File gecko-lockdown.patch of Package mozilla-xul-runner

Overview Repositories Revisions Requests Users Attributes Meta

File gecko-lockdown.patch of Package mozilla-xul-runner

From: Robert O'Callahan
Subject: Lockdown feature for Gecko
References:

Index: extensions/cookie/nsCookiePermission.cpp
===================================================================
--- extensions/cookie/nsCookiePermission.cpp.orig
+++ extensions/cookie/nsCookiePermission.cpp
@@ -86,6 +86,7 @@ static const char kCookiesPrefsMigrated[
 // obsolete pref names for migration
 static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled";
 static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior";
+static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions";
 static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies";
 
 static const char kPermissionType[] = "cookie";
@@ -125,6 +126,7 @@ nsCookiePermission::Init()
     prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE);
     prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE);
     prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE);
+    prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE);
 #ifdef MOZ_MAIL_NEWS
     prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE);
 #endif
@@ -182,6 +184,10 @@ nsCookiePermission::PrefChanged(nsIPrefB
       NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val)))
     mCookiesAlwaysAcceptSession = val;
 
+  if (PREF_CHANGED(kCookiesHonorExceptions) &&
+      NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val)))
+    mCookiesHonorExceptions = val;
+
 #ifdef MOZ_MAIL_NEWS
   if (PREF_CHANGED(kCookiesDisabledForMailNews) &&
       NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesDisabledForMailNews, &val)))
@@ -232,6 +238,11 @@ nsCookiePermission::CanAccess(nsIURI
 #endif // MOZ_MAIL_NEWS
   
   // finally, check with permission manager...
+  if (!mCookiesHonorExceptions) {
+    *aResult = ACCESS_DEFAULT;
+    return NS_OK;
+  }
+
   nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult);
   if (NS_SUCCEEDED(rv)) {
     switch (*aResult) {
Index: extensions/cookie/nsCookiePermission.h
===================================================================
--- extensions/cookie/nsCookiePermission.h.orig
+++ extensions/cookie/nsCookiePermission.h
@@ -61,6 +61,7 @@ public:
 #ifdef MOZ_MAIL_NEWS
     , mCookiesDisabledForMailNews(PR_TRUE)
 #endif
+    , mCookiesHonorExceptions(PR_TRUE)
     {}
   virtual ~nsCookiePermission() {}
 
@@ -76,7 +77,7 @@ private:
 #ifdef MOZ_MAIL_NEWS
   PRPackedBool mCookiesDisabledForMailNews;
 #endif
-
+  PRPackedBool mCookiesHonorExceptions;
 };
 
 // {EF565D0A-AB9A-4A13-9160-0644CDFD859A}
Index: extensions/permissions/nsContentBlocker.cpp
===================================================================
--- extensions/permissions/nsContentBlocker.cpp.orig
+++ extensions/permissions/nsContentBlocker.cpp
@@ -76,6 +76,7 @@ NS_IMPL_ISUPPORTS3(nsContentBlocker,
 nsContentBlocker::nsContentBlocker()
 {
   memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES);
+  memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES);
 }
 
 nsresult
@@ -92,6 +93,11 @@ nsContentBlocker::Init()
   rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch));
   NS_ENSURE_SUCCESS(rv, rv);
 
+  nsCOMPtr<nsIPrefBranch> honorExceptionsPrefBranch;
+  rv = prefService->GetBranch("permissions.honorExceptions.",
+                              getter_AddRefs(honorExceptionsPrefBranch));
+  NS_ENSURE_SUCCESS(rv, rv);
+
   // Migrate old image blocker pref
   nsCOMPtr<nsIPrefBranch> oldPrefBranch;
   oldPrefBranch = do_QueryInterface(prefService);
@@ -121,8 +127,15 @@ nsContentBlocker::Init()
   mPrefBranchInternal = do_QueryInterface(prefBranch, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  mHonorExceptionsPrefBranchInternal =
+    do_QueryInterface(honorExceptionsPrefBranch, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
   rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE);
-  PrefChanged(prefBranch, nsnull);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE);
+  PrefChanged(nsnull);
 
