From c1ece93c2be6fb571a013f9735dc629d7279f389 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Fri, 1 Mar 2019 14:01:09 +0100
Subject: Make the Auth prompt DOS protection a browser-element opt-in feature.

---
 .../passwordmgr/nsLoginManagerPrompter.js          | 32 +++++++++++++++-------
 toolkit/content/widgets/browser.xml                |  4 +++
 2 files changed, 26 insertions(+), 10 deletions(-)

(limited to 'toolkit')

diff --git a/toolkit/components/passwordmgr/nsLoginManagerPrompter.js b/toolkit/components/passwordmgr/nsLoginManagerPrompter.js
index 35315110c..c4be39e31 100644
--- a/toolkit/components/passwordmgr/nsLoginManagerPrompter.js
+++ b/toolkit/components/passwordmgr/nsLoginManagerPrompter.js
@@ -103,7 +103,7 @@ LoginManagerPromptFactory.prototype = {
     // cancel the prompt until we stop showing it.
     let browser = prompter._browser;
     let baseDomain = null;
-    if (browser) {
+    if (browser && browser.isAuthDOSProtected) {
       try {
         baseDomain = Services.eTLD.getBaseDomainFromHost(hostname);
       } catch (e) {
@@ -145,7 +145,7 @@ LoginManagerPromptFactory.prototype = {
           prompt.inProgress = false;
           self._asyncPromptInProgress = false;
 
-          if (browser) {
+          if (browser && browser.isAuthDOSProtected) {
             // Reset the counter state if the user replied to a prompt and actually
             // tried to login (vs. simply clicking any button to get out).
             if (ok && (prompt.authInfo.username || prompt.authInfo.password)) {
@@ -177,15 +177,27 @@ LoginManagerPromptFactory.prototype = {
 
     var cancelDialogLimit = Services.prefs.getIntPref("prompts.authentication_dialog_abuse_limit");
 
-    let cancelationCounter = browser.authPromptCounter[baseDomain];
-    this.log("cancelationCounter =", cancelationCounter);
-    if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) {
-      this.log("Blocking auth dialog, due to exceeding dialog bloat limit");
-      delete this._asyncPrompts[hashKey];
-
-      // just make the runnable cancel all consumers
-      runnable.cancel = true;
+    // Block the auth prompt if:
+    // - There is an attached browser element
+    // - The browser element has opted-in to DOS protection
+    // - The dialog cancellation limit is not 0 (= feature disabled)
+    // - The amount of cancellations >= the set abuse limit
+    if (browser && browser.isAuthDOSProtected) {
+      let cancelationCounter = browser.authPromptCounter[baseDomain];
+      this.log("cancelationCounter =", cancelationCounter);
+
+      if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) {
+        this.log("Blocking auth dialog, due to exceeding dialog bloat limit");
+        delete this._asyncPrompts[hashKey];
+
+        // just make the runnable cancel all consumers
+        runnable.cancel = true;
+      } else {
+        this._asyncPromptInProgress = true;
+        prompt.inProgress = true;
+      }
     } else {
+      // No DOS protection: prompt
       this._asyncPromptInProgress = true;
       prompt.inProgress = true;
     }
diff --git a/toolkit/content/widgets/browser.xml b/toolkit/content/widgets/browser.xml
index a30ff1c43..5a0a99bf8 100644
--- a/toolkit/content/widgets/browser.xml
+++ b/toolkit/content/widgets/browser.xml
@@ -899,6 +899,10 @@
 
       <field name="mIconURL">null</field>
 
+      <property name="isAuthDOSProtected"
+                onget="return (this.getAttribute('authdosprotected') == 'true');"
+                readonly="true"/>
+
       <!-- This is managed by the tabbrowser -->
       <field name="lastURI">null</field>
 
-- 
cgit v1.2.3