bb2529b51f
Followup patch to bug 425201. Make sure to throw if xhr.open is called with an illegal uri. Also restore the nsIScriptSecurityManager.CheckConnect API as soap still uses it
2008-04-18 10:35:55 -07:00
b245f0fae8
Allow XMLHttpRequest and document.load load files from subdirectories. r/sr=dveditz
2008-04-08 17:38:12 -07:00
df31fc12aa
Finally kill off CheckSameOriginPrincipal, fix remaining callers to do the checks they really want to be doing. Fix screw-up in nsPrincipal::Equals if one principal has a cert and the other does not. Bug 418996, r=mrbkap,dveditz, sr=jst
2008-03-18 14:14:49 -07:00
6d7a04555f
Fixing bug 410851. Expose a faster way of getting the subject principal, and use that from performance critical code. r+sr=mrbkap@gmail.com
2008-01-04 15:59:12 -08:00
ebee2dc0d9
bug 394390: Don't report bogus warnings to the error console when using cross-site xmlhttprequest. Patch by Surya Ismail <suryaismail@gmail.com>, r/sr=sicking
2007-10-26 18:46:09 -07:00
2bbf042698
Make security manager API more useful from script. Make more things
...
scriptable, and add a scriptable method for testing whether a given principal
is the system principal. Bug 383783, r=dveditz, sr=jst
2007-06-18 08:12:09 -07:00
0054412272
Bug 374866. Reftests for text-transform. r=dbaron
2007-03-22 16:01:14 -07:00
d7ad434701
Followup patch to bug 425201. Make sure to throw if xhr.open is called with an illegal uri. Also restore the nsIScriptSecurityManager.CheckConnect API as soap still uses it
2008-04-18 17:35:57 +00:00
2ec9134081
Bug 425201: Allow XMLHttpRequest and document.load load files from subdirectories. r/sr=dveditz
2008-04-09 00:38:13 +00:00
e5ba2cdf44
Finally kill off CheckSameOriginPrincipal, fix remaining callers to do the
...
checks they really want to be doing. Fix screw-up in nsPrincipal::Equals if
one principal has a cert and the other does not. Bug 418996, r=mrbkap,dveditz, sr=jst
2008-03-18 21:14:50 +00:00
7b4a352e60
Fixing bug 410851. Expose a faster way of getting the subject principal, and use that from performance critical code. r+sr=mrbkap@gmail.com
2008-01-04 23:59:12 +00:00
fbb4b149f7
bug 394390: Don't report bogus warnings to the error console when using cross-site xmlhttprequest. Patch by Surya Ismail <suryaismail@gmail.com>, r/sr=sicking
2007-10-27 01:46:11 +00:00
00f9002d32
Make security manager API more useful from script. Make more things
...
scriptable, and add a scriptable method for testing whether a given principal
is the system principal. Bug 383783, r=dveditz, sr=jst
2007-06-18 15:12:09 +00:00
81cfa9db1e
Make the redirect check get principals the same way we get them elsewhere.
...
Clean up some code to use the new security manager method. Bug 354693,
r=dveditz, sr=sicking
2006-11-22 18:27:54 +00:00
5abb54c90b
Remove securityCompareURIs() from nsIScriptSecurityManager. Bug 327243, r+sr=jst
2006-11-14 22:46:45 +00:00
142a417a31
Make it possible for protocol handlers to configure how CheckLoadURI should
...
treat them via their protocol flags. Remove the protocol list we used before.
Bug 120373, r=dveditz, sr=darin
2006-11-10 23:49:08 +00:00
e2524af589
Introduce CheckLoadURIStrWithPrincipal(). Bug 348559, r=dveditz, sr=jst
2006-08-21 22:15:20 +00:00
2c5f1c1bd7
Make nsIPrincipal and some methods that use it scriptable. Bug 327242, r=jst,
...
sr=dveditz
2006-02-17 16:12:17 +00:00
f29ba2b9fb
Backing out since tree is closed.
