291b95491f
Bug 168316 - When calling from Java into JS, add a "dummy" JS stack frame with
...
principal information for the security manager. r=dveditz, sr=jst, a=chofmann.
2002-10-30 03:15:59 +00:00
8ae6c40f5d
Removing old nmake build makefiles. Bug #158528 r=pavlov
2002-08-10 07:55:43 +00:00
b2160d158c
Use principals instead of URIs for same-origin checks.
...
b=159348, r=bz, sr=jst, a=asa
2002-07-30 21:26:32 +00:00
5bd0d2e2f1
Bug 154930 - If one page has explicitly set document.domain and another has not,
...
do not consider them to be of the same origin for security checks. r=dveditz, sr=jst
2002-07-09 00:10:02 +00:00
c55abc30d5
Bug 152725 - Get URL passed to cookie module from document principal, not document URL.
...
THis ensures that cookies set by javascript URL pages are set in the correct domain.
r=morse, sr=dveditz.
2002-07-02 17:58:24 +00:00
76d3ee501f
133170 - Need to re-check host for security on a redirect after a call to
...
XMLHttpRequest.open(). For xmlextras, r=heikki, sr=jband. For caps,
r=bzbarsky, sr=jst
147754 - Add same-origin check to XMLSerializer. Patch by jst. r=mstoltz,
sr=jband
113351 - Add same-origin check to XSL Include. Patch by peterv and jst,
r=mstoltz, sr=rpotts
135267 - Add same-origin check to stylesheets included via LINK tags.
r=dveditz, sr=scc
2002-06-14 23:54:18 +00:00
310147212f
A bunch of fixes in caps:
...
128697 - Added a pref listener for changes to capability.policy prefs,
removed profile-change listener
131025 - Removed insecure "trusted codebase principals" feature
131340 - Make nsCodebasePrincipal::Equals handle jar URLs correctly
131342 - Clean up privilege-grant dialog code
128861 - class policy hashtables allocated only when needed; avoids
PLDHash memory-use warning
Fixed comparison of -1 and 80 ports (Can't find the bug # right now)
All r=harishd, sr=jst, a=asa.
2002-03-20 05:53:46 +00:00
5db3c92b53
Bug 127938 - chrome scripts should be exempt from the security check put in for
...
bug 105050, on access to the opener property when the opener is a mail window.
r=pavlov, sr=jst, a=leaf.
2002-02-28 00:22:59 +00:00
c9cc21b1f1
partially backing out my last change - weird dependency problem
2002-02-26 05:28:26 +00:00
7b15894b8c
32571, present confirmation dialog before allowing scripts to close windows.
...
105050, pass null window.opener when opener is a mail window.
both r=heikki, sr=jst, a=asa.
Backed out previously because of tinderbox problem, which should be fixed now.
2002-02-26 04:50:21 +00:00
dbe661a6ae
Backing out mstoltz. r=dbaron,jrgm
2002-02-19 04:06:53 +00:00
7446e86422
Bug 105050 - return null window.opener to scripts if opener is a mail window.
...
Bug 32571 - Prompt user before allowing scripts to close windows if opener is null.
both r=heikki, sr=jst.
2002-02-19 01:09:45 +00:00
13c8dad931
Bug 119646 - Rewrite of the security manager policy database for improved
...
performance. r=jst, sr=jband.
2002-02-13 04:20:46 +00:00
2cab766559
License changes, take 2. Bug 98089. mozilla/config/, mozilla/caps/, mozilla/build/.
2001-09-25 01:03:58 +00:00
2a80f3fea9
Oops.
2001-09-20 00:02:59 +00:00
63e86dc84f
bug #98089 : ripped new license
2001-09-19 20:09:47 +00:00
8c7c819206
FASTLOAD_20010703_BRANCH landing, r=dbaron, sr=shaver.
2001-07-31 19:05:34 +00:00
50f00fbc78
Bug 77485 - defining a function in another window using a targeted javascript:
...
link. Prevent running javascript: urls cross-domain and add a security check for adding
and removing properties. r=harishd, sr=jst.
