summaryrefslogtreecommitdiffstats
path: root/application/palemoon/base
diff options
context:
space:
mode:
Diffstat (limited to 'application/palemoon/base')
-rw-r--r--application/palemoon/base/content/aboutDialog.xul7
-rw-r--r--application/palemoon/base/content/baseMenuOverlay.xul2
-rw-r--r--application/palemoon/base/content/blockedSite.xhtml193
-rw-r--r--application/palemoon/base/content/browser-fullScreen.js12
-rw-r--r--application/palemoon/base/content/browser.js22
-rw-r--r--application/palemoon/base/content/browser.xul2
-rw-r--r--application/palemoon/base/content/nsContextMenu.js14
-rw-r--r--application/palemoon/base/content/pageinfo/permissions.js27
-rw-r--r--application/palemoon/base/content/report-phishing-overlay.xul35
-rw-r--r--application/palemoon/base/content/tabbrowser.xml26
-rw-r--r--application/palemoon/base/content/utilityOverlay.js56
11 files changed, 142 insertions, 254 deletions
diff --git a/application/palemoon/base/content/aboutDialog.xul b/application/palemoon/base/content/aboutDialog.xul
index 743ff21df..5c344f55d 100644
--- a/application/palemoon/base/content/aboutDialog.xul
+++ b/application/palemoon/base/content/aboutDialog.xul
@@ -88,6 +88,7 @@
</vbox>
<description class="text-pmcreds">
+#if defined(MOZ_OFFICIAL_BRANDING) || defined(MC_OFFICIAL)
#ifdef MC_PRIVATE_BUILD
This is a private build of Pale Moon. If you did not manually build this copy from source yourself, then please download an official version from the <label class="text-link" href="http://www.palemoon.org/">Pale Moon website</label>.
#else
@@ -100,6 +101,12 @@
If you wish to contribute, please consider helping out by providing support to other users on the <label class="text-link" href="https://forum.palemoon.org/">Pale Moon forum</label>
or getting involved in our development by tackling some of the issues found in our GitHub issue tracker.
#endif
+#else
+ &brandFullName; is released by &vendorShortName;.
+ </description>
+ <description class="text-blurb">
+ This is an unofficial build of Pale Moon. For official builds, please go to <label class="text-link" href="http://www.palemoon.org/">the Pale Moon website</label>.
+#endif
</description>
</vbox>
</vbox>
diff --git a/application/palemoon/base/content/baseMenuOverlay.xul b/application/palemoon/base/content/baseMenuOverlay.xul
index f61348c9f..e9019dc55 100644
--- a/application/palemoon/base/content/baseMenuOverlay.xul
+++ b/application/palemoon/base/content/baseMenuOverlay.xul
@@ -41,7 +41,7 @@
label="&helpMenu.label;"
accesskey="&helpMenu.accesskey;">
#endif
- <menupopup id="menu_HelpPopup" onpopupshowing="buildHelpMenu();">
+ <menupopup id="menu_HelpPopup">
<menuitem id="menu_openHelp"
oncommand="openHelpLink('firefox-help')"
onclick="checkForMiddleClick(this, event);"
diff --git a/application/palemoon/base/content/blockedSite.xhtml b/application/palemoon/base/content/blockedSite.xhtml
deleted file mode 100644
index b56875eb6..000000000
--- a/application/palemoon/base/content/blockedSite.xhtml
+++ /dev/null
@@ -1,193 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!DOCTYPE html [
- <!ENTITY % htmlDTD PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
- %htmlDTD;
- <!ENTITY % globalDTD SYSTEM "chrome://global/locale/global.dtd">
- %globalDTD;
- <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
- %brandDTD;
- <!ENTITY % blockedSiteDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd">
- %blockedSiteDTD;
-]>
-
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
-<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
- <head>
- <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
- <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/>
-
- <script type="application/javascript"><![CDATA[
- // Error url MUST be formatted like this:
- // about:blocked?e=error_code&u=url
-
- // Note that this file uses document.documentURI to get
- // the URL (with the format from above). This is because
- // document.location.href gets the current URI off the docshell,
- // which is the URL displayed in the location bar, i.e.