2006-02-17 03:33:03 +00:00
2eeb07467d
Make nsIPrincipal and some methods that use it scriptable. Bug 327242, r=jst,
...
sr=dveditz
2006-02-17 03:26:03 +00:00
dc27182f65
Expose the subject name for the cert and an nsISupports pointer to the cert on
...
nsIPrincipal that represents a certificate principal. Change preference
storage to ensure matches in not only the fingerprint but also the subjectName
before applying privileges from preferences to a certificate principal. Remove
possibility for creating certificate principals without a useful identifying
name and make sure that names don't get munged by being forced to ASCII. Bug
240661, r=caillon, sr=dveditz, a=bsmedberg
2005-07-22 19:05:42 +00:00
879c58672c
Cleaner fix for bug 290036. b=290949 r=dveditz sr=darin a=asa
2005-05-12 18:20:07 +00:00
8b6abc1d30
bug 280613 : checkLoadURIStr of nsIScriptSecurityManager should accept AUTF8String istead of string (for IDN), r=dveditz, sr=darin
2005-02-02 07:17:53 +00:00
8d004584b6
Add a version of CheckLoadURI that takes a source principal instead of a source
...
URI. Update a bunch of callers to use it. Bug 233108, r=caillon, sr=dveditz
2004-04-25 16:55:27 +00:00
692411203a
Bug 236613: change to MPL/LGPL/GPL tri-license.
2004-04-17 21:52:36 +00:00
fc16739ba6
Bug 227758 make subjectPrincipalIsSystem unscriptable and checkSameOriginURI scriptable r=caillon sr=dveditz
2003-12-19 21:51:37 +00:00
de3d3fbf61
Re-land patch for bug 83536, merging principal objects.
...
Also includes fixes from bug 216041.
r=bzbarsky
sr=jst
2003-10-21 22:11:49 +00:00
08f08cbf57
Expose nsIScriptSecurityManager::SecurityCompareURIs for use by nsGlobalWindow::SetNewDocument, to avoid spurious window.open same-origin violation errors (220421, r=caillon, sr=bzbarsky).
2003-09-28 04:22:01 +00:00
c11c6acb17
Backing out the patch to bug 83536.
...
I will reland this when 1.6a re-opens.
r+sr=jst@netscape.com
a=chofmann
2003-08-22 03:06:53 +00:00
9c22160a4b
Bug 83536.
...
Merge script principal implementations into one class.
Should reduce footprint, speed up calls to caps a little bit, and fixes several memory leaks.
Also fixes bugs 211174 and 211263
r=jst@netscape.com
sr=bzbarsky@mit.edu
moa=mstoltz@netscape.com (he looked at an earlier patch and said it looked fine, and will do a retroactive review when he returns from vacation as well)
2003-07-24 05:15:20 +00:00
f438318e22
Disallowing javascript or data schemes in a redirect. r=mstoltz, sr=brendan, a=rjesup, b=195201
2003-05-29 21:56:38 +00:00
0b32036f70
Disallowing javascript or data schemes in a redirect. r=mstoltz, sr=brendan, a=rjesup, b=195201
2003-05-29 21:51:34 +00:00
291b95491f
Bug 168316 - When calling from Java into JS, add a "dummy" JS stack frame with
...
principal information for the security manager. r=dveditz, sr=jst, a=chofmann.
2002-10-30 03:15:59 +00:00
b2160d158c
Use principals instead of URIs for same-origin checks.
...
b=159348, r=bz, sr=jst, a=asa
2002-07-30 21:26:32 +00:00
76d3ee501f
133170 - Need to re-check host for security on a redirect after a call to
...
XMLHttpRequest.open(). For xmlextras, r=heikki, sr=jband. For caps,
r=bzbarsky, sr=jst
147754 - Add same-origin check to XMLSerializer. Patch by jst. r=mstoltz,
sr=jband
113351 - Add same-origin check to XSL Include. Patch by peterv and jst,
r=mstoltz, sr=rpotts
135267 - Add same-origin check to stylesheets included via LINK tags.
r=dveditz, sr=scc
2002-06-14 23:54:18 +00:00
310147212f
A bunch of fixes in caps:
...
