Bug 412862 - Change the 'allow scripts to move or resize existing windows' pref to a whitelist. r=gavin,jst. sr=jst. ur+a=beltzner.

browser/app/profile/firefox.js

@@ -339,8 +339,6 @@ pref("dom.disable_window_open_feature.status",    true);
 // without it there isn't a really good way to prevent chrome spoofing, see bug 337344
 pref("dom.disable_window_open_feature.location",  true);
 pref("dom.disable_window_status_change",          true);
-// allow JS to move and resize existing windows
-pref("dom.disable_window_move_resize",            false);
 // prevent JS from monkeying with window focus, etc
 pref("dom.disable_window_flip",                   true);
 

browser/components/migration/src/nsOperaProfileMigrator.cpp

@@ -317,8 +317,6 @@ nsOperaProfileMigrator::PrefTransform gTransforms[] = {
   { "User Prefs", "Download Directory", _OPM(STRING), "browser.download.dir", _OPM(SetFile), PR_FALSE, -1 },
   { nsnull, "Enable Cookies", _OPM(INT), "network.cookie.cookieBehavior", _OPM(SetCookieBehavior), PR_FALSE, -1 },
   { nsnull, "Accept Cookies Session Only", _OPM(BOOL), "network.cookie.lifetimePolicy", _OPM(SetCookieLifetime), PR_FALSE, -1 },
-  { nsnull, "Allow script to resize window", _OPM(BOOL), "dom.disable_window_move_resize", _OPM(SetBool), PR_FALSE, -1 },
-  { nsnull, "Allow script to move window", _OPM(BOOL), "dom.disable_window_move_resize", _OPM(SetBool), PR_FALSE, -1 },
   { nsnull, "Allow script to raise window", _OPM(BOOL), "dom.disable_window_flip", _OPM(SetBool), PR_FALSE, -1 },
   { nsnull, "Allow script to change status", _OPM(BOOL), "dom.disable_window_status_change", _OPM(SetBool), PR_FALSE, -1 },
   { nsnull, "Ignore Unrequested Popups", _OPM(BOOL), "dom.disable_open_during_load", _OPM(SetBool), PR_FALSE, -1 },

browser/components/migration/src/nsSeamonkeyProfileMigrator.cpp

@@ -363,7 +363,6 @@ nsSeamonkeyProfileMigrator::PrefTransform gTransforms[] = {
   MAKESAMETYPEPREFTRANSFORM("security.OSCP.URL",                        String),
   MAKESAMETYPEPREFTRANSFORM("security.enable_java",                     Bool),
   MAKESAMETYPEPREFTRANSFORM("javascript.enabled",                       Bool),
-  MAKESAMETYPEPREFTRANSFORM("dom.disable_window_move_resize",           Bool),
   MAKESAMETYPEPREFTRANSFORM("dom.disable_window_flip",                  Bool),
   MAKESAMETYPEPREFTRANSFORM("dom.disable_window_open_feature.status",   Bool),
   MAKESAMETYPEPREFTRANSFORM("dom.disable_window_status_change",         Bool),

browser/components/preferences/advanced-scripts.xul

@@ -38,7 +38,12 @@
 #
 # ***** END LICENSE BLOCK *****
 
-<!DOCTYPE prefwindow SYSTEM "chrome://browser/locale/preferences/advanced-scripts.dtd">
+<!DOCTYPE overlay [
+  <!ENTITY % advancedDTD SYSTEM "chrome://browser/locale/preferences/advanced-scripts.dtd">
+  <!ENTITY % contentDTD SYSTEM "chrome://browser/locale/preferences/content.dtd">
+  %advancedDTD;
+  %contentDTD;
+]>
 
 <?xml-stylesheet href="chrome://global/skin/"?>
 
@@ -52,7 +57,6 @@
 
     <preferences>
      <preference id="dom.event.contextmenu.enabled"  name="dom.event.contextmenu.enabled"  type="bool"/>
-     <preference id="dom.disable_window_move_resize" name="dom.disable_window_move_resize" type="bool" inverted="true"/>
      <preference id="dom.disable_window_flip"        name="dom.disable_window_flip"        type="bool" inverted="true"/>
      <preference id="dom.disable_window_open_feature.status" inverted="true"
                  name="dom.disable_window_open_feature.status" type="bool"/>
@@ -66,9 +70,6 @@
 