- // the URI that the user attempted to load.
-
- function getErrorCode()
- {
- var url = document.documentURI;
- var error = url.search(/e\=/);
- var duffUrl = url.search(/\&u\=/);
- return decodeURIComponent(url.slice(error + 2, duffUrl));
- }
-
- function getURL()
- {
- var url = document.documentURI;
- var match = url.match(/&u=([^&]+)&/);
-
- // match == null if not found; if so, return an empty string
- // instead of what would turn out to be portions of the URI
- if (!match)
- return "";
-
- url = decodeURIComponent(match[1]);
-
- // If this is a view-source page, then get then real URI of the page
- if (url.startsWith("view-source:"))
- url = url.slice(12);
- return url;
- }
-
- /**
- * Attempt to get the hostname via document.location. Fail back
- * to getURL so that we always return something meaningful.
- */
- function getHostString()
- {
- try {
- return document.location.hostname;
- } catch (e) {
- return getURL();
- }
- }
-
- function initPage()
- {
- // Handoff to the appropriate initializer, based on error code
- switch (getErrorCode()) {
- case "malwareBlocked" :
- initPage_malware();
- break;
- case "phishingBlocked" :
- initPage_phishing();
- break;
- }
- }
-
- /**
- * Initialize custom strings and functionality for blocked malware case
- */
- function initPage_malware()
- {
- // Remove phishing strings
- var el = document.getElementById("errorTitleText_phishing");
- el.parentNode.removeChild(el);
-
- el = document.getElementById("errorShortDescText_phishing");
- el.parentNode.removeChild(el);
-
- el = document.getElementById("errorLongDescText_phishing");
- el.parentNode.removeChild(el);
-
- // Set sitename
- document.getElementById("malware_sitename").textContent = getHostString();
- document.title = document.getElementById("errorTitleText_malware")
- .innerHTML;
- }
-
- /**
- * Initialize custom strings and functionality for blocked phishing case
- */
- function initPage_phishing()
- {
- // Remove malware strings
- var el = document.getElementById("errorTitleText_malware");
- el.parentNode.removeChild(el);
-
- el = document.getElementById("errorShortDescText_malware");
- el.parentNode.removeChild(el);
-
- el = document.getElementById("errorLongDescText_malware");
- el.parentNode.removeChild(el);
-
- // Set sitename
- document.getElementById("phishing_sitename").textContent = getHostString();
- document.title = document.getElementById("errorTitleText_phishing")
- .innerHTML;
- }
- ]]></script>
- <style type="text/css">
- /* Style warning button to look like a small text link in the
- bottom right. This is preferable to just using a text link
- since there is already a mechanism in browser.js for trapping
- oncommand events from unprivileged chrome pages (BrowserOnCommand).*/
- #ignoreWarningButton {
- -moz-appearance: none;
- background: transparent;
- border: none;
- color: white; /* Hard coded because netError.css forces this page's background to dark red */
- text-decoration: underline;
- margin: 0;
- padding: 0;
- position: relative;
- top: 23px;
- left: 20px;
- font-size: smaller;
- }
-
- #ignoreWarning {
- text-align: right;
- }
- </style>
- </head>
-
- <body dir="&locale.dir;">
- <div id="errorPageContainer">
-
- <!-- Error Title -->
- <div id="errorTitle">
- <h1 id="errorTitleText_phishing">&safeb.blocked.phishingPage.title;</h1>
- <h1 id="errorTitleText_malware">&safeb.blocked.malwarePage.title;</h1>
- </div>
-
- <div id="errorLongContent">
-
- <!-- Short Description -->
- <div id="errorShortDesc">
- <p id="errorShortDescText_phishing">&safeb.blocked.phishingPage.shortDesc;</p>
- <p id="errorShortDescText_malware">&safeb.blocked.malwarePage.shortDesc;</p>
- </div>
-
- <!-- Long Description -->
- <div id="errorLongDesc">
- <p id="errorLongDescText_phishing">&safeb.blocked.phishingPage.longDesc;</p>
- <p id="errorLongDescText_malware">&safeb.blocked.malwarePage.longDesc;</p>
- </div>
-
- <!-- Action buttons -->
- <div id="buttons">
- <!-- Commands handled in browser.js -->
- <button id="getMeOutButton">&safeb.palm.accept.label;</button>
- <button id="reportButton">&safeb.palm.reportPage.label;</button>
- </div>
- </div>
- <div id="ignoreWarning">
- <button id="ignoreWarningButton">&safeb.palm.decline.label;</button>
- </div>
- </div>
- <!--
- - Note: It is important to run the script this way, instead of using
- - an onload handler. This is because error pages are loaded as
- - LOAD_BACKGROUND, which means that onload handlers will not be executed.
