From c962e2051a1f3767a221254487bcfc6d53aa59a1 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Thu, 28 Feb 2019 10:02:19 +0100
Subject: WIP fix 1
---
application/palemoon/base/content/browser.js | 5 +++++
application/palemoon/base/content/tabbrowser.xml | 5 ++++-
application/palemoon/base/content/urlbarBindings.xml | 4 ++++
3 files changed, 13 insertions(+), 1 deletion(-)
(limited to 'application/palemoon')
diff --git a/application/palemoon/base/content/browser.js b/application/palemoon/base/content/browser.js
index 3feeef9b6..4e753d422 100644
--- a/application/palemoon/base/content/browser.js
+++ b/application/palemoon/base/content/browser.js
@@ -2661,6 +2661,11 @@ function getWebNavigation()
 }
 
 function BrowserReloadWithFlags(reloadFlags) {
+
+ // Reset DOS mitigation for auth prompts when user initiates a reload.
+ let browser = gBrowser.selectedBrowser;
+ delete browser.authPromptCounter;
+
 /* First, we'll try to use the session history object to reload so
 * that framesets are handled properly. If we're in a special
 * window (such as view-source) that has no session history, fall
diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml
index 988cae55c..c3b4872db 100644
--- a/application/palemoon/base/content/tabbrowser.xml
+++ b/application/palemoon/base/content/tabbrowser.xml
@@ -2458,7 +2458,10 @@
diff --git a/application/palemoon/base/content/urlbarBindings.xml b/application/palemoon/base/content/urlbarBindings.xml
index d188e6658..d2d9cc720 100644
--- a/application/palemoon/base/content/urlbarBindings.xml
+++ b/application/palemoon/base/content/urlbarBindings.xml
@@ -302,6 +302,10 @@
 // but don't let that interfere with the loading of the url.
 Cu.reportError(ex);
 }
+
+ // Reset DOS mitigations for the basic auth prompt.
+ let browser = gBrowser.selectedBrowser;
+ delete browser.authPromptCounter;
 
 function loadCurrent() {
 let flags = Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP;
-- cgit v1.2.3
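Review bot: In the browser.js hunk the counter is cleared unconditionally at the top of BrowserReloadWithFlags, so every caller of this function lifts the auth-prompt limit for `gBrowser.selectedBrowser`, while the comment only describes the user-initiated case without stating it as a requirement. The protection relies on content-triggered reloads never reaching this path, so I would spell the invariant out, e.g. `// Callers must be user-initiated UI commands only; a content-reachable caller would let a page reset its own auth prompt limit.` The rest of the function body lies outside the hunk, so whether all callers really are UI commands cannot be confirmed from here. The same two-line reset is repeated in the urlbarBindings.xml hunk; a small shared helper would keep the reset points from drifting apart.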
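Review bot: In the urlbarBindings.xml hunk the reset always targets `gBrowser.selectedBrowser` and runs before `function loadCurrent()` is even defined, so it happens regardless of where the typed URL ends up. If this handler can also open the URL in a new tab or window (a dedicated `loadCurrent` suggests other destinations exist, but that code is outside the hunk), the current tab's counter is cleared although that tab never navigates. Consider moving the two lines into `loadCurrent()` so that only a load in the selected browser clears its counter, or add a comment saying why clearing it up front is intended. The enclosing handler starts and ends outside the hunk.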
From c08b490c5c44f5f04049f408ad0848e9843f0702 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Thu, 28 Feb 2019 13:58:23 +0100
Subject: Move default-enable pref to application.
---
application/palemoon/app/profile/palemoon.js | 8 ++++++++
1 file changed, 8 insertions(+)
(limited to 'application/palemoon')
diff --git a/application/palemoon/app/profile/palemoon.js b/application/palemoon/app/profile/palemoon.js
index 43f020f9a..3df5d7194 100644
--- a/application/palemoon/app/profile/palemoon.js
+++ b/application/palemoon/app/profile/palemoon.js
@@ -1160,6 +1160,14 @@ pref("toolkit.pageThumbs.minHeight", 180);
 pref("ui.key.menuAccessKeyFocuses", true);
 #endif
 
+// When a user cancels this number of authentication dialogs coming from
+// a single web page (eTLD+1) in a row, all following authentication dialogs
+// will be blocked (automatically canceled) for that page.
+// This counter is per-tab and per-domain to minimize false positives.
+// The counter resets when the page is reloaded from the UI
+// (content-reloads do NOT clear this to mitigate reloading tricks).
+pref("prompts.authentication_dialog_abuse_limit", 3);
+
 // ****************** s4e prefs ******************
 pref("status4evar.addonbar.borderStyle", false);
 pref("status4evar.addonbar.closeButton", false);
-- cgit v1.2.3
From c1ece93c2be6fb571a013f9735dc629d7279f389 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Fri, 1 Mar 2019 14:01:09 +0100
Subject: Make the Auth prompt DOS protection a browser-element opt-in feature.
---
application/palemoon/base/content/browser.xul | 3 ++-
application/palemoon/base/content/tabbrowser.xml | 6 +++++-
2 files changed, 7 insertions(+), 2 deletions(-)
(limited to 'application/palemoon')
diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul
index ce2a7c5a8..ddc305a7b 100644
--- a/application/palemoon/base/content/browser.xul
+++ b/application/palemoon/base/content/browser.xul
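Review bot: The comment added above `prompts.authentication_dialog_abuse_limit` in palemoon.js does not say what a value other than a positive count means, so a user or administrator cannot tell from here how to switch the protection off or what `0` does. The code that reads the pref is not part of this diff, so the semantics have to be confirmed there and then stated in one extra comment line, e.g. `// <value> disables the limit; 0 means <behaviour>.` with the placeholders filled in from the consumer. The comment also describes the scope both as "a single web page (eTLD+1)" and as "per-domain"; using one term would remove doubt about whether subdomains share a counter.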
@@ -965,7 +965,8 @@
 tabcontainer="tabbrowser-tabs"
 contentcontextmenu="contentAreaContextMenu"
 autocompletepopup="PopupAutoComplete"
- datetimepicker="DateTimePickerPanel"/>
+ datetimepicker="DateTimePickerPanel"
+ authdosprotected="true"/>