   return rv;
 }
@@ -131,19 +144,22 @@ nsContentBlocker::Init()
 #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default))
 
 void
-nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch,
-                              const char    *aPref)
+nsContentBlocker::PrefChanged(const char *aPref)
 {
-  PRInt32 val;
-
-#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P))
-
-  for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
-    if (PREF_CHANGED(kTypeString[i]) &&
-        NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val)))
-      mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+  for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
+    if (!aPref || !strcmp(kTypeString[i], aPref)) {
+      PRInt32 val;
+      PRBool b;
+      if (mPrefBranchInternal &&
+          NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) {
+        mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+      }
+      if (mHonorExceptionsPrefBranchInternal &&
+          NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) {
+        mHonorExceptions[i] = b;
+      }
+    }
   }
-
 }
 
 // nsIContentPolicy Implementation
@@ -268,11 +284,13 @@ nsContentBlocker::TestPermission(nsIURI
   // default prefs.
   // Don't forget the aContentType ranges from 1..8, while the
   // array is indexed 0..7
-  PRUint32 permission;
-  nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
-                                                   kTypeString[aContentType - 1],
-                                                   &permission);
-  NS_ENSURE_SUCCESS(rv, rv);
+  PRUint32 permission = 0;
+  if (mHonorExceptions[aContentType - 1]) {
+    nsresult rv = mPermissionManager->TestPermission(aCurrentURI,
+                                                     kTypeString[aContentType - 1],
+                                                     &permission);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
 
   // If there is nothing on the list, use the default.
   if (!permission) {
@@ -298,7 +316,7 @@ nsContentBlocker::TestPermission(nsIURI
       return NS_OK;
 
     PRBool trustedSource = PR_FALSE;
-    rv = aFirstURI->SchemeIs("chrome", &trustedSource);
+    nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource);
     NS_ENSURE_SUCCESS(rv,rv);
     if (!trustedSource) {
       rv = aFirstURI->SchemeIs("resource", &trustedSource);
@@ -363,8 +381,6 @@ nsContentBlocker::Observe(nsISupports
 {
   NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic),
                "unexpected topic - we only deal with pref changes!");
-
-  if (mPrefBranchInternal)
-    PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get());
+  PrefChanged(NS_LossyConvertUTF16toASCII(aData).get());
   return NS_OK;
 }
Index: extensions/permissions/nsContentBlocker.h
===================================================================
--- extensions/permissions/nsContentBlocker.h.orig
+++ extensions/permissions/nsContentBlocker.h
@@ -66,7 +66,7 @@ public:
 private:
   ~nsContentBlocker() {}
 
-  void PrefChanged(nsIPrefBranch *, const char *);
+  void PrefChanged(const char *);
   nsresult TestPermission(nsIURI *aCurrentURI,
                           nsIURI *aFirstURI,
                           PRInt32 aContentType,
@@ -75,7 +75,9 @@ private:
 
   nsCOMPtr<nsIPermissionManager> mPermissionManager;
   nsCOMPtr<nsIPrefBranch2> mPrefBranchInternal;
+  nsCOMPtr<nsIPrefBranch2> mHonorExceptionsPrefBranchInternal;
   PRUint8 mBehaviorPref[NUMBER_OF_TYPES];
+  PRPackedBool mHonorExceptions[NUMBER_OF_TYPES];
 };
 
 #define NS_CONTENTBLOCKER_CID \
Index: modules/libpref/src/init/all.js
===================================================================
--- modules/libpref/src/init/all.js.orig
+++ modules/libpref/src/init/all.js
@@ -798,6 +798,7 @@ pref("network.automatic-ntlm-auth.truste
 pref("network.ntlm.send-lm-response", false);
 
 pref("permissions.default.image",           1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
+pref("permissions.honorExceptions.image",   true);
 
