Make the Auth prompt DOS protection a browser-element opt-in feature.

6 files changed, 40 insertions, 14 deletions

diff --git a/application/basilisk/base/content/browser.xul b/application/basilisk/base/content/browser.xul
index 3208538c1..be64f1bac 100644
--- a/application/basilisk/base/content/browser.xul
+++ b/application/basilisk/base/content/browser.xul
@@ -997,7 +997,8 @@
                     contentcontextmenu="contentAreaContextMenu"
                     autocompletepopup="PopupAutoComplete"
                     selectmenulist="ContentSelectDropdown"
-                    datetimepicker="DateTimePickerPanel"/>
+                    datetimepicker="DateTimePickerPanel"
+                    authdosprotected="true" />
       </vbox>
       <vbox id="browser-border-end" hidden="true" layer="true"/>
     </hbox>
diff --git a/application/basilisk/base/content/tabbrowser.xml b/application/basilisk/base/content/tabbrowser.xml
index c84c333c4..52c51db69 100644
--- a/application/basilisk/base/content/tabbrowser.xml
+++ b/application/basilisk/base/content/tabbrowser.xml
@@ -25,7 +25,7 @@
               <xul:vbox flex="1" class="browserContainer">
                 <xul:stack flex="1" class="browserStack" anonid="browserStack">
                   <xul:browser anonid="initialBrowser" type="content-primary" message="true" messagemanagergroup="browsers"
-                               xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker"/>
+                               xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker,authdosprotected"/>
                 </xul:stack>
               </xul:vbox>
             </xul:hbox>
@@ -1936,6 +1936,10 @@
             if (this.hasAttribute("datetimepicker")) {
               b.setAttribute("datetimepicker", this.getAttribute("datetimepicker"));
             }
+            
+            if (this.hasAttribute("authdosprotected")) {
+              b.setAttribute("authdosprotected", this.getAttribute("authdosprotected"));
+            }
 
             b.setAttribute("autoscrollpopup", this._autoScrollPopup.id);
 
diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul
index ce2a7c5a8..ddc305a7b 100644
--- a/application/palemoon/base/content/browser.xul
+++ b/application/palemoon/base/content/browser.xul
@@ -965,7 +965,8 @@
                   tabcontainer="tabbrowser-tabs"
                   contentcontextmenu="contentAreaContextMenu"
                   autocompletepopup="PopupAutoComplete"
-                  datetimepicker="DateTimePickerPanel"/>
+                  datetimepicker="DateTimePickerPanel"
+                  authdosprotected="true"/>
       <chatbar id="pinnedchats" layer="true" mousethrough="always" hidden="true"/>
       <statuspanel id="statusbar-display" inactive="true"/>
     </vbox>
diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml
index c3b4872db..cbe029af0 100644
--- a/application/palemoon/base/content/tabbrowser.xml
+++ b/application/palemoon/base/content/tabbrowser.xml
@@ -30,7 +30,7 @@
               <xul:vbox flex="1" class="browserContainer">
                 <xul:stack flex="1" class="browserStack" anonid="browserStack">
                   <xul:browser anonid="initialBrowser" type="content-primary" message="true" disablehistory="true"
-                               xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker"/>
+                               xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker,authdosprotected"/>
                 </xul:stack>
               </xul:vbox>
             </xul:hbox>
@@ -1588,6 +1588,10 @@
             if (this.hasAttribute("datetimepicker")) {
               b.setAttribute("datetimepicker", this.getAttribute("datetimepicker"));
             }
+            
+            if (this.hasAttribute("authdosprotected")) {
+              b.setAttribute("authdosprotected", this.getAttribute("authdosprotected"));
+            }
 
             // Create the browserStack container
             var stack = document.createElementNS(NS_XUL, "stack");
diff --git a/toolkit/components/passwordmgr/nsLoginManagerPrompter.js b/toolkit/components/passwordmgr/nsLoginManagerPrompter.js
index 35315110c..c4be39e31 100644
--- a/toolkit/components/passwordmgr/nsLoginManagerPrompter.js
+++ b/toolkit/components/passwordmgr/nsLoginManagerPrompter.js
@@ -103,7 +103,7 @@ LoginManagerPromptFactory.prototype = {
     // cancel the prompt until we stop showing it.
     let browser = prompter._browser;
     let baseDomain = null;
-    if (browser) {
+    if (browser && browser.isAuthDOSProtected) {
       try {
         baseDomain = Services.eTLD.getBaseDomainFromHost(hostname);
       } catch (e) {
@@ -145,7 +145,7 @@ LoginManagerPromptFactory.prototype = {
           prompt.inProgress = false;
           self._asyncPromptInProgress = false;
 
-          if (browser) {
+          if (browser && browser.isAuthDOSProtected) {
             // Reset the counter state if the user replied to a prompt and actually
             // tried to login (vs. simply clicking any button to get out).
             if (ok && (prompt.authInfo.username || prompt.authInfo.password)) {
@@ -177,15 +177,27 @@ LoginManagerPromptFactory.prototype = {
 
     var cancelDialogLimit = Services.prefs.getIntPref("prompts.authentication_dialog_abuse_limit");
 
-    let cancelationCounter = browser.authPromptCounter[baseDomain];
-    this.log("cancelationCounter =", cancelationCounter);
-    if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) {
-      this.log("Blocking auth dialog, due to exceeding dialog bloat limit");
-      delete this._asyncPrompts[hashKey];
-
-      // just make the runnable cancel all consumers
-      runnable.cancel = true;
+    // Block the auth prompt if:
+    // - There is an attached browser element
+    // - The browser element has opted-in to DOS protection
+    // - The dialog cancellation limit is not 0 (= feature disabled)
+    // - The amount of cancellations >= the set abuse limit
+    if (browser && browser.isAuthDOSProtected) {
+      let cancelationCounter = browser.authPromptCounter[baseDomain];
+      this.log("cancelationCounter =", cancelationCounter);
+
+      if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) {
+        this.log("Blocking auth dialog, due to exceeding dialog bloat limit");
+        delete this._asyncPrompts[hashKey];
+
+        // just make the runnable cancel all consumers
+        runnable.cancel = true;
+      } else {
+        this._asyncPromptInProgress = true;
+        prompt.inProgress = true;
+      }
     } else {
+      // No DOS protection: prompt
       this._asyncPromptInProgress = true;
       prompt.inProgress = true;
     }
diff --git a/toolkit/content/widgets/browser.xml b/toolkit/content/widgets/browser.xml
index a30ff1c43..5a0a99bf8 100644
--- a/toolkit/content/widgets/browser.xml
+++ b/toolkit/content/widgets/browser.xml
@@ -899,6 +899,10 @@
 
       <field name="mIconURL">null</field>
 
+      <property name="isAuthDOSProtected"
+                onget="return (this.getAttribute('authdosprotected') == 'true');"
+                readonly="true"/>
+
       <!-- This is managed by the tabbrowser -->
       <field name="lastURI">null</field>