Prevented PreviewBrowser from having chrome privilege by using resource:// rather than chrome:// (#714). Adjusted skins and map command for the change.

2009-11-01 17:30:15 +09:00 · 2009-11-01 17:30:15 +09:00 · a3bdfcd75f
--- a/ubiquity/chrome/content/browser.xul
+++ b/ubiquity/chrome/content/browser.xul
@ -4,7 +4,6 @@

 <overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
         xmlns:svg="http://www.w3.org/2000/svg">
-
  <script type="application/javascript;version=1.8"
          src="chrome://ubiquity/content/ubiquity.js"/>
  <script type="application/javascript;version=1.8"
@ -12,7 +11,7 @@
  <script type="application/javascript;version=1.8"
          src="chrome://ubiquity/content/browser.js"/>
  <popupset id="mainPopupSet">
-    <panel id="ubiquity-transparent-panel" class="msgPanel">
+    <panel id="ubiquity-transparent-panel">
      <div id="ubiquity-panel"
        xmlns="http://www.w3.org/1999/xhtml"
        xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
@ -26,7 +25,8 @@
          </div>
          <div id="ubiquity-preview-container">
            <div id="ubiquity-preview">
-              <xul:browser id="ubiquity-browser" width="490" height="500"
+              <xul:browser id="ubiquity-browser"
+                type="content" width="490" height="500"
                disablesecurity="true" disablehistory="true"/>
            </div>
          </div>
--- a/ubiquity/chrome/content/preview.html
+++ b/ubiquity/chrome/content/preview.html
@ -1,10 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
-          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"
-      xml:lang="en" lang="en">
-<head>
-  <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
-</head>
-<body></body>
-</html>
--- a/ubiquity/chrome/skin/skins/custom.css
+++ b/ubiquity/chrome/skin/skins/custom.css
@ -1,12 +1,10 @@
 /*
  =skin=
-  
  @name Custom
  @author You
  @homepage http://www.yourpage.com
  @email you@you.com
  @license MPL/LGPL/GPL
-
  =/skin=
 */

@ -106,7 +104,7 @@
 }

 /* Formatting for the Preview box */
-@-moz-document url(chrome://ubiquity/content/preview.html) {
+@-moz-document url(resource://ubiquity/preview.html) {

 body {
  margin: 0;
--- a/ubiquity/chrome/skin/skins/default.css
+++ b/ubiquity/chrome/skin/skins/default.css
@ -141,7 +141,7 @@
 }

 /* Formatting for the Preview box */
-@-moz-document url-prefix(chrome://ubiquity/content/preview.html) {
+@-moz-document url-prefix(resource://ubiquity/preview.html) {

 body {
  color: #ffffff;
--- a/ubiquity/chrome/skin/skins/experimental.css
+++ b/ubiquity/chrome/skin/skins/experimental.css
@ -1,12 +1,10 @@
 /*
  =skin=
-  
  @name Ubiquity Evolved
  @author Stephen Horlander and Aza Raskin
  @homepage http://azarask.in
  @email aza@mozilla.com
  @license MPL/LGPL/GPL
-  
  =/skin=
 */

@ -220,7 +218,7 @@


 /* Formatting for the Preview box */
-@-moz-document url(chrome://ubiquity/content/preview.html) {
+@-moz-document url(resource://ubiquity/preview.html) {

 body {
  margin: 0;
--- a/ubiquity/chrome/skin/skins/old.css
+++ b/ubiquity/chrome/skin/skins/old.css
@ -117,7 +117,7 @@ body {

 }

-@-moz-document url-prefix(chrome://ubiquity/content/preview.html) {
+@-moz-document url-prefix(resource://ubiquity/preview.html) {

 body {
  margin: 0;
--- a/ubiquity/modules/cmdmanager.js
+++ b/ubiquity/modules/cmdmanager.js
@ -52,7 +52,7 @@ var L = LocalizationUtils.propertySelector(
  "chrome://ubiquity/locale/coreubiquity.properties");

 const {prefs} = Utils.Application;
-const DEFAULT_PREVIEW_URL = "chrome://ubiquity/content/preview.html";
+const DEFAULT_PREVIEW_URL = "resource://ubiquity/preview.html";
 const DEFAULT_MAX_SUGGESTIONS = 5;
 const PREF_MAX_SUGGESTIONS = "extensions.ubiquity.maxSuggestions";
 const MIN_MAX_SUGGS = 1;
--- a/ubiquity/modules/preview_browser.js
+++ b/ubiquity/modules/preview_browser.js
@ -57,7 +57,6 @@ function PreviewBrowser(browser, defaultUrl) {
      this.contentDocument.addEventListener(h, resizeContainer, true);
  }, true);

-  browser.setAttribute("type", "content");
  browser.setAttribute("src", defaultUrl);
 }

@ -121,9 +120,16 @@ PreviewBrowser.prototype = {
    var self = this;
    function showPreview() {
      if (self.__queuedPreview !== showPreview) return;
-
+      if (url) {
+        var uri = Utils.uri(url);
+        if (uri.scheme === "chrome") { // #714
+          Utils.reportInfo(
+            "PreviewBrowser: chrome URL is forbidden! (" + uri.spec + ")");
+          return;
+        }
+      }
      self._ensurePreviewBrowserUrlLoaded(
-        url ? Utils.url(url).spec : self.__defaultUrl,
+        url ? uri.spec : self.__defaultUrl,
        function PB___onUrlLoaded() {
          if (self.__queuedPreview === showPreview) {
            self.__queuedPreview = null;
--- a/ubiquity/preview.html
+++ b/ubiquity/preview.html
@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<head>
+  <title></title>
+  <meta charset="UTF-8"/>
+</head>
+<body></body>
--- a/ubiquity/standard-feeds/map.js
+++ b/ubiquity/standard-feeds/map.js
@ -24,8 +24,8 @@ CmdUtils.CreateCommand({
  preview: function map_preview(pblock, {object}) {
    // TODO: This isn't terribly safe; ideally, we should be communicating
    // with the other page via DOM events, etc.
-    var {Ubiquity} =
-      XPCSafeJSObjectWrapper(pblock.ownerDocument.defaultView);
+    var {Ubiquity} = XPCSafeJSObjectWrapper(
+      pblock.ownerDocument.defaultView.wrappedJSObject);
    Ubiquity.insertHtml = function map_insertHtml(html, text) {
      if (typeof html !== "string") return;