 #ifndef XP_MACOSX
 #ifdef XP_UNIX
@@ -825,6 +826,7 @@ pref("network.proxy.no_proxies_on",
 pref("network.proxy.failover_timeout",      1800); // 30 minutes
 pref("network.online",                      true); //online/offline
 pref("network.cookie.cookieBehavior",       0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
+pref("network.cookie.honorExceptions",      true);
 pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail
 pref("network.cookie.lifetimePolicy",       0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays
 pref("network.cookie.alwaysAcceptSessionCookies", false);
Index: widget/src/gtk2/nsWindow.cpp
===================================================================
--- widget/src/gtk2/nsWindow.cpp.orig
+++ widget/src/gtk2/nsWindow.cpp
@@ -81,6 +81,7 @@
 #include "nsIServiceManager.h"
 #include "nsIStringBundle.h"
 #include "nsGfxCIID.h"
+#include "nsIPrefService.h"
 
 #ifdef ACCESSIBILITY
 #include "nsIAccessibilityService.h"
@@ -91,7 +92,6 @@
 static PRBool sAccessibilityChecked = PR_FALSE;
 /* static */
 PRBool nsWindow::sAccessibilityEnabled = PR_FALSE;
-static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1";
 static const char sAccEnv [] = "GNOME_ACCESSIBILITY";
 static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility";
 #endif
@@ -3992,18 +3992,18 @@ nsWindow::NativeCreate(nsIWidget
             sAccessibilityEnabled = atoi(envValue) != 0;
             LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue));
         }
-        //check gconf-2 setting
+        //check preference setting
         else {
-            nsCOMPtr<nsIPrefBranch> sysPrefService =
-                do_GetService(sSysPrefService, &rv);
-            if (NS_SUCCEEDED(rv) && sysPrefService) {
-
-                // do the work to get gconf setting.
-                // will be done soon later.
-                sysPrefService->GetBoolPref(sAccessibilityKey,
+            nsCOMPtr<nsIPrefService> prefService =
+               do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+            if (NS_SUCCEEDED(rv) && prefService) {
+                nsCOMPtr<nsIPrefBranch> prefBranch;
+                rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch));
+                if (NS_SUCCEEDED(rv) && prefBranch) {
+                    prefBranch->GetBoolPref(sAccessibilityKey,
                                             &sAccessibilityEnabled);
+                }
             }
-
         }
     }
     if (sAccessibilityEnabled) {
Index: xpinstall/src/nsXPInstallManager.cpp
===================================================================
--- xpinstall/src/nsXPInstallManager.cpp.orig
+++ xpinstall/src/nsXPInstallManager.cpp
@@ -290,6 +290,7 @@ nsXPInstallManager::InitManagerInternal(
         //-----------------------------------------------------
         // Get permission to install
         //-----------------------------------------------------
+        nsCOMPtr<nsIPrefBranch> pref(do_GetService(NS_PREFSERVICE_CONTRACTID));
 
 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
         if ( mChromeType == CHROME_SKIN )
@@ -299,17 +300,26 @@ nsXPInstallManager::InitManagerInternal(
 
             // skins get a simpler/friendlier dialog
             // XXX currently not embeddable
-            OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList );
+            PRBool themesDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled);
+            OKtoInstall = !themesDisabled &&
+               ConfirmChromeInstall( mParentWindow, packageList );
         }
         else
         {
 #endif
-            rv = dlgSvc->ConfirmInstall( mParentWindow,
-                                         packageList,
-                                         numStrings,
-                                         &OKtoInstall );
-            if (NS_FAILED(rv))
-                OKtoInstall = PR_FALSE;
+            PRBool extensionsDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled);
+            if (!extensionsDisabled) {
+                rv = dlgSvc->ConfirmInstall( mParentWindow,
+                                             packageList,
+                                             numStrings,
+                                             &OKtoInstall );
+                if (NS_FAILED(rv))
+                    OKtoInstall = PR_FALSE;
+            }
 #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
         }
 #endif

Places

File gecko-lockdown.patch of Package mozilla-xul-runner

Places