2001-07-13 07:08:26 +00:00
a86397a93a
PCKS7 implementation for signed JS. Bug# 82227 r=mstoltz@netscape.com,sr=blizzard@mozilla.org,a=blizzard@mozilla.org
2001-05-23 22:06:43 +00:00
edf3f8a6e9
Re-checking-in my fix for 47905, which was backed out last night because of a bug in some other code that was checked in along with it. This checkin was not causing the crasher and is unchanged. See earlier checkin comment - in short, this adds same-origin to XMLHttpRequest and cleans up some function calls in caps, removes some unnecessary parameters. r=vidur, sr=jst.
2001-05-19 00:33:51 +00:00
e1e5c32a99
Back out mstoltz because of blocker bug #81629 . Original bugs were 47905 79775.
2001-05-18 17:41:23 +00:00
201736a175
Bug 47905 - adding security check for XMLHttpRequest.open.
...
Added nsIScriptSecurityManager::CheckConnect for this purpose.
Also cleaned up the security check API by removing some unnecessary
parameters. r=vidur@netscape.com , sr=jst@netscape.com
Bug 79775 - Forward button broken in main mail window. Making
WindowWatcher not call GetSubjectPrincipal if the URL to be loaded is
chrome, since the calling principal is superfluous in this case.
No one has been able to find the root cause of this problem, but
this checkin works around it, which is the best we can do for now.
r=ducarroz@netscape.com , sr=jst@netscape.com
2001-05-18 06:56:29 +00:00
d0f2b845b9
Fixes for bugs 79796, 77203, and 54060. r=jband@netscape.com,
...
sr=brendan@mozilla.org
2001-05-11 00:43:27 +00:00
adf1d8320a
Landing the XPCDOM_20010329_BRANCH branch, changes mostly done by jband@netscape.com and jst@netscape.com, also some changes done by shaver@mozilla.org, peterv@netscape.com and markh@activestate.com. r= and sr= by vidur@netscape.com, jband@netscape.com, jst@netscpae.com, danm@netscape.com, hyatt@netscape.com, shaver@mozilla.org, dbradley@netscape.com, rpotts@netscape.com.
2001-05-08 16:46:42 +00:00
c302defdcd
More fixes for 55237, cleaned up CheckLoadURI and added a check on "Edit This Link." Also added error reporting (bug 40538).
...
r=beard, sr=hyatt
2001-04-17 01:21:44 +00:00
b26a1f0451
Bugs 55069, 70951 - JS-blocking APIs for mailnews and embedding. r=mscott, sr=attinasi.
...
Bug 54237 - fix for event-capture bug, r=heikki, sr=jband.
2001-03-23 04:22:56 +00:00
6672d1a27a
bug 47905, adding security check to XMLHttpRequest.open(). r=heikki, sr=brendan
2001-03-02 00:09:20 +00:00
d1ff4c4a38
Bug 66369, adding support for per-file permissions granting to caps. r=jst, sr=jband.
2001-01-27 01:42:20 +00:00
3161a54c16
Fixing bugscape 3109, LiveConnect exploit. sr=jband, brendan.
...
Fixing 58021, exploit in "open in new window," bug 55237. sr=brendan
2000-11-07 01:14:08 +00:00
99a2b79580
Fixing 56009, exploit allowing XPConnect access. r,a=hyatt, sr=scc
2000-10-13 22:59:47 +00:00
6cc70ebd6c
Bug 37275, Changing value of all progids, and changing everywhere a progid
...
is mentioned to mention a contractid, including in identifiers.
r=warren
2000-09-13 23:57:52 +00:00
88846ce93b
Fixing 41876 r=hyatt, also 48724, 49768, and crasher in nsBasePrincipal.cpp, r=jtaylor
2000-08-22 02:06:52 +00:00
02b25f73f7
fix bug 47410. Allow JS components to implement nsISecurityCheckedComponent and have sidebar componnet implement it to allow access from untrusted scripts. a=brendan@mozilla.org a=johng@netscape.com
2000-08-08 23:59:32 +00:00
b22731f07d
Checking in for mccabe, since he had to leave town. Partial fix for bug 41429. Adding a new interface that components can implement to control the capabilities needed for XPConnect access to them - default is UniversalXPConnect. r=vidur
2000-06-23 14:32:38 +00:00
ac67aba0ee
Part of fix for 38117, prevent scripts from running event handlers on windows from other domains. r:mstoltz
2000-06-21 00:21:50 +00:00
958ed96edd
Renaming nsIAllocator to nsIMemory (and nsAllocator to nsMemory). API cleanup/freeze. Bug #18433
2000-06-03 09:46:12 +00:00
3ec39eeed8
Removing archive attribute from nsCertificatePrincipal. This will not be used.
