зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1498526 - add in user pref to prevent loading implied triggeringPrincipal loads for dev and nightly builds. r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D8546 --HG-- extra : moz-landing-system : lando
This commit is contained in:
Родитель
d01569b0be
Коммит
63ff18762d
|
@ -358,6 +358,7 @@ nsDocShell::nsDocShell()
|
||||||
, mAllowContentRetargeting(true)
|
, mAllowContentRetargeting(true)
|
||||||
, mAllowContentRetargetingOnChildren(true)
|
, mAllowContentRetargetingOnChildren(true)
|
||||||
, mUseErrorPages(false)
|
, mUseErrorPages(false)
|
||||||
|
, mUseStrictSecurityChecks(false)
|
||||||
, mObserveErrorPages(true)
|
, mObserveErrorPages(true)
|
||||||
, mCSSErrorReportingEnabled(false)
|
, mCSSErrorReportingEnabled(false)
|
||||||
, mAllowAuth(true)
|
, mAllowAuth(true)
|
||||||
|
@ -4162,6 +4163,9 @@ nsDocShell::LoadURIWithOptions(const nsAString& aURI,
|
||||||
MOZ_ASSERT(aTriggeringPrincipal, "LoadURIWithOptions: Need a valid triggeringPrincipal");
|
MOZ_ASSERT(aTriggeringPrincipal, "LoadURIWithOptions: Need a valid triggeringPrincipal");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
rv = NS_NewURI(getter_AddRefs(uri), uriString);
|
rv = NS_NewURI(getter_AddRefs(uri), uriString);
|
||||||
if (uri) {
|
if (uri) {
|
||||||
|
@ -4919,6 +4923,9 @@ nsDocShell::Reload(uint32_t aReloadFlags)
|
||||||
}
|
}
|
||||||
|
|
||||||
MOZ_ASSERT(triggeringPrincipal, "Need a valid triggeringPrincipal");
|
MOZ_ASSERT(triggeringPrincipal, "Need a valid triggeringPrincipal");
|
||||||
|
if (mUseStrictSecurityChecks && !triggeringPrincipal) {
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
// Stack variables to ensure changes to the member variables don't affect to
|
// Stack variables to ensure changes to the member variables don't affect to
|
||||||
// the call.
|
// the call.
|
||||||
|
@ -5189,6 +5196,9 @@ nsDocShell::Create()
|
||||||
Preferences::GetBool("browser.frame.validate_origin", true);
|
Preferences::GetBool("browser.frame.validate_origin", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mUseStrictSecurityChecks = Preferences::GetBool("security.strict_security_checks.enabled",
|
||||||
|
mUseStrictSecurityChecks);
|
||||||
|
|
||||||
// Should we use XUL error pages instead of alerts if possible?
|
// Should we use XUL error pages instead of alerts if possible?
|
||||||
mUseErrorPages =
|
mUseErrorPages =
|
||||||
Preferences::GetBool("browser.xul.error_pages.enabled", mUseErrorPages);
|
Preferences::GetBool("browser.xul.error_pages.enabled", mUseErrorPages);
|
||||||
|
@ -10382,6 +10392,10 @@ nsDocShell::DoURILoad(nsIURI* aURI,
|
||||||
// the triggeringPrincipal for TYPE_DOCUMENT loads.
|
// the triggeringPrincipal for TYPE_DOCUMENT loads.
|
||||||
MOZ_ASSERT(aTriggeringPrincipal, "Need a valid triggeringPrincipal");
|
MOZ_ASSERT(aTriggeringPrincipal, "Need a valid triggeringPrincipal");
|
||||||
|
|
||||||
|
if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
bool isSandBoxed = mSandboxFlags & SANDBOXED_ORIGIN;
|
bool isSandBoxed = mSandboxFlags & SANDBOXED_ORIGIN;
|
||||||
|
|
||||||
// We want to inherit aPrincipalToInherit when:
|
// We want to inherit aPrincipalToInherit when:
|
||||||
|
@ -13214,6 +13228,9 @@ nsDocShell::OnLinkClickSync(nsIContent* aContent,
|
||||||
bool aIsUserTriggered,
|
bool aIsUserTriggered,
|
||||||
nsIPrincipal* aTriggeringPrincipal)
|
nsIPrincipal* aTriggeringPrincipal)
|
||||||
{
|
{
|
||||||
|
if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
// Initialize the DocShell / Request
|
// Initialize the DocShell / Request
|
||||||
if (aDocShell) {
|
if (aDocShell) {
|
||||||
*aDocShell = nullptr;
|
*aDocShell = nullptr;
|
||||||
|
|
|
@ -1138,6 +1138,7 @@ private: // data members
|
||||||
bool mAllowContentRetargeting : 1;
|
bool mAllowContentRetargeting : 1;
|
||||||
bool mAllowContentRetargetingOnChildren : 1;
|
bool mAllowContentRetargetingOnChildren : 1;
|
||||||
bool mUseErrorPages : 1;
|
bool mUseErrorPages : 1;
|
||||||
|
bool mUseStrictSecurityChecks : 1;
|
||||||
bool mObserveErrorPages : 1;
|
bool mObserveErrorPages : 1;
|
||||||
bool mCSSErrorReportingEnabled : 1;
|
bool mCSSErrorReportingEnabled : 1;
|
||||||
bool mAllowAuth : 1;
|
bool mAllowAuth : 1;
|
||||||
|
|
|
@ -2663,6 +2663,14 @@ pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
|
||||||
// their protocol with the inner URI of the view-source URI
|
// their protocol with the inner URI of the view-source URI
|
||||||
pref("security.view-source.reachable-from-inner-protocol", false);
|
pref("security.view-source.reachable-from-inner-protocol", false);
|
||||||
|
|
||||||
|
// If set to true strict checks will happen on the triggering principal for loads.
|
||||||
|
// Android is disabled at the moment pending Bug 1504968
|
||||||
|
#if !defined(RELEASE_OR_BETA) && !defined(ANDROID)
|
||||||
|
pref("security.strict_security_checks.enabled", true);
|
||||||
|
#else
|
||||||
|
pref("security.strict_security_checks.enabled", false);
|
||||||
|
#endif
|
||||||
|
|
||||||
// Remote settings preferences
|
// Remote settings preferences
|
||||||
pref("services.settings.poll_interval", 86400); // 24H
|
pref("services.settings.poll_interval", 86400); // 24H
|
||||||
pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
|
pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
|
||||||
|
|
Загрузка…
Ссылка в новой задаче