- -->
- <script type="application/javascript">initPage();</script>
- </body>
-</html>
diff --git a/application/palemoon/base/content/browser-fullScreen.js b/application/palemoon/base/content/browser-fullScreen.js
index 6afd247be..b1235a8d3 100644
--- a/application/palemoon/base/content/browser-fullScreen.js
+++ b/application/palemoon/base/content/browser-fullScreen.js
@@ -53,6 +53,18 @@ var FullScreen = {
document.addEventListener("popupshown", this._setPopupOpen, false);
document.addEventListener("popuphidden", this._setPopupOpen, false);
this._shouldAnimate = true;
+ // If it is not safe to collapse, add the mouse position tracker or
+ // else it won't be possible to hide the navigation toolbox again
+ if (!this._safeToCollapse(document.mozFullScreen)) {
+ let rect = gBrowser.mPanelContainer.getBoundingClientRect();
+ this._mouseTargetRect = {
+ top: rect.top + 50,
+ bottom: rect.bottom,
+ left: rect.left,
+ right: rect.right
+ };
+ MousePosTracker.addListener(this);
+ }
// We don't animate the toolbar collapse if in DOM full-screen mode,
// as the size of the content area would still be changing after the
// mozfullscreenchange event fired, which could confuse content script.
diff --git a/application/palemoon/base/content/browser.js b/application/palemoon/base/content/browser.js
index 386bd418b..7421fc5c3 100644
--- a/application/palemoon/base/content/browser.js
+++ b/application/palemoon/base/content/browser.js
@@ -1051,6 +1051,8 @@ var gBrowserInit = {
// [3]: postData (nsIInputStream)
// [4]: allowThirdPartyFixup (bool)
// [5]: referrerPolicy (int)
+ // [6]: originPrincipal (nsIPrincipal)
+ // [7]: triggeringPrincipal (nsIPrincipal)
else if (window.arguments.length >= 3) {
let referrerURI = window.arguments[2];
if (typeof(referrerURI) == "string") {
@@ -1063,7 +1065,10 @@ var gBrowserInit = {
let referrerPolicy = (window.arguments[5] != undefined ?
window.arguments[5] : Ci.nsIHttpChannel.REFERRER_POLICY_DEFAULT);
loadURI(uriToLoad, referrerURI, window.arguments[3] || null,
- window.arguments[4] || false, referrerPolicy);
+ window.arguments[4] || false, referrerPolicy,
+ // pass the origin principal (if any) and force its use to create
+ // an initial about:blank viewer if present:
+ window.arguments[6], !!window.arguments[6], window.arguments[7]);
window.focus();
}
// Note: loadOneOrMoreURIs *must not* be called if window.arguments.length >= 3.
