diff options
Diffstat (limited to 'mobile/android/chrome/content/aboutCertError.xhtml')
-rw-r--r-- | mobile/android/chrome/content/aboutCertError.xhtml | 264 |
1 files changed, 264 insertions, 0 deletions
diff --git a/mobile/android/chrome/content/aboutCertError.xhtml b/mobile/android/chrome/content/aboutCertError.xhtml new file mode 100644 index 000000000..c5922e2fe --- /dev/null +++ b/mobile/android/chrome/content/aboutCertError.xhtml @@ -0,0 +1,264 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!DOCTYPE html [ + <!ENTITY % htmlDTD + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "DTD/xhtml1-strict.dtd"> + %htmlDTD; + <!ENTITY % globalDTD + SYSTEM "chrome://global/locale/global.dtd"> + %globalDTD; + <!ENTITY % certerrorDTD + SYSTEM "chrome://browser/locale/aboutCertError.dtd"> + %certerrorDTD; +]> + +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <title>&certerror.pagetitle;</title> + <meta name="viewport" content="width=device-width; user-scalable=false" /> + <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" /> + <!-- This page currently uses the same favicon as neterror.xhtml. + If the location of the favicon is changed for both pages, the + FAVICON_ERRORPAGE_URL symbol in toolkit/components/places/src/nsFaviconService.h + should be updated. If this page starts using a different favicon + than neterrorm nsFaviconService->SetAndLoadFaviconForPage + should be updated to ignore this one as well. --> + <link rel="icon" type="image/png" id="favicon" sizes="64x64" href="chrome://browser/skin/images/certerror-warning.png"/> + + <script type="application/javascript"><![CDATA[ + // Error url MUST be formatted like this: + // about:certerror?e=error&u=url&d=desc + + // Note that this file uses document.documentURI to get + // the URL (with the format from above). This is because + // document.location.href gets the current URI off the docshell, + // which is the URL displayed in the location bar, i.e. + // the URI that the user attempted to load. + + function getCSSClass() + { + var url = document.documentURI; + var matches = url.match(/s\=([^&]+)\&/); + // s is optional, if no match just return nothing + if (!matches || matches.length < 2) + return ""; + + // parenthetical match is the second entry + return decodeURIComponent(matches[1]); + } + + function getDescription() + { + var url = document.documentURI; + var desc = url.search(/d\=/); + + // desc == -1 if not found; if so, return an empty string + // instead of what would turn out to be portions of the URI + if (desc == -1) + return ""; + + return decodeURIComponent(url.slice(desc + 2)); + } + + function initPage() + { + // Replace the "#1" string in the intro with the hostname. Trickier + // than it might seem since we want to preserve the <b> tags, but + // not allow for any injection by just using innerHTML. Instead, + // just find the right target text node. + var intro = document.getElementById('introContentP1'); + function replaceWithHost(node) { + if (node.textContent == "#1") + node.textContent = location.host; + else + for(var i = 0; i < node.childNodes.length; i++) + replaceWithHost(node.childNodes[i]); + }; + replaceWithHost(intro); + + if (getCSSClass() == "expertBadCert") { + toggle('technicalContent'); + toggle('expertContent'); + } + + // Disallow overrides if this is a Strict-Transport-Security + // host and the cert is bad (STS Spec section 7.3) or if the + // certerror is in a frame (bug 633691). + if (getCSSClass() == "badStsCert" || window != top) + document.getElementById("expertContent").setAttribute("hidden", "true"); + + var tech = document.getElementById("technicalContentText"); + if (tech) + tech.textContent = getDescription(); + + addDomainErrorLinks(); + } + + /* Try to preserve the links contained in the error description, like + the error code. + + Also, in the case of SSL error pages about domain mismatch, see if + we can hyperlink the user to the correct site. We don't want + to do this generically since it allows MitM attacks to redirect + users to a site under attacker control, but in certain cases + it is safe (and helpful!) to do so. Bug 402210 + */ + function addDomainErrorLinks() { + // Rather than textContent, we need to treat description as HTML + var sd = document.getElementById("technicalContentText"); + if (sd) { + var desc = getDescription(); + + // sanitize description text - see bug 441169 + + // First, find the index of the <a> tags we care about, being + // careful not to use an over-greedy regex. + var codeRe = /<a id="errorCode" title="([^"]+)">/; + var codeResult = codeRe.exec(desc); + var domainRe = /<a id="cert_domain_link" title="([^"]+)">/; + var domainResult = domainRe.exec(desc); + + // The