128697 - Added a pref listener for changes to capability.policy prefs,
removed profile-change listener
131025 - Removed insecure "trusted codebase principals" feature
131340 - Make nsCodebasePrincipal::Equals handle jar URLs correctly
131342 - Clean up privilege-grant dialog code
128861 - class policy hashtables allocated only when needed; avoids
PLDHash memory-use warning
Fixed comparison of -1 and 80 ports (Can't find the bug # right now)
All r=harishd, sr=jst, a=asa.
2002-03-20 05:53:46 +00:00
5db3c92b53
Bug 127938 - chrome scripts should be exempt from the security check put in for
...
bug 105050, on access to the opener property when the opener is a mail window.
r=pavlov, sr=jst, a=leaf.
2002-02-28 00:22:59 +00:00
c9cc21b1f1
partially backing out my last change - weird dependency problem
2002-02-26 05:28:26 +00:00
7b15894b8c
32571, present confirmation dialog before allowing scripts to close windows.
...
105050, pass null window.opener when opener is a mail window.
both r=heikki, sr=jst, a=asa.
Backed out previously because of tinderbox problem, which should be fixed now.
2002-02-26 04:50:21 +00:00
dbe661a6ae
Backing out mstoltz. r=dbaron,jrgm
2002-02-19 04:06:53 +00:00
7446e86422
Bug 105050 - return null window.opener to scripts if opener is a mail window.
...
Bug 32571 - Prompt user before allowing scripts to close windows if opener is null.
both r=heikki, sr=jst.
2002-02-19 01:09:45 +00:00
13c8dad931
Bug 119646 - Rewrite of the security manager policy database for improved
...
performance. r=jst, sr=jband.
2002-02-13 04:20:46 +00:00
2cab766559
License changes, take 2. Bug 98089. mozilla/config/, mozilla/caps/, mozilla/build/.
2001-09-25 01:03:58 +00:00
2a80f3fea9
Oops.
2001-09-20 00:02:59 +00:00
63e86dc84f
bug #98089 : ripped new license
2001-09-19 20:09:47 +00:00
50f00fbc78
Bug 77485 - defining a function in another window using a targeted javascript:
...
link. Prevent running javascript: urls cross-domain and add a security check for adding
and removing properties. r=harishd, sr=jst.
2001-07-13 07:08:26 +00:00
edf3f8a6e9
Re-checking-in my fix for 47905, which was backed out last night because of a bug in some other code that was checked in along with it. This checkin was not causing the crasher and is unchanged. See earlier checkin comment - in short, this adds same-origin to XMLHttpRequest and cleans up some function calls in caps, removes some unnecessary parameters. r=vidur, sr=jst.
2001-05-19 00:33:51 +00:00
e1e5c32a99
Back out mstoltz because of blocker bug #81629 . Original bugs were 47905 79775.
2001-05-18 17:41:23 +00:00
201736a175
Bug 47905 - adding security check for XMLHttpRequest.open.
...
Added nsIScriptSecurityManager::CheckConnect for this purpose.
Also cleaned up the security check API by removing some unnecessary
parameters. r=vidur@netscape.com , sr=jst@netscape.com
Bug 79775 - Forward button broken in main mail window. Making
WindowWatcher not call GetSubjectPrincipal if the URL to be loaded is
chrome, since the calling principal is superfluous in this case.
No one has been able to find the root cause of this problem, but
this checkin works around it, which is the best we can do for now.
r=ducarroz@netscape.com , sr=jst@netscape.com
2001-05-18 06:56:29 +00:00
d0f2b845b9
Fixes for bugs 79796, 77203, and 54060. r=jband@netscape.com,
...
sr=brendan@mozilla.org
2001-05-11 00:43:27 +00:00
jonas@sicking.cc
bzbarsky@mit.edu
jst@mozilla.org
roc+@cs.cmu.edu
jonas%sicking.cc
bzbarsky%mit.edu
jst%mozilla.org
dbaron%dbaron.org
jshin%mailaps.org
gerv%gerv.net
neil%parkwaycc.co.uk
caillon%returnzero.com
brendan%mozilla.org
dougt%meer.net
mstoltz%netscape.com
sicking%bigfoot.com
mcafee%netscape.com
scc%mozilla.org
blizzard%redhat.com