Bug 383252: Cannot drag / drop URL or link onto tabbar, r=mconnor

When SeaMonkey switched to toolkit's nsDragAndDrop.js, it lost the dragDropSecurityCheck method, which for SM was on nsDragAndDrop, but for FF was on tabbrowser. Moving that method from tabbrowser to toolkit's nsDragAndDrop.js, and cleaning it up a little.
2007-07-26 06:40:27 +00:00 · 2007-07-26 06:40:27 +00:00 · eda120e901
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -2172,7 +2172,7 @@ var urlbarObserver = {
      // The URL bar automatically handles inputs with newline characters,
      // so we can get away with treating text/x-moz-url flavours as text/unicode.
      if (url) {
-        getBrowser().dragDropSecurityCheck(aEvent, aDragSession, url);
+        nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);

        try {
          gURLBar.value = url;
@ -2517,7 +2517,7 @@ var newTabButtonObserver = {
      var postData = {};
      var url = getShortcutOrURI(draggedText, postData);
      if (url) {
-        getBrowser().dragDropSecurityCheck(aEvent, aDragSession, url);
+        nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);
        // allow third-party services to fixup this URL
        openNewTabWith(url, null, postData.value, aEvent, true);
      }
@ -2553,7 +2553,7 @@ var newWindowButtonObserver = {
      var postData = {};
      var url = getShortcutOrURI(draggedText, postData);
      if (url) {
-        getBrowser().dragDropSecurityCheck(aEvent, aDragSession, url);
+        nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);
        // allow third-party services to fixup this URL
        openNewWindowWith(url, null, postData.value, true);
      }
@ -2589,7 +2589,7 @@ var goButtonObserver = {
      var postData = {};
      var url = getShortcutOrURI(draggedText, postData);
      try {
-        getBrowser().dragDropSecurityCheck(aEvent, aDragSession, url);
+        nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);
        urlSecurityCheck(url,
                         gBrowser.contentPrincipal,
                         Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
@ -2628,7 +2628,7 @@ var DownloadsButtonDNDObserver = {
    var split = aXferData.data.split("\n");
    var url = split[0];
    if (url != aXferData.data) {  //do nothing, not a valid URL
-      getBrowser().dragDropSecurityCheck(aEvent, aDragSession, url);
+      nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);

      var name = split[1];
      saveURL(url, name, null, true, true);
@ -4335,7 +4335,7 @@ var contentAreaDNDObserver = {
          /^\s*(javascript|data):/.test(url))
        return;

-      getBrowser().dragDropSecurityCheck(aEvent, aDragSession, url);
+      nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);

      switch (document.documentElement.getAttribute('windowtype')) {
        case "navigator:browser":
--- a/toolkit/content/nsDragAndDrop.js
+++ b/toolkit/content/nsDragAndDrop.js
@ -587,6 +587,63 @@ var nsDragAndDrop = {
      if ("canDrop" in aDragDropObserver)
        this.mDragSession.canDrop &= aDragDropObserver.canDrop(aEvent, this.mDragSession);
      return true;
-    } 
+    },
+
+  /**
+   * Do a security check for drag n' drop. Make sure the source document
+   * can load the dragged link.
+   *
+   * @param DOMEvent aEvent
+   *        the DOM event fired by leaving the element
+   * @param Object aDragDropObserver
+   *        javascript object of format described above that specifies
+   *        the way in which the element responds to drag events.
+   * @param String aDraggedText
+   *        the text being dragged
+   **/
+  dragDropSecurityCheck: function (aEvent, aDragSession, aDraggedText)
+    {
+      var sourceDoc = aDragSession.sourceDocument;
+      if (!sourceDoc)
+        return;
+
+      // Strip leading and trailing whitespace, then try to create a
+      // URI from the dropped string. If that succeeds, we're
+      // dropping a URI and we need to do a security check to make
+      // sure the source document can load the dropped URI. We don't
+      // so much care about creating the real URI here
+      // (i.e. encoding differences etc don't matter), we just want
+      // to know if aDraggedText really is a URI.
+
+      aDraggedText = aDraggedText.replace(/^\s*|\s*$/g, '');
+
+      var uri;
+
+      try {
+        uri = Components.classes["@mozilla.org/network/io-service;1"]
+                        .getService(Components.interfaces.nsIIOService)
+                        .newURI(aDraggedText, null, null);
+      } catch (e) {
+      }
+
+      if (!uri)
+        return;
+
+      // aDraggedText is a URI, do the security check.
+      const nsIScriptSecurityManager = Components.interfaces
+                                                 .nsIScriptSecurityManager;
+      var secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                             .getService(nsIScriptSecurityManager);
+
+      try {
+        secMan.checkLoadURIStr(sourceDoc.documentURI, aDraggedText,
+                               nsIScriptSecurityManager.STANDARD);
+      } catch (e) {
+        // Stop event propagation right here.
+        aEvent.stopPropagation();
+
+        throw "Drop of " + aDraggedText + " denied.";
+      }
+    }
 };

--- a/toolkit/content/widgets/tabbrowser.xml
+++ b/toolkit/content/widgets/tabbrowser.xml
@ -1912,7 +1912,7 @@
                  /^\s*(javascript|data):/.test(url))
                return;

-              this.dragDropSecurityCheck(aEvent, aDragSession, url);
+              nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, url);

              var bgLoad = true;
              try {
@ -2310,51 +2310,7 @@
        <parameter name="aUri"/>
        <body>
          <![CDATA[
-            // Do a security check for drag n' drop. Make sure the
-            // source document can load the dragged link.
-            var sourceDoc = aDragSession.sourceDocument;
-
-            if (sourceDoc) {
-              // Strip leading and trailing whitespace, then try to
-              // create a URI from the dropped string. If that
-              // succeeds, we're dropping a URI and we need to do a
-              // security check to make sure the source document can
-              // load the dropped URI. We don't so much care about
-              // creating the real URI here (i.e. encoding differences
-              // etc don't matter), we just want to know if aUri
-              // really is a URI.
-
-              var uriStr = aUri.replace(/^\s*|\s*$/g, '');
-              var uri = null;
-
-              try {
-                uri = Components.classes["@mozilla.org/network/io-service;1"]
-                  .getService(Components.interfaces.nsIIOService)
-                  .newURI(uriStr, null, null);
-              } catch (e) {
-              }
-
-              if (uri) {
-                // aUri is a URI, do the security check.
-                var sourceURI = sourceDoc.documentURI;
-
-                const nsIScriptSecurityManager =
-                  Components.interfaces.nsIScriptSecurityManager;
-                var secMan =
-                  Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                  .getService(nsIScriptSecurityManager);
-
-                try {
-                  secMan.checkLoadURIStr(sourceURI, uriStr,
-                                         nsIScriptSecurityManager.STANDARD);
-                } catch (e) {
-                  // Stop event propagation right here.
-                  aEvent.stopPropagation();
-
-                  throw "Drop of " + aUri + " denied.";
-                }
-              }
-            }
+            nsDragAndDrop.dragDropSecurityCheck(aEvent, aDragSession, aUri);
          ]]>
        </body>
      </method>