order of these links in the description is fixed in + // TransportSecurityInfo.cpp:formatOverridableCertErrorMessage. + var firstResult = domainResult; + if (!domainResult) + firstResult = codeResult; + if (!firstResult) + return; + + // Remove sd's existing children + sd.textContent = ""; + + // Everything up to the first link should be text content. + sd.appendChild(document.createTextNode(desc.slice(0, firstResult.index))); + + // Now create the actual links. + if (domainResult) { + createLink(sd, "cert_domain_link", domainResult[1]) + // Append text for anything between the two links. + sd.appendChild(document.createTextNode(desc.slice(desc.indexOf("</a>") + "</a>".length, codeResult.index))); + } + createLink(sd, "errorCode", codeResult[1]) + + // Finally, append text for anything after the last closing </a>. + sd.appendChild(document.createTextNode(desc.slice(desc.lastIndexOf("</a>") + "</a>".length))); + } + + // Then initialize the cert domain link. + var link = document.getElementById('cert_domain_link'); + if (!link) + return; + + var okHost = link.getAttribute("title"); + var thisHost = document.location.hostname; + var proto = document.location.protocol; + + // If okHost is a wildcard domain ("*.example.com") let's + // use "www" instead. "*.example.com" isn't going to + // get anyone anywhere useful. bug 432491 + okHost = okHost.replace(/^\*\./, "www."); + + /* case #1: + * example.com uses an invalid security certificate. + * + * The certificate is only valid for www.example.com + * + * Make sure to include the "." ahead of thisHost so that + * a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com" + * + * We'd normally just use a RegExp here except that we lack a + * library function to escape them properly (bug 248062), and + * domain names are famous for having '.' characters in them, + * which would allow spurious and possibly hostile matches. + */ + if (okHost.endsWith("." + thisHost)) + link.href = proto + okHost; + + /* case #2: + * browser.garage.maemo.org uses an invalid security certificate. + * + * The certificate is only valid for garage.maemo.org + */ + if (thisHost.endsWith("." + okHost)) + link.href = proto + okHost; + + // If we set a link, meaning there's something helpful for + // the user here, expand the section by default + if (link.href && getCSSClass() != "expertBadCert") + toggle("technicalContent"); + } + + function createLink(el, id, text) { + var anchorEl = document.createElement("a"); + anchorEl.setAttribute("id", id); + anchorEl.setAttribute("title", text); + anchorEl.appendChild(document.createTextNode(text)); + el.appendChild(anchorEl); + } + + function toggle(id) { + var el = document.getElementById(id); + if (el.hasAttribute("collapsed")) + el.removeAttribute("collapsed"); + else + el.setAttribute("collapsed", true); + } + ]]></script> + </head> + + <body id="errorPage" class="certerror" dir="&locale.dir;"> + + <!-- PAGE CONTAINER (for styling purposes only) --> + <div id="errorPageContainer"> + + <!-- Error Title --> + <div id="errorTitle"> + <h1 class="errorTitleText">&certerror.longpagetitle;</h1> + </div> + + <!-- LONG CONTENT (the section most likely to require scrolling) --> + <div id="errorLongContent"> + <div id="introContent"> + <p id="introContentP1">&certerror.introPara1;</p> + </div> + + <div id="whatShouldIDoContent"> + <h2>&certerror.whatShouldIDo.heading;</h2> + <div id="whatShouldIDoContentText"> + <p>&certerror.whatShouldIDo.content;</p> + <button id="getMeOutOfHereButton">&certerror.getMeOutOfHere.label;</button> + </div> + </div> + + <!-- The following sections can be unhidden by default by setting the + "browser.xul.error_pages.expert_bad_cert" pref to true --> + <div id="technicalContent" collapsed="true"> + <h2 class="expander" onclick="toggle('technicalContent');" id="technicalContentHeading">&certerror.technical.heading;</h2> + <p id="technicalContentText"/> + </div> + + <div id="expertContent" collapsed="true"> + <h2 class="expander" onclick="toggle('expertContent');" id="expertContentHeading">&certerror.expert.heading;</h2> + <div> + <p>&certerror.expert.content;</p> + <p>&certerror.expert.contentPara2;</p> + <button id="temporaryExceptionButton">&certerror.addTemporaryException.label;</button> + <button id="permanentExceptionButton">&certerror.addPermanentException.label;</button> + </div> + </div> + </div> + </div> + + <!-- + - Note: It is important to run the script this way, instead of using + - an onload handler. This is because error pages are loaded as + - LOAD_BACKGROUND, which means that onload handlers will not be executed. + --> + <script type="application/javascript">initPage();</script> + + </body> +</html> |