     <description value="&allowScripts.label;"/>
 
-    <checkbox id="moveResizeWindows" label="&moveResizeWindows.label;" 
-              accesskey="&moveResizeWindows.accesskey;"
-              preference="dom.disable_window_move_resize"/>
     <checkbox id="raiseLowerWindows" label="&raiseLowerWindows.label;" 
               accesskey="&raiseLowerWindows.accesskey;"
               preference="dom.disable_window_flip"/>
@@ -81,6 +82,13 @@
     <checkbox id="changeStatusBar" label="&changeStatusBar.label;" 
               accesskey="&changeStatusBar.accesskey;"
               preference="dom.disable_window_status_change"/>
+
+    <hbox flex="1" align="center">
+      <label id="moveResizeWindows" value="&moveResizeNotAllowed.label;"/>
+      <button label="&exceptions.label;"
+              accesskey="&exceptions.accesskey;"
+              oncommand="gAdvancedJSPane.showRaiseExceptions();"/>
+    </hbox>
+
   </prefpane>
 </prefwindow>
-

browser/components/preferences/jar.mn

@@ -2,6 +2,7 @@ browser.jar:
 *   content/browser/preferences/advanced.xul
 *   content/browser/preferences/advanced.js
 *   content/browser/preferences/advanced-scripts.xul
+*   content/browser/preferences/advanced-scripts.js
 *   content/browser/preferences/applications.xul
 *   content/browser/preferences/applications.js
 *   content/browser/preferences/applicationManager.xul

browser/locales/en-US/chrome/browser/preferences/advanced-scripts.dtd

@@ -40,8 +40,7 @@
 
 <!ENTITY allowScripts.label             "Allow scripts to:">
 
-<!ENTITY moveResizeWindows.label        "Move or resize existing windows">
-<!ENTITY moveResizeWindows.accesskey    "M">
+<!ENTITY moveResizeNotAllowed.label      "Scripts may not move or resize existing windows">
 <!ENTITY raiseLowerWindows.label        "Raise or lower windows">
 <!ENTITY raiseLowerWindows.accesskey    "R">
 <!ENTITY disableContextMenus.label      "Disable or replace context menus">

browser/locales/en-US/chrome/browser/preferences/preferences.properties

@@ -21,6 +21,8 @@ imagepermissionstext=You can specify which web sites are allowed to load images.
 imagepermissionstitle=Exceptions - Images
 invalidURI=Please enter a valid hostname
 invalidURITitle=Invalid Hostname Entered
+moveresizepermissionstext=You can specify which web sites are allowed to move or resize windows. Type the exact address of the site you want to permit and then click Allow.
+moveresizepermissionstitle=Exceptions - Moving or Resizing Windows
 
 #### Master Password
 

dom/src/base/nsGlobalWindow.cpp

@@ -193,6 +193,8 @@
 // belonging to the back-end like nsIContentPolicy
 #include "nsIPopupWindowManager.h"
 
+#include "nsIPermissionManager.h"
+
 #ifdef MOZ_LOGGING
 // so we can get logging even in release builds
 #define FORCE_PR_LOG 1
@@ -2980,11 +2982,11 @@ nsGlobalWindow::SetInnerWidth(PRInt32 aInnerWidth)
   NS_ENSURE_STATE(mDocShell);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent setting window.innerWidth by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 
@@ -3053,11 +3055,11 @@ nsGlobalWindow::SetInnerHeight(PRInt32 aInnerHeight)
   NS_ENSURE_STATE(mDocShell);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent setting window.innerHeight by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 
@@ -3117,11 +3119,11 @@ nsGlobalWindow::SetOuterWidth(PRInt32 aOuterWidth)
   FORWARD_TO_OUTER(SetOuterWidth, (aOuterWidth), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent setting window.outerWidth by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize")) {
+  if (!CanMoveResizeWindows()) {
     return NS_OK;
   }
 
@@ -3169,11 +3171,11 @@ nsGlobalWindow::SetOuterHeight(PRInt32 aOuterHeight)
   FORWARD_TO_OUTER(SetOuterHeight, (aOuterHeight), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent setting window.outerHeight by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize")) {
+  if (!CanMoveResizeWindows()) {
     return NS_OK;
   }
 
@@ -3216,11 +3218,11 @@ nsGlobalWindow::SetScreenX(PRInt32 aScreenX)
   FORWARD_TO_OUTER(SetScreenX, (aScreenX), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent setting window.screenX by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize")) {
+  if (!CanMoveResizeWindows()) {
     return NS_OK;
   }
 