@@ -1952,7 +1957,9 @@ function BrowserTryToCloseWindow()
window.close(); // WindowIsClosing does all the necessary checks
}
-function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy) {
+function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy,
+ originPrincipal, forceAboutBlankViewerInCurrent,
+ triggeringPrincipal) {
if (postData === undefined)
postData = null;
@@ -1968,6 +1975,9 @@ function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy)
referrerURI: referrer,
referrerPolicy: referrerPolicy,
postData: postData,
+ originPrincipal: originPrincipal,
+ triggeringPrincipal: triggeringPrincipal,
+ forceAboutBlankViewerInCurrent: forceAboutBlankViewerInCurrent,
});
} catch (e) {}
}
@@ -4395,9 +4405,11 @@ nsBrowserAccess.prototype = {
}
let referrer = aOpener ? makeURI(aOpener.location.href) : null;
+ let triggeringPrincipal = null;
let referrerPolicy = Ci.nsIHttpChannel.REFERRER_POLICY_DEFAULT;
if (aOpener && aOpener.document) {
referrerPolicy = aOpener.document.referrerPolicy;
+ triggeringPrincipal = aOpener.document.nodePrincipal;
}
switch (aWhere) {
@@ -4437,6 +4449,7 @@ nsBrowserAccess.prototype = {
let referrer = aOpener ? makeURI(aOpener.location.href) : null;
let tab = win.gBrowser.loadOneTab(aURI ? aURI.spec : "about:blank", {
+ triggeringPrincipal: triggeringPrincipal,
referrerURI: referrer,
referrerPolicy: referrerPolicy,
fromExternal: isExternal,
@@ -4459,6 +4472,7 @@ nsBrowserAccess.prototype = {
Ci.nsIWebNavigation.LOAD_FLAGS_NONE;
gBrowser.loadURIWithFlags(aURI.spec, {
flags: loadflags,
+ triggeringPrincipal: triggeringPrincipal,
referrerURI: referrer,
referrerPolicy: referrerPolicy,
});
@@ -5192,7 +5206,9 @@ function handleLinkClick(event, href, linkNode) {
urlSecurityCheck(href, doc.nodePrincipal);
openLinkIn(href, where, { referrerURI: doc.documentURIObject,
charset: doc.characterSet,
- referrerPolicy: doc.referrerPolicy });
+ referrerPolicy: doc.referrerPolicy,
+ originPrincipal: doc.nodePrincipal,
+ triggeringPrincipal: doc.nodePrincipal });
event.preventDefault();
return true;
}
diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul
index 254e2eee0..90899bb88 100644
--- a/application/palemoon/base/content/browser.xul
+++ b/application/palemoon/base/content/browser.xul
@@ -334,7 +334,9 @@
</button>
</hbox>
#endif
+#ifndef XP_MACOSX
<spacer id="titlebar-spacer" flex="1"/>
+#endif
<hbox id="titlebar-buttonbox-container" align="start">
<hbox id="titlebar-buttonbox">
<toolbarbutton class="titlebar-button" id="titlebar-min" oncommand="window.minimize();"/>
diff --git a/application/palemoon/base/content/nsContextMenu.js b/application/palemoon/base/content/nsContextMenu.js
index 738868ccb..19b2fac77 100644
--- a/application/palemoon/base/content/nsContextMenu.js
+++ b/application/palemoon/base/content/nsContextMenu.js
@@ -754,7 +754,9 @@ nsContextMenu.prototype = {
openLinkIn(this.linkURL, "window",
{ charset: doc.characterSet,
referrerURI: doc.documentURIObject,
- referrerPolicy: doc.referrerPolicy });
+ referrerPolicy: doc.referrerPolicy,
+ originPrincipal: doc.nodePrincipal,
+ triggeringPrincipal: doc.nodePrincipal });
},
// Open linked-to URL in a new private window.
