(rv,rv); + if (!trustedSource) { + rv = aFirstURI->SchemeIs("resource", &trustedSource); +@@ -363,8 +381,6 @@ nsContentBlocker::Observe(nsISupports + { + NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic), + "unexpected topic - we only deal with pref changes!"); +- +- if (mPrefBranchInternal) +- PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get()); ++ PrefChanged(NS_LossyConvertUTF16toASCII(aData).get()); + return NS_OK; + } +Index: extensions/permissions/nsContentBlocker.h +=================================================================== +--- extensions/permissions/nsContentBlocker.h.orig ++++ extensions/permissions/nsContentBlocker.h +@@ -66,7 +66,7 @@ public: + private: + ~nsContentBlocker() {} + +- void PrefChanged(nsIPrefBranch *, const char *); ++ void PrefChanged(const char *); + nsresult TestPermission(nsIURI *aCurrentURI, + nsIURI *aFirstURI, + PRInt32 aContentType, +@@ -75,7 +75,9 @@ private: + + nsCOMPtr mPermissionManager; + nsCOMPtr mPrefBranchInternal; ++ nsCOMPtr mHonorExceptionsPrefBranchInternal; + PRUint8 mBehaviorPref[NUMBER_OF_TYPES]; ++ PRPackedBool mHonorExceptions[NUMBER_OF_TYPES]; + }; + + #define NS_CONTENTBLOCKER_CID \ +Index: modules/libpref/src/init/all.js +=================================================================== +--- modules/libpref/src/init/all.js.orig ++++ modules/libpref/src/init/all.js +@@ -798,6 +798,7 @@ pref("network.automatic-ntlm-auth.truste + pref("network.ntlm.send-lm-response", false); + + pref("permissions.default.image", 1); // 1-Accept, 2-Deny, 3-dontAcceptForeign ++pref("permissions.honorExceptions.image", true); + + #ifndef XP_MACOSX + #ifdef XP_UNIX +@@ -825,6 +826,7 @@ pref("network.proxy.no_proxies_on", + pref("network.proxy.failover_timeout", 1800); // 30 minutes + pref("network.online", true); //online/offline + pref("network.cookie.cookieBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse ++pref("network.cookie.honorExceptions", true); + pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail + pref("network.cookie.lifetimePolicy", 0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays + pref("network.cookie.alwaysAcceptSessionCookies", false); +Index: widget/src/gtk2/nsWindow.cpp +=================================================================== +--- widget/src/gtk2/nsWindow.cpp.orig ++++ widget/src/gtk2/nsWindow.cpp +@@ -81,6 +81,7 @@ + #include "nsIServiceManager.h" + #include "nsIStringBundle.h" + #include "nsGfxCIID.h" ++#include "nsIPrefService.h" + + #ifdef ACCESSIBILITY + #include "nsIAccessibilityService.h" +@@ -91,7 +92,6 @@ + static PRBool sAccessibilityChecked = PR_FALSE; + /* static */ + PRBool nsWindow::sAccessibilityEnabled = PR_FALSE; +-static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1"; + static const char sAccEnv [] = "GNOME_ACCESSIBILITY"; + static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility"; + #endif +@@ -3992,18 +3992,18 @@ nsWindow::NativeCreate(nsIWidget + sAccessibilityEnabled = atoi(envValue) != 0; + LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue)); + } +- //check gconf-2 setting ++ //check preference setting + else { +- nsCOMPtr sysPrefService = +- do_GetService(sSysPrefService, &rv); +- if (NS_SUCCEEDED(rv) && sysPrefService) { +- +- // do the work to get gconf setting. +- // will be done soon later. +- sysPrefService->GetBoolPref(sAccessibilityKey, ++ nsCOMPtr prefService = ++ do_GetService(NS_PREFSERVICE_CONTRACTID, &rv); ++ if (NS_SUCCEEDED(rv) && prefService) { ++ nsCOMPtr prefBranch; ++ rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch)); ++ if (NS_SUCCEEDED(rv) && prefBranch) { ++ prefBranch->GetBoolPref(sAccessibilityKey, + &sAccessibilityEnabled); ++ } + } +- + } + } + if (sAccessibilityEnabled) { +Index: xpinstall/src/nsXPInstallManager.cpp +=================================================================== +--- xpinstall/src/nsXPInstallManager.cpp.orig ++++ xpinstall/src/nsXPInstallManager.cpp +@@ -290,6 +290,7 @@ nsXPInstallManager::InitManagerInternal( + //----------------------------------------------------- + // Get permission to install + //----------------------------------------------------- ++ nsCOMPtr pref(do_GetService(NS_PREFSERVICE_CONTRACTID)); + + #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI + if ( mChromeType == CHROME_SKIN ) +@@ -299,17 +300,26 @@ nsXPInstallManager::InitManagerInternal( + + // skins get a simpler/friendlier dialog + // XXX currently not embeddable +- OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList ); ++ PRBool themesDisabled = PR_FALSE; ++ if (pref) ++ pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled); ++ OKtoInstall = !themesDisabled && ++ ConfirmChromeInstall( mParentWindow, packageList ); + } + else + { + #endif +- rv = dlgSvc->ConfirmInstall( mParentWindow, +- packageList, +- numStrings, +- &OKtoInstall ); +- if (NS_FAILED(rv)) +- OKtoInstall = PR_FALSE; ++ PRBool extensionsDisabled = PR_FALSE; ++ if (pref) ++ pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled); ++ if (!extensionsDisabled) { ++ rv = dlgSvc->ConfirmInstall( mParentWindow, ++ packageList, ++ numStrings, ++ &OKtoInstall ); ++ if (NS_FAILED(rv)) ++ OKtoInstall = PR_FALSE; ++ } + #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI + } + #endif