@@ -3264,11 +3266,11 @@ nsGlobalWindow::SetScreenY(PRInt32 aScreenY)
   FORWARD_TO_OUTER(SetScreenY, (aScreenY), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent setting window.screenY by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize")) {
+  if (!CanMoveResizeWindows()) {
     return NS_OK;
   }
 
@@ -3841,6 +3843,42 @@ nsGlobalWindow::MakeScriptDialogTitle(nsAString &aOutTitle)
   }
 }
 
+// static
+PRBool
+nsGlobalWindow::CanMoveResizeWindows()
+{
+  // Chrome can do anything it wants.
+  if (nsContentUtils::IsCallerTrustedForWrite())
+    return PR_TRUE;
+
+  nsCOMPtr<nsIPrincipal> principal;
+  nsresult rv = nsContentUtils::GetSecurityManager()->
+    GetSubjectPrincipal(getter_AddRefs(principal));
+  NS_ENSURE_SUCCESS(rv, PR_FALSE);
+
+  // We can't do anything without a principal past this point, just say no.
+  if (!principal)
+    return PR_FALSE;
+
+  nsCOMPtr<nsIURI> uri;
+  rv = principal->GetURI(getter_AddRefs(uri));
+  NS_ENSURE_SUCCESS(rv, PR_FALSE);
+
+  // Can't do anything without a URI...
+  if (!uri)
+    return PR_FALSE;
+
+  nsCOMPtr<nsIPermissionManager> pm =
+    do_GetService(NS_PERMISSIONMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, PR_FALSE);
+  
+  PRUint32 testResult;
+  rv = pm->TestPermission(uri, "moveresize", &testResult);
+  NS_ENSURE_SUCCESS(rv, PR_FALSE);
+  
+  return testResult == nsIPermissionManager::ALLOW_ACTION;
+}
+
 NS_IMETHODIMP
 nsGlobalWindow::Alert(const nsAString& aString)
 {
@@ -4277,11 +4315,11 @@ nsGlobalWindow::MoveTo(PRInt32 aXPos, PRInt32 aYPos)
   FORWARD_TO_OUTER(MoveTo, (aXPos, aYPos), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent window.moveTo() by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 
@@ -4304,11 +4342,11 @@ nsGlobalWindow::MoveBy(PRInt32 aXDif, PRInt32 aYDif)
   FORWARD_TO_OUTER(MoveBy, (aXDif, aYDif), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent window.moveBy() by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 
@@ -4335,11 +4373,11 @@ nsGlobalWindow::ResizeTo(PRInt32 aWidth, PRInt32 aHeight)
   FORWARD_TO_OUTER(ResizeTo, (aWidth, aHeight), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent window.resizeTo() by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 
@@ -4362,11 +4400,11 @@ nsGlobalWindow::ResizeBy(PRInt32 aWidthDif, PRInt32 aHeightDif)
   FORWARD_TO_OUTER(ResizeBy, (aWidthDif, aHeightDif), NS_ERROR_NOT_INITIALIZED);
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
+   * If caller is not chrome and the user has not explicitly exempted the site,
    * prevent window.resizeBy() by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 
@@ -4398,11 +4436,11 @@ nsGlobalWindow::SizeToContent()
   }
 
   /*
-   * If caller is not chrome and dom.disable_window_move_resize is true,
-   * block window.SizeToContent() by exiting
+   * If caller is not chrome and the user has not explicitly exempted the site,
+   * prevent window.sizeToContent() by exiting early
    */
 
-  if (!CanSetProperty("dom.disable_window_move_resize") || IsFrame()) {
+  if (!CanMoveResizeWindows() || IsFrame()) {
     return NS_OK;
   }
 

dom/src/base/nsGlobalWindow.h

@@ -561,6 +561,8 @@ protected:
 
   static void MakeScriptDialogTitle(nsAString &aOutTitle);
 
+  static PRBool CanMoveResizeWindows();
+
   // Helper for window.find()
   nsresult FindInternal(const nsAString& aStr, PRBool caseSensitive,
                        PRBool backwards, PRBool wrapAround, PRBool wholeWord, 

modules/libpref/src/init/all.js

@@ -441,7 +441,6 @@ pref("capability.policy.default.Clipboard.paste", "noAccess");
 // Scripts & Windows prefs
 pref("dom.disable_image_src_set",           false);
 pref("dom.disable_window_flip",             false);
-pref("dom.disable_window_move_resize",      false);
 pref("dom.disable_window_status_change",    false);
 
 pref("dom.disable_window_open_feature.titlebar",    false);