From a77ffe584efb242a2c7e6570026914b39e5ce8dc Mon Sep 17 00:00:00 2001 From: "florian%queze.net" Date: Fri, 8 Feb 2008 23:04:30 +0000 Subject: [PATCH] Bug 402287 - register{Protocol,Content}Handler should only be allowed from same host as handler. r=gavin, a=blocking1.9+ --- browser/app/profile/firefox.js | 3 +++ .../components/feeds/src/WebContentConverter.js | 17 +++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index 6e15cf0fddc..8611fa45c3a 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -542,6 +542,9 @@ pref("gecko.handlerService.defaultHandlersVersion", "0"); pref("gecko.handlerService.schemes.webcal.0.name", "WebCal Test Handler"); pref("gecko.handlerService.schemes.webcal.0.uriTemplate", "http://handler-test.mozilla.org/webcal?url=%s"); +// By default, we don't want protocol/content handlers to be registered from a different host, see bug 402287 +pref("gecko.handlerService.allowRegisterFromDifferentHost", false); + #ifdef MOZ_SAFE_BROWSING // Safe browsing does nothing unless both these prefs are set. pref("browser.safebrowsing.enabled", true); diff --git a/browser/components/feeds/src/WebContentConverter.js b/browser/components/feeds/src/WebContentConverter.js index fa518e1d746..641c2275585 100644 --- a/browser/components/feeds/src/WebContentConverter.js +++ b/browser/components/feeds/src/WebContentConverter.js @@ -62,6 +62,7 @@ const PREF_CONTENTHANDLERS_BRANCH = "browser.contentHandlers.types."; const PREF_SELECTED_WEB = "browser.feeds.handlers.webservice"; const PREF_SELECTED_ACTION = "browser.feeds.handler"; const PREF_SELECTED_READER = "browser.feeds.handler.default"; +const PREF_ALLOW_DIFFERENT_HOST = "gecko.handlerService.allowRegisterFromDifferentHost"; const STRING_BUNDLE_URI = "chrome://browser/locale/feeds/subscribe.properties"; 
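Review bot: The comment on the new `gecko.handlerService.allowRegisterFromDifferentHost` pref in firefox.js does not say that setting it to true switches off a security check, which is what the WebContentConverter.js hunk uses it for. I would word it as `// Security: keep false. true disables the same-host check on register{Protocol,Content}Handler (bug 402287); for tests only.` The default declared here is also never read by the new check, which only calls `getBoolPref` when `prefHasUserValue` is true. Only a user-set value has any effect, so this line serves as documentation rather than configuration.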
@@ -346,7 +347,7 @@ WebContentConverterRegistrar.prototype = { }, _checkAndGetURI: - function WCCR_checkAndGetURI(aURIString) + function WCCR_checkAndGetURI(aURIString, aContentWindow) { try { var uri = this._makeURI(aURIString); @@ -355,13 +356,21 @@ WebContentConverterRegistrar.prototype = { return; } - // For security reasons we reject non-http(s) urls (see bug Bug 354316), + // For security reasons we reject non-http(s) urls (see bug 354316), // we may need to revise this once we support more content types // XXX this should be a "security exception" according to spec, but that // isn't defined yet. if (uri.scheme != "http" && uri.scheme != "https") throw("Permission denied to add " + uri.spec + " as a content or protocol handler"); + // We also reject handlers registered from a different host (see bug 402287) + // The pref allows us to test the feature + var pb = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch); + if ((!pb.prefHasUserValue(PREF_ALLOW_DIFFERENT_HOST) || + !pb.getBoolPref(PREF_ALLOW_DIFFERENT_HOST)) && + aContentWindow.location.hostname != uri.host) + throw("Permision denied to add " + uri.spec + " as a content or protocol handler"); + // If the uri doesn't contain '%s', it won't be a good handler if (uri.spec.indexOf("%s") < 0) throw NS_ERROR_DOM_SYNTAX_ERR; @@ -413,7 +422,7 @@ WebContentConverterRegistrar.prototype = { throw("Permission denied to add " + aURIString + "as a protocol handler"); } - var uri = this._checkAndGetURI(aURIString); + var uri = this._checkAndGetURI(aURIString, aContentWindow); var buttons, message; if (this._protocolHandlerRegistered(aProtocol, uri.spec)) 
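Review bot: The same-host check added to `_checkAndGetURI` compares only `aContentWindow.location.hostname` with `uri.host`, so a page served from another port or scheme on the same host still passes. If the intent is that only the handler's own origin may register it, compare scheme and port as well, for example `aContentWindow.location.protocol != uri.scheme + ":" || aContentWindow.location.host != uri.hostPort`. The message in the added `throw` is misspelled as `"Permision denied to add "`, unlike the scheme check just above it, so a search for one rejection will miss the other; it should read `"Permission denied to add "`. `aContentWindow` is dereferenced without a guard, which looks safe for the two callers updated in this patch but is worth a line in the function's comment. The function body starts and ends outside the hunk.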
@@ -489,7 +498,7 @@ WebContentConverterRegistrar.prototype = { if (contentType != TYPE_MAYBE_FEED) return; - var uri = this._checkAndGetURI(aURIString); + var uri = this._checkAndGetURI(aURIString, aContentWindow); var browserWindow = this._getBrowserWindowForContentWindow(aContentWindow); var browserElement = this._getBrowserForContentWindow(browserWindow, aContentWindow);