@@ -765,6 +767,8 @@ nsContextMenu.prototype = {
{ charset: doc.characterSet,
referrerURI: doc.documentURIObject,
referrerPolicy: doc.referrerPolicy,
+ originPrincipal: doc.nodePrincipal,
+ triggeringPrincipal: doc.nodePrincipal,
private: true });
},
@@ -775,7 +779,9 @@ nsContextMenu.prototype = {
openLinkIn(this.linkURL, "tab",
{ charset: doc.characterSet,
referrerURI: doc.documentURIObject,
- referrerPolicy: doc.referrerPolicy });
+ referrerPolicy: doc.referrerPolicy,
+ originPrincipal: doc.nodePrincipal,
+ triggeringPrincipal: doc.nodePrincipal });
},
// open URL in current tab
@@ -784,7 +790,9 @@ nsContextMenu.prototype = {
urlSecurityCheck(this.linkURL, doc.nodePrincipal);
openLinkIn(this.linkURL, "current",
{ charset: doc.characterSet,
- referrerURI: doc.documentURIObject });
+ referrerURI: doc.documentURIObject,
+ originPrincipal: doc.nodePrincipal,
+ triggeringPrincipal: doc.nodePrincipal });
},
// Open frame in a new tab.
diff --git a/application/palemoon/base/content/pageinfo/permissions.js b/application/palemoon/base/content/pageinfo/permissions.js
index 5d25a800d..4f8382f66 100644
--- a/application/palemoon/base/content/pageinfo/permissions.js
+++ b/application/palemoon/base/content/pageinfo/permissions.js
@@ -217,14 +217,20 @@ function fillInPluginPermissionTemplate(aPermissionString, aPluginObject) {
.cloneNode(true);
permPluginTemplate.setAttribute("permString", aPermissionString);
permPluginTemplate.setAttribute("tooltiptext", aPluginObject.description);
- let attrs = [
- [ ".permPluginTemplateLabel", "value", aPluginObject.name ],
- [ ".permPluginTemplateRadioGroup", "id", aPermissionString + "RadioGroup" ],
- [ ".permPluginTemplateRadioDefault", "id", aPermissionString + "#0" ],
- [ ".permPluginTemplateRadioAsk", "id", aPermissionString + "#3" ],
- [ ".permPluginTemplateRadioAllow", "id", aPermissionString + "#1" ],
- [ ".permPluginTemplateRadioBlock", "id", aPermissionString + "#2" ]
- ];
+ let attrs = [];
+ attrs.push([".permPluginTemplateLabel", "value", aPluginObject.name]);
+ attrs.push([".permPluginTemplateRadioGroup", "id", aPermissionString + "RadioGroup"]);
+ attrs.push([".permPluginTemplateRadioDefault", "id", aPermissionString + "#0"]);
+ let permPluginTemplateRadioAsk = ".permPluginTemplateRadioAsk";
+ if (Services.prefs.getBoolPref("plugins.click_to_play") ||
+ aPluginObject.vulnerable) {
+ attrs.push([permPluginTemplateRadioAsk, "id", aPermissionString + "#3"]);
+ } else {
+ permPluginTemplate.querySelector(permPluginTemplateRadioAsk)
+ .setAttribute("disabled", "true");
+ }
+ attrs.push([".permPluginTemplateRadioAllow", "id", aPermissionString + "#1"]);
+ attrs.push([".permPluginTemplateRadioBlock", "id", aPermissionString + "#2"]);
for (let attr of attrs) {
permPluginTemplate.querySelector(attr[0]).setAttribute(attr[1], attr[2]);
@@ -264,13 +270,16 @@ function initPluginsRow() {
}
let permString = pluginHost.getPermissionStringForType(mimeType);
if (!permissionMap.has(permString)) {
- var name = makeNicePluginName(plugin.name) + " " + plugin.version;
+ let name = makeNicePluginName(plugin.name) + " " + plugin.version;
+ let vulnerable = false;
