Fix for 16858 w/o breaking directory browser. r=waterson a=beard

2000-06-01 23:57:48 +00:00 · 2000-06-01 23:57:48 +00:00 · ab8668d6b4
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@ -522,23 +522,23 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI, nsIURI *aURI,
        return NS_OK;
    }

-    enum Action { AllowProtocol, DenyProtocol };
+    enum Action { AllowProtocol, DenyProtocol, LocalProtocol, PrefAccess };
    struct { 
        const char *name;
        Action action;
    } protocolList[] = {
        { "about",           AllowProtocol },
        { "data",            AllowProtocol },
-        { "file",            DenyProtocol  },
+        { "file",            PrefAccess    },
        { "ftp",             AllowProtocol },
        { "http",            AllowProtocol },
        { "https",           AllowProtocol },
        { "keyword",         DenyProtocol  },
        { "res",             DenyProtocol  },
-        { "resource",        DenyProtocol  },
+        { "resource",        LocalProtocol },
        { "datetime",        DenyProtocol  },
        { "finger",          AllowProtocol },
-        { "chrome",          DenyProtocol  },
+        { "chrome",          LocalProtocol },
        { "javascript",      AllowProtocol },
        { "mailto",          AllowProtocol },
        { "imap",            DenyProtocol  },
@ -550,13 +550,31 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI, nsIURI *aURI,

    for (unsigned i=0; i < sizeof(protocolList)/sizeof(protocolList[0]); i++) {
        if (nsCRT::strcasecmp(scheme, protocolList[i].name) == 0) {
+            PRBool doCheck = PR_FALSE;
            switch (protocolList[i].action) {
            case AllowProtocol:
                // everyone can access these schemes.
                return NS_OK;
+            case PrefAccess:
+                // Allow access if pref is set
+                NS_ASSERTION(mPrefs,"nsScriptSecurityManager::mPrefs not initialized");
+                mIsAccessingPrefs = PR_TRUE;
+                mPrefs->GetBoolPref("security.checkloaduri", &doCheck);
+                mIsAccessingPrefs = PR_FALSE;
+                if (!doCheck)
+                    return NS_OK;
+                // Otherwise fall through to Deny.
            case DenyProtocol:
                // Deny access
                return NS_ERROR_DOM_BAD_URI;
+            case LocalProtocol:
+                // Other local protocols can access these schemes
+                for (unsigned j=0; j < sizeof(protocolList)/sizeof(protocolList[0]); j++)
+                    if (nsCRT::strcasecmp(fromScheme, protocolList[j].name) == 0)
+                        if (protocolList[j].action == LocalProtocol)
+                            return NS_OK;
+                        else
+                            return NS_ERROR_DOM_BAD_URI;
            }
        }
    }
--- a/content/html/style/src/nsCSSLoader.cpp
+++ b/content/html/style/src/nsCSSLoader.cpp
@ -1283,7 +1283,6 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
    return NS_ERROR_NOT_INITIALIZED;
  }

-#if 0  
  //-- Make sure this page is allowed to load this URL
  nsresult rv;
  NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv);
@ -1294,7 +1293,6 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
  rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE);
  NS_IF_RELEASE(docURI);
  if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
-#endif

  // XXX need to add code to cancel any pending sheets for element
  nsresult result = NS_ERROR_NULL_POINTER;
--- a/layout/html/style/src/nsCSSLoader.cpp
+++ b/layout/html/style/src/nsCSSLoader.cpp
@ -1283,7 +1283,6 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
    return NS_ERROR_NOT_INITIALIZED;
  }

-#if 0  
  //-- Make sure this page is allowed to load this URL
  nsresult rv;
  NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv);
@ -1294,7 +1293,6 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
  rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE);
  NS_IF_RELEASE(docURI);
  if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
-#endif

  // XXX need to add code to cancel any pending sheets for element
  nsresult result = NS_ERROR_NULL_POINTER;
--- a/layout/style/nsCSSLoader.cpp
+++ b/layout/style/nsCSSLoader.cpp
@ -1283,7 +1283,6 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
    return NS_ERROR_NOT_INITIALIZED;
  }

-#if 0  
  //-- Make sure this page is allowed to load this URL
  nsresult rv;
  NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv);
@ -1294,7 +1293,6 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
  rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE);
  NS_IF_RELEASE(docURI);
  if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
-#endif

  // XXX need to add code to cancel any pending sheets for element
  nsresult result = NS_ERROR_NULL_POINTER;