2000-05-16 22:37:38 +00:00
ecc9b44676
Fixes for 32878, 37739. Added PR_CALLBACK macros. Changed security.principal pref syntax to a nicer syntax. Removed "security.checkxpconnect" hack.
2000-05-16 03:40:51 +00:00
0f88b44d07
Removed dependency of libjar on psm-glue, bug 36853. Fixed out parameter type problem in PSMComponent::HashEnd
2000-05-10 01:49:33 +00:00
2483630a16
Added archive attribute to nsICertificatePrincipal...part of fix for 37481.
2000-05-01 23:39:51 +00:00
4794c651b5
Fixes for 27010, 32878, and 32948.
2000-04-26 03:50:07 +00:00
200b920525
Backing out changes until I can figure out why it's crashing on startup.
2000-04-23 21:25:39 +00:00
9ac7780368
Fixes for bugs 27010, 32878, 32948.
2000-04-23 20:30:29 +00:00
a3caa18f07
Fix
...
28390, 28866, 34364
r=brendan@mozilla.org
35701
r=jst@netscape.com
2000-04-14 03:14:53 +00:00
72ad6e26bf
Fixed bug 30915 using nsAggregatePrincipal. r=norris
2000-03-31 00:31:18 +00:00
c19429e137
Adding nsAggregatePrincipal support. r=norris
2000-03-21 04:05:35 +00:00
b06e55722c
Files:
...
caps/idl/nsICertificatePrincipal.idl
caps/idl/nsIPrincipal.idl
caps/src/nsBasePrincipal.cpp
Implement the ability to manipulate multiple capabilties simultaneously.
r=mstoltz@netscape.com
Files:
caps/src/nsCodebasePrincipal.cpp
Codebase equality should be based upon origin, not full path.
r=mstoltz@netscape.com
Files:
caps/src/nsScriptSecurityManager.cpp
Change URI checking to deny based upon scheme rather than allow based upon
scheme for greater flexibility.
r=mstoltz@netscape.com
Files:
dom/public/nsDOMPropEnums.h
dom/public/nsDOMPropNames.h
dom/src/base/nsGlobalWindow.cpp
modules/libpref/src/init/all.js
Fix bug 20469 Seeing JS functions and global variables from arbitrary host
r=vidur@netscape.com
Files:
dom/src/base/nsJSUtils.cpp
dom/src/base/nsJSUtils.h
dom/src/base/nsJSEnvironment.cpp
dom/tools/JSStubGen.cpp
layout/base/src/nsDocument.cpp
layout/html/content/src/nsGenericHTMLElement.cpp
Improve performance by removing NS_WITH_SERVICE call for every DOM access.
Propagate XPCOM failure codes out properly.
r=vidur@netscape.com
Files:
layout/html/document/src/nsFrameFrame.cpp
Fix 27387 Circumventing Same Origin security policy using setAttribute
r=vidur@netscape.com
2000-03-11 06:32:42 +00:00
3d5f67908e
Fix 28612 META Refresh allowed in Mail/News
...
r=mstoltz,a=jar
Fix 28658 File upload vulnerability
r=vidur,a=jar
2000-02-23 22:34:40 +00:00
80d944693e
Fix 25062 Reload vulnerability
...
25206 Reload vulnerability #2
Implement grant dialogs and persistence for capabilities.
most r=mstoltz, some code from morse w/ r=norris
2000-02-10 04:56:56 +00:00
131271ae68
Fix bug #25864 watch() vulnerability
...
r=vidur,rogerl
2000-02-02 00:22:58 +00:00
mstoltz%netscape.com
seawood%netscape.com
sicking%bigfoot.com
mcafee%netscape.com
gerv%gerv.net
scc%mozilla.org
brendan%mozilla.org
ddrinan%netscape.com
blizzard%redhat.com
jst%netscape.com
rayw%netscape.com
jband%netscape.com
vidur%netscape.com
joki%netscape.com
warren%netscape.com
norris%netscape.com