if (permString.startsWith("plugin-vulnerable:")) {
name += " \u2014 " + vulnerableLabel;
+ vulnerable = true;
}
permissionMap.set(permString, {
"name": name,
"description": plugin.description,
+ "vulnerable": vulnerable
});
}
}
diff --git a/application/palemoon/base/content/report-phishing-overlay.xul b/application/palemoon/base/content/report-phishing-overlay.xul
deleted file mode 100644
index 76baf01da..000000000
--- a/application/palemoon/base/content/report-phishing-overlay.xul
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0"?>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
-<!DOCTYPE overlay [
-<!ENTITY % reportphishDTD SYSTEM "chrome://browser/locale/safebrowsing/report-phishing.dtd">
-%reportphishDTD;
-<!ENTITY % safebrowsingDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd">
-%safebrowsingDTD;
-]>
-
-<overlay id="reportPhishingMenuOverlay"
- xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
- <broadcasterset id="mainBroadcasterSet">
- <broadcaster id="reportPhishingBroadcaster" disabled="true"/>
- <broadcaster id="reportPhishingErrorBroadcaster" disabled="true"/>
- </broadcasterset>
- <menupopup id="menu_HelpPopup">
- <menuitem id="menu_HelpPopup_reportPhishingtoolmenu"
- label="&reportPhishSiteMenu.title2;"
- accesskey="&reportPhishSiteMenu.accesskey;"
- insertbefore="aboutSeparator"
- observes="reportPhishingBroadcaster"
- oncommand="openUILink(gSafeBrowsing.getReportURL('Phish'), event);"
- onclick="checkForMiddleClick(this, event);"/>
- <menuitem id="menu_HelpPopup_reportPhishingErrortoolmenu"
- label="&safeb.palm.notforgery.label2;"
- accesskey="&reportPhishSiteMenu.accesskey;"
- insertbefore="aboutSeparator"
- observes="reportPhishingErrorBroadcaster"
- oncommand="openUILinkIn(gSafeBrowsing.getReportURL('Error'), 'tab');"
- onclick="checkForMiddleClick(this, event);"/>
- </menupopup>
-</overlay>
diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml
index ea68d00ad..d5735149e 100644
--- a/application/palemoon/base/content/tabbrowser.xml
+++ b/application/palemoon/base/content/tabbrowser.xml
@@ -1313,13 +1313,16 @@
<parameter name="aAllowThirdPartyFixup"/>
<body>
<![CDATA[
+ var aTriggeringPrincipal;
var aReferrerPolicy;
var aFromExternal;
var aRelatedToCurrent;
+ var aOriginPrincipal;
if (arguments.length == 2 &&
typeof arguments[1] == "object" &&
!(arguments[1] instanceof Ci.nsIURI)) {
let params = arguments[1];
+ aTriggeringPrincipal = params.triggeringPrincipal;
aReferrerURI = params.referrerURI;
aReferrerPolicy = params.referrerPolicy;
aCharset = params.charset;
@@ -1328,12 +1331,14 @@
aAllowThirdPartyFixup = params.allowThirdPartyFixup;
aFromExternal = params.fromExternal;
aRelatedToCurrent = params.relatedToCurrent;
+ aOriginPrincipal = params.originPrincipal;
}
var bgLoad = (aLoadInBackground != null) ? aLoadInBackground :
Services.prefs.getBoolPref("browser.tabs.loadInBackground");
var owner = bgLoad ? null : this.selectedTab;
var tab = this.addTab(aURI, {
+ triggeringPrincipal: aTriggeringPrincipal,
referrerURI: aReferrerURI,
referrerPolicy: aReferrerPolicy,
charset: aCharset,
@@ -1341,6 +1346,7 @@
ownerTab: owner,
allowThirdPartyFixup: aAllowThirdPartyFixup,
