Bug 337344: inform users using a notification bar when sites hide chrome on popups, patch by Johnathan Nightingale <johnath@mozilla.com>, r=mconnor

2007-06-06 20:17:26 +00:00 · 2007-06-06 20:17:26 +00:00 · e7cf51675a
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -549,3 +549,6 @@ pref("accessibility.blockautorefresh", false);

 // import bookmarks.html into Places bookmarks
 pref("browser.places.importBookmarksHTML", true);
+
+// Show infobar on chromeless windows
+pref("browser.warn_chromeless_window.infobar", true);
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -40,6 +40,7 @@
 #   Pamela Greene <pamg.bugs@gmail.com>
 #   Michael Ventnor <m.ventnor@gmail.com>
 #   Simon Bünzli <zeniko@gmail.com>
+#   Johnathan Nightingale <johnath@mozilla.com>
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
@ -1163,6 +1164,10 @@ function delayedStartup()

  // bookmark-all-tabs command
  gBookmarkAllTabsHandler = new BookmarkAllTabsHandler();
+  
+  // Prevent chrome-spoofing popups from forging our chrome, by adding a
+  // notification box entry in cases of chromeless popups.
+  checkForChromelessWindow();
 }

 function BrowserShutdown()
@ -5912,3 +5917,84 @@ BookmarkAllTabsHandler.prototype = {
    this._updateCommandState(aEvent.type == "TabClose");
  }
 };
+
+
+/**
+ * Check the chromehidden attribute to see if the toolbar is hidden.  If so,
+ * and if they haven't disabled the security.warn_chromeless_window.infobar
+ * pref, show an infobar notification informing them of what's going on.  This
+ * helps fight chrome spoofing on popups.  See bug 337344
+ */
+function checkForChromelessWindow() {
+
+  var prefs = Components.classes["@mozilla.org/preferences-service;1"]
+                        .getService(Components.interfaces.nsIPrefBranch);
+  
+  // true by default
+  if (!prefs.getBoolPref("browser.warn_chromeless_window.infobar"))
+    return;
+
+  if (document.documentElement.getAttribute("chromehidden").indexOf("toolbar") != -1 ||
+      document.documentElement.getAttribute("chromehidden").indexOf("location") != -1) {
+    
+    var bundle_browser = document.getElementById("bundle_browser");
+    
+    // It's possible that something in the window.content.opener.location.path
+    // chain might be null.  Rather than chaining a ton of 99% pass null checks,
+    // though, let's try/catch in order to fail gracefully
+    try {
+      var messageString = bundle_browser.getFormattedString("chromelessWindow.warningMessage",
+                                                            [window.content.opener.location.host]);
+    } catch (ex) {
+        
+      // An exception here is not worth breaking our security warning, but is worth
+      // logging, since it shouldn't happen.
+      Components.utils.reportError(ex);
+      messageString = bundle_browser.getString("chromelessWindow.warningNoLocation");
+      
+    }
+
+    var notificationBox = gBrowser.getNotificationBox();
+    var notificationName = "chromeless-info";
+    if (notificationBox.getNotificationWithValue(notificationName)) {
+      Components.utils.reportError("Already have a chromeless-info notification!")
+      return;
+    }
+    
+    var buttons = [{
+      label: bundle_browser.getString("chromelessWindow.showToolbarsButton"),
+      accessKey: bundle_browser.getString("chromelessWindow.accessKey"),
+      popup: null,
+      callback: function() { return showToolbars(); }
+    }];
+
+    notificationBox.appendNotification(messageString,
+                                       notificationName,
+                                       "chrome://browser/skin/Info.png",
+                                       notificationBox.PRIORITY_INFO_HIGH,
+                                       buttons);
+  }
+}
+
+/**
+ * Callback for "Show Toolbars" button in chromeless window notification box.
+ * Resets visibility of the go button stack and url bar, and wipes the
+ * chromehidden document attribute.
+ */
+function showToolbars() {
+
+  // Unhide the chrome elements
+  document.documentElement.removeAttribute("chromehidden");
+  
+  // Undo the URLBar tweaks performed when the url bar was chromehidden
+  if (gURLBar) {
+    gURLBar.removeAttribute("readonly");
+    gURLBar.setAttribute("enablehistory", "true");
+  }
+  
+  var goButtonStack = document.getElementById("go-button-stack");
+  if (goButtonStack)
+    goButtonStack.removeAttribute("hidden");
+  
+  return false; // Dismiss the notification message
+}
--- a/browser/locales/en-US/chrome/browser/browser.properties
+++ b/browser/locales/en-US/chrome/browser/browser.properties
@ -91,3 +91,9 @@ refreshBlocked.goButton=Allow
 refreshBlocked.goButton.accesskey=A
 refreshBlocked.refreshLabel=%S prevented this page from automatically reloading.
 refreshBlocked.redirectLabel=%S prevented this page from automatically redirecting to another page.
+
+# Chromeless popup handling
+chromelessWindow.warningMessage=The web site at %S has hidden your toolbars.
+chromelessWindow.warningNoLocation=This web site has hidden your toolbars.
+chromelessWindow.showToolbarsButton=Show Toolbars
+chromelessWindow.accessKey=S