diff --git a/browser/base/content/aboutNetError.xhtml b/browser/base/content/aboutNetError.xhtml
index 18c85195145d..dfe2754ad523 100644
--- a/browser/base/content/aboutNetError.xhtml
+++ b/browser/base/content/aboutNetError.xhtml
@@ -308,9 +308,10 @@
 var event = new CustomEvent("AboutNetErrorLoad", {bubbles: true});
 document.dispatchEvent(event);
- if (err == "inadequateSecurityError") {
- // Remove the "Try again" button for HTTP/2 inadequate security as it
- // is useless.
+ if (err == "inadequateSecurityError" || err == "blockedByPolicyTemp") {
+ // Remove the "Try again" button from pages that don't need it.
+ // For HTTP/2 inadequate security or pages blocked by policy, trying
+ // again won't help.
 document.getElementById("errorTryAgain").style.display = "none";
 var container = document.getElementById("errorLongDesc");
@@ -557,6 +558,7 @@

&corruptedContentErrorv2.title;

&sslv3Used.title;

&inadequateSecurityError.title;

+

&blockedByPolicyTemp.title;

&generic.longDesc;
@@ -586,6 +588,7 @@
&corruptedContentErrorv2.longDesc;
&sslv3Used.longDesc2;
&inadequateSecurityError.longDesc;
+
&blockedByPolicyTemp.longDesc;
diff --git a/browser/components/enterprisepolicies/Policies.jsm b/browser/components/enterprisepolicies/Policies.jsm
index 1716fcca115d..b8afe7924b66 100644
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -29,7 +29,7 @@ XPCOMUtils.defineLazyGetter(this, "log", () => {
 this.EXPORTED_SYMBOLS = ["Policies"];
 this.Policies = {
- "block_about_config": {
+ "BlockAboutConfig": {
 onBeforeUIStartup(manager, param) {
 if (param) {
 manager.disallowFeature("about:config", true);
diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
index f657ed73c2d8..7f814a60fb63 100644
--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -2,7 +2,7 @@
 "$schema": "http://json-schema.org/draft-04/schema#",
 "type": "object",
 "properties": {
- "block_about_config": {
+ "BlockAboutConfig": {
 "description": "Blocks access to the about:config page.",
 "first_available": "60.0",
diff --git a/browser/components/enterprisepolicies/tests/browser/browser.ini b/browser/components/enterprisepolicies/tests/browser/browser.ini
index 4e28457aa02a..cec33309409b 100644
--- a/browser/components/enterprisepolicies/tests/browser/browser.ini
+++ b/browser/components/enterprisepolicies/tests/browser/browser.ini
@@ -12,6 +12,7 @@ support-files =
 [browser_policies_simple_policies.js]
 [browser_policies_validate_and_parse_API.js]
 [browser_policy_app_update.js]
+[browser_policy_block_about_config.js]
 [browser_policy_block_set_desktop_background.js]
 [browser_policy_default_browser_check.js]
 [browser_policy_disable_fxscreenshots.js]
diff --git a/browser/components/enterprisepolicies/tests/browser/browser_policy_block_about_config.js b/browser/components/enterprisepolicies/tests/browser/browser_policy_block_about_config.js
new file mode 100644
index 000000000000..fc0292310008
--- /dev/null
+++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_block_about_config.js
@@ -0,0 +1,27 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+add_task(async function test_about_config() {
+ await setupPolicyEngineWithJson({
+ "policies": {
+ "BlockAboutConfig": true
+ }
+ });
+
+ let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, "about:config", false);
+
+ await ContentTask.spawn(tab.linkedBrowser, null, async function() {
+ ok(content.document.documentURI.startsWith("about:neterror"),
+ "about:config should display the net error page");
+
+ // There is currently a testing-specific race condition that causes this test
+ // to fail, but it is not a problem if we test after the first page load.
+ // Until the race condition is fixed, just make sure to test this *after*
+ // testing the page load.
+ is(Services.policies.isAllowed("about:config"), false,
+ "Policy Engine should report about:config as not allowed");
+ });
+
+ await BrowserTestUtils.removeTab(tab);
+});
diff --git a/browser/locales/en-US/chrome/overrides/appstrings.properties b/browser/locales/en-US/chrome/overrides/appstrings.properties
index 30cba3101a48..4e11876a14ed 100644
--- a/browser/locales/en-US/chrome/overrides/appstrings.properties
+++ b/browser/locales/en-US/chrome/overrides/appstrings.properties
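Review bot: The new test in browser_policy_block_about_config.js pins only the exact spelling `about:config`, although the handler decides on a string it rebuilds from the about-module name, so the normalization is where a block is most likely to be missed. A query or fragment suffix and a different letter case are the obvious variants, and none is exercised; a small loop over such URLs with the same `about:neterror` assertion would cover them. The in-test comment about the race should carry a bug reference and state whether the ordering problem is confined to the test harness. If the policy can be not yet in effect on a first load outside tests, the page would be reachable during that window.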
@@ -40,3 +40,4 @@ remoteXUL=This page uses an unsupported technology that is no longer available b
 ## LOCALIZATION NOTE (sslv3Used) - Do not translate "%S".
 sslv3Used=Firefox cannot guarantee the safety of your data on %S because it uses SSLv3, a broken security protocol.
 inadequateSecurityError=The website tried to negotiate an inadequate level of security.
+blockedByPolicyTemp=This page has been blocked by the enterprise policy manager.
diff --git a/browser/locales/en-US/chrome/overrides/netError.dtd b/browser/locales/en-US/chrome/overrides/netError.dtd
index fe36c2fd81dc..56e56c4df2de 100644
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@@ -200,5 +200,8 @@ certificate."> "NS_ERROR_NET_INADEQUATE_SECURITY". --> uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

"> + +Access has been disabled by your administrator.

"> +
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 64a9df1f8cf9..a76b387ce324 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -4822,6 +4822,10 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
 error = "inadequateSecurityError";
 addHostPort = true;
 break;
+ case NS_ERROR_BLOCKED_BY_POLICY:
+ // Page blocked by policy
+ error = "blockedByPolicyTemp";
+ break;
 default:
 break;
 }
@@ -7546,7 +7550,8 @@ nsDocShell::EndPageLoad(nsIWebProgress* aProgress,
 if ((aStatus == NS_ERROR_UNKNOWN_HOST ||
 aStatus == NS_ERROR_CONNECTION_REFUSED ||
 aStatus == NS_ERROR_UNKNOWN_PROXY_HOST ||
- aStatus == NS_ERROR_PROXY_CONNECTION_REFUSED) &&
+ aStatus == NS_ERROR_PROXY_CONNECTION_REFUSED ||
+ aStatus == NS_ERROR_BLOCKED_BY_POLICY) &&
 (isTopFrame || UseErrorPages())) {
 DisplayLoadError(aStatus, url, nullptr, aChannel);
 } else if (aStatus == NS_ERROR_NET_TIMEOUT ||
diff --git a/docshell/resources/content/netError.xhtml b/docshell/resources/content/netError.xhtml
index 51fd48aa429a..6c9f1d6d1683 100644
--- a/docshell/resources/content/netError.xhtml
+++ b/docshell/resources/content/netError.xhtml
@@ -178,9 +178,10 @@
 secOverride.remove();
 }
- if (err == "inadequateSecurityError") {
- // Remove the "Try again" button for HTTP/2 inadequate security as it
- // is useless.
+ if (err == "inadequateSecurityError" || err == "blockedByPolicyTemp") {
+ // Remove the "Try again" button from pages that don't need it.
+ // For HTTP/2 inadequate security or pages blocked by policy, trying
+ // again won't help.
 document.getElementById("errorTryAgain").style.display = "none";
 var container = document.getElementById("errorLongDesc");
@@ -309,6 +310,7 @@

&remoteXUL.title;

&corruptedContentErrorv2.title;

&inadequateSecurityError.title;

+

&blockedByPolicyTemp.title;

&generic.longDesc;
@@ -336,6 +338,7 @@
&remoteXUL.longDesc;
&corruptedContentErrorv2.longDesc;
&inadequateSecurityError.longDesc;
+
&blockedByPolicyTemp.longDesc;
diff --git a/dom/browser-element/BrowserElementChildPreload.js b/dom/browser-element/BrowserElementChildPreload.js
index a23bd10de796..8495c5d3ed42 100644
--- a/dom/browser-element/BrowserElementChildPreload.js
+++ b/dom/browser-element/BrowserElementChildPreload.js
@@ -1512,6 +1512,9 @@ BrowserElementChild.prototype = {
 case Cr.NS_ERROR_CORRUPTED_CONTENT :
 sendAsyncMsg('error', { type: 'corruptedContentErrorv2' });
 return;
+ case Cr.NS_ERROR_BLOCKED_BY_POLICY :
+ sendAsyncMsg('error', { type: 'blockedByPolicyTemp' });
+ return;
 default:
 // getErrorClass() will throw if the error code passed in is not a NSS
diff --git a/dom/locales/en-US/chrome/appstrings.properties b/dom/locales/en-US/chrome/appstrings.properties
index 66608c77a20e..cca36335f9b0 100644
--- a/dom/locales/en-US/chrome/appstrings.properties
+++ b/dom/locales/en-US/chrome/appstrings.properties
@@ -38,3 +38,4 @@ remoteXUL=This page uses an unsupported technology that is no longer available b
 sslv3Used=The safety of your data on %S could not be guaranteed because it uses SSLv3, a broken security protocol.
 weakCryptoUsed=The owner of %S has configured their website improperly. To protect your information from being stolen, the connection to this website has not been established.
 inadequateSecurityError=The website tried to negotiate an inadequate level of security.
+blockedByPolicyTemp=This page has been blocked by the enterprise policy manager.
diff --git a/dom/locales/en-US/chrome/netError.dtd b/dom/locales/en-US/chrome/netError.dtd
index b141af1cb6ca..08b3657f116d 100644
--- a/dom/locales/en-US/chrome/netError.dtd
+++ b/dom/locales/en-US/chrome/netError.dtd
@@ -97,3 +97,6 @@ uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

"> + + +Access has been disabled by your administrator.

">
diff --git a/netwerk/protocol/about/nsAboutProtocolHandler.cpp b/netwerk/protocol/about/nsAboutProtocolHandler.cpp
index e4116ecbe73f..00b6da701ffc 100644
--- a/netwerk/protocol/about/nsAboutProtocolHandler.cpp
+++ b/netwerk/protocol/about/nsAboutProtocolHandler.cpp
@@ -20,6 +20,7 @@
 #include "nsIWritablePropertyBag2.h"
 #include "nsIChannel.h"
 #include "nsIScriptError.h"
+#include "nsIEnterprisePolicies.h"
 namespace mozilla {
 namespace net {
@@ -175,14 +176,29 @@ nsAboutProtocolHandler::NewChannel2(nsIURI* uri,
 nsCOMPtr aboutMod;
 nsresult rv = NS_GetAboutModule(uri, getter_AddRefs(aboutMod));
+ bool aboutPageAllowed = true;
 nsAutoCString path;
 nsresult rv2 = NS_GetAboutModuleName(uri, path);
- if (NS_SUCCEEDED(rv2) && path.EqualsLiteral("srcdoc")) {
- // about:srcdoc is meant to be unresolvable, yet is included in the
- // about lookup tables so that it can pass security checks when used in
- // a srcdoc iframe. To ensure that it stays unresolvable, we pretend
- // that it doesn't exist.
- rv = NS_ERROR_FACTORY_NOT_REGISTERED;
+ if (NS_SUCCEEDED(rv2)) {
+ if (path.EqualsLiteral("srcdoc")) {
+ // about:srcdoc is meant to be unresolvable, yet is included in the
+ // about lookup tables so that it can pass security checks when used in
+ // a srcdoc iframe. To ensure that it stays unresolvable, we pretend
+ // that it doesn't exist.
+ rv = NS_ERROR_FACTORY_NOT_REGISTERED;
+ } else {
+ nsCOMPtr policyManager =
+ do_GetService("@mozilla.org/browser/enterprisepolicies;1", &rv2);
+ if (NS_SUCCEEDED(rv2)) {
+ nsAutoCString normalizedURL;
+ normalizedURL.AssignLiteral("about:");
+ normalizedURL.Append(path);
+ rv2 = policyManager->IsAllowed(normalizedURL, &aboutPageAllowed);
+ if (NS_FAILED(rv2)) {
+ aboutPageAllowed = false;
+ }
+ }
+ }
 }
 if (NS_SUCCEEDED(rv)) {
@@ -234,6 +250,9 @@ nsAboutProtocolHandler::NewChannel2(nsIURI* uri,
 aboutURI->GetBaseURI());
 }
 }
+ if (!aboutPageAllowed) {
+ (*result)->Cancel(NS_ERROR_BLOCKED_BY_POLICY);
+ }
 }
 return rv;
 }
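Review bot: The policy lookup in the `-175,14` hunk fails open without saying so: when `do_GetService("@mozilla.org/browser/enterprisepolicies;1", &rv2)` fails, `aboutPageAllowed` keeps its initial `true`, whereas a failing `IsAllowed` sets it to `false`. The same happens when `NS_GetAboutModuleName` fails, because the whole check is skipped. If allowing is intended where the service is not registered, the `if (NS_SUCCEEDED(rv2))` after the lookup should carry a comment such as `// No policy service in this build/process: nothing to enforce, so allow.` Reusing `rv2` for three unrelated calls also makes the fail-open and fail-closed paths hard to tell apart; a separate local for the service lookup would help. NewChannel2 begins and ends outside this hunk.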
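Review bot: The return value of `(*result)->Cancel(NS_ERROR_BLOCKED_BY_POLICY)` in the `-234,6` hunk is dropped, so a failed cancel hands the policy-blocked channel back as an ordinary one while NewChannel2 still returns a successful `rv`. This call is the only enforcement point visible in the patch, so it should fail closed, for example `nsresult cancelRv = (*result)->Cancel(NS_ERROR_BLOCKED_BY_POLICY);` followed by `if (NS_FAILED(cancelRv)) { NS_RELEASE(*result); return cancelRv; }`. The enclosing braces open outside this hunk, so it is worth confirming that `*result` is always non-null when this line runs.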
diff --git a/xpcom/base/ErrorList.py b/xpcom/base/ErrorList.py
index 40a301a232cd..991e5a0f82b9 100644
--- a/xpcom/base/ErrorList.py
+++ b/xpcom/base/ErrorList.py
@@ -1158,6 +1158,10 @@ with modules["GENERAL"]:
 # see nsTextEquivUtils
 errors["NS_OK_NO_NAME_CLAUSE_HANDLED"] = SUCCESS(34)
+ # Error code used to indicate that functionality has been blocked by the
+ # Policy Manager
+ errors["NS_ERROR_BLOCKED_BY_POLICY"] = FAILURE(3)
+
 # ============================================================================
 # Write out the resulting module declarations to C++ and rust files