fromExternal: aFromExternal,
+ originPrincipal: aOriginPrincipal,
relatedToCurrent: aRelatedToCurrent});
if (!bgLoad)
this.selectedTab = tab;
@@ -1461,14 +1467,17 @@
<body>
<![CDATA[
const NS_XUL = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
+ var aTriggeringPrincipal;
var aReferrerPolicy;
var aFromExternal;
var aRelatedToCurrent;
var aSkipAnimation;
+ var aOriginPrincipal;
if (arguments.length == 2 &&
typeof arguments[1] == "object" &&
!(arguments[1] instanceof Ci.nsIURI)) {
let params = arguments[1];
+ aTriggeringPrincipal = params.triggeringPrincipal;
aReferrerURI = params.referrerURI;
aReferrerPolicy = params.referrerPolicy;
aCharset = params.charset;
@@ -1478,6 +1487,7 @@
aFromExternal = params.fromExternal;
aRelatedToCurrent = params.relatedToCurrent;
aSkipAnimation = params.skipAnimation;
+ aOriginPrincipal = params.originPrincipal;
}
// if we're adding tabs, we're past interrupt mode, ditch the owner
@@ -1486,6 +1496,11 @@
var t = document.createElementNS(NS_XUL, "tab");
+ let aURIObject = null;
+ try {
+ aURIObject = Services.io.newURI(aURI || "about:blank");
+ } catch (ex) { /* we'll try to fix up this URL later */ }
+
var uriIsAboutBlank = !aURI || aURI == "about:blank";
if (!aURI || isBlankPageURL(aURI))
@@ -1625,6 +1640,16 @@
evt.initEvent("TabOpen", true, false);
t.dispatchEvent(evt);
+ if (aOriginPrincipal && aURI) {
+ let {URI_INHERITS_SECURITY_CONTEXT} = Ci.nsIProtocolHandler;
+ // Unless we know for sure we're not inheriting principals,
+ // force the about:blank viewer to have the right principal:
+ if (!aURIObject ||
+ (Services.io.getProtocolFlags(aURIObject.scheme) & URI_INHERITS_SECURITY_CONTEXT)) {
+ b.createAboutBlankContentViewer(aOriginPrincipal);
+ }
+ }
+
// If we didn't swap docShells with a preloaded browser
// then let's just continue loading the page normally.
if (!docShellsSwapped && !uriIsAboutBlank) {
@@ -1643,6 +1668,7 @@
try {
b.loadURIWithFlags(aURI, {
flags: flags,
+ triggeringPrincipal: aTriggeringPrincipal,
referrerURI: aReferrerURI,
referrerPolicy: aReferrerPolicy,
charset: aCharset,
diff --git a/application/palemoon/base/content/utilityOverlay.js b/application/palemoon/base/content/utilityOverlay.js
index 63488e209..2c1a95f83 100644
--- a/application/palemoon/base/content/utilityOverlay.js
+++ b/application/palemoon/base/content/utilityOverlay.js
@@ -230,6 +230,10 @@ function openLinkIn(url, where, params) {
var aDisallowInheritPrincipal = params.disallowInheritPrincipal;
var aInitiatingDoc = params.initiatingDoc;
var aIsPrivate = params.private;
+ var aPrincipal = params.originPrincipal;
+ var aTriggeringPrincipal = params.triggeringPrincipal;
+ var aForceAboutBlankViewerInCurrent =
+ params.forceAboutBlankViewerInCurrent;
var sendReferrerURI = true;
if (where == "save") {
@@ -254,6 +258,23 @@ function openLinkIn(url, where, params) {
// Note that if |w| is null we might have no current browser (we'll open a new window).
var aCurrentBrowser = params.currentBrowser || (w && w.gBrowser.selectedBrowser);
+ // Teach the principal about the right OA to use, e.g. in case when
+ // opening a link in a new private window.
+ // Please note we do not have to do that for SystemPrincipals and we
+ // can not do it for NullPrincipals since NullPrincipals are only
+ // identical if they actually are the same object (See Bug: 1346759)
+ function useOAForPrincipal(principal) {
+ if (principal && principal.isCodebasePrincipal) {
+ let attrs = {
+ privateBrowsingId: aIsPrivate || (w && PrivateBrowsingUtils.isWindowPrivate(w)),
+ };
+ return Services.scriptSecurityManager.createCodebasePrincipal(principal.URI, attrs);
+ }
+ return principal;
+ }
+ aPrincipal = useOAForPrincipal(aPrincipal);
+ aTriggeringPrincipal = useOAForPrincipal(aTriggeringPrincipal);
+
if (!w || where == "window") {
// This propagates to window.arguments.
// Strip referrer data when opening a new private window, to prevent
@@ -297,6 +318,8 @@ function openLinkIn(url, where, params) {
sa.AppendElement(aPostData);
sa.AppendElement(allowThirdPartyFixupSupports);
sa.AppendElement(referrerPolicySupports);
+ sa.AppendElement(aPrincipal);
+ sa.AppendElement(aTriggeringPrincipal);
let features = "chrome,dialog=no,all";
if (aIsPrivate) {
@@ -314,10 +337,17 @@ function openLinkIn(url, where, params) {
getBoolPref("browser.tabs.loadInBackground");
}
+ let uriObj;
+ if (where == "current") {
+ try {
+ uriObj = Services.io.newURI(url, null, null);
+ } catch (e) {}
+ }
+
if (where == "current" && w.gBrowser.selectedTab.pinned) {
try {
- let uriObj = Services.io.newURI(url, null, null);
- if (!uriObj.schemeIs("javascript") &&
+ // nsIURI.host can throw for non-nsStandardURL nsIURIs.
+ if (!uriObj || !uriObj.schemeIs("javascript") &&
w.gBrowser.currentURI.host != uriObj.host) {
where = "tab";
loadInBackground = false;
@@ -345,11 +375,22 @@ function openLinkIn(url, where, params) {
if (aForceAllowDataURI) {
flags |= Ci.nsIWebNavigation.LOAD_FLAGS_FORCE_ALLOW_DATA_URI;
}
+ let {URI_INHERITS_SECURITY_CONTEXT} = Ci.nsIProtocolHandler;
+ if (aForceAboutBlankViewerInCurrent &&
+ (!uriObj ||
+ (Services.io.getProtocolFlags(uriObj.scheme) & URI_INHERITS_SECURITY_CONTEXT))) {
+ // Unless we know for sure we're not inheriting principals,
+ // force the about:blank viewer to have the right principal:
+ w.gBrowser.selectedBrowser.createAboutBlankContentViewer(aPrincipal);
+ }
+
w.gBrowser.loadURIWithFlags(url, {
flags: flags,
+ triggeringPrincipal: aTriggeringPrincipal,
referrerURI: aReferrerURI,
referrerPolicy: aReferrerPolicy,
postData: aPostData,
+ originPrincipal: aPrincipal,
});
browserUsedForLoad = aCurrentBrowser;
break;
@@ -365,7 +406,9 @@ function openLinkIn(url, where, params) {
postData: aPostData,
inBackground: loadInBackground,
allowThirdPartyFixup: aAllowThirdPartyFixup,
- relatedToCurrent: aRelatedToCurrent});
+ relatedToCurrent: aRelatedToCurrent,
+ originPrincipal: aPrincipal,
+ triggeringPrincipal: aTriggeringPrincipal });
browserUsedForLoad = tabUsedForLoad.linkedBrowser;
break;
}
@@ -564,13 +607,6 @@ function openFeedbackPage()
openUILinkIn(Services.prefs.getCharPref("browser.feedback.url"), "tab");
}
-function buildHelpMenu()
-{
- // Enable/disable the "Report Web Forgery" menu item.
- if (typeof gSafeBrowsing != "undefined")
- gSafeBrowsing.setReportPhishingMenu();
-}
-
function isElementVisible(aElement)
{
if (!aElement)