diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-08-05 11:35:53 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-08-05 11:35:53 +0200 |
commit | 6bd66b1728eeddb058066edda740aaeb2ceaec23 (patch) | |
tree | 985faf01c526763515731569fa01a99f4dbef36e /application/palemoon/base/content | |
parent | e0a8dcfed131ffa58a5e2cb1d30fe48c745c2fdc (diff) | |
parent | 559824514dc95e02fbe81f1786e6ac13ee8e9d55 (diff) | |
download | UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar.gz UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar.lz UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.tar.xz UXP-6bd66b1728eeddb058066edda740aaeb2ceaec23.zip |
Merge branch 'master' into js-modules
Diffstat (limited to 'application/palemoon/base/content')
11 files changed, 142 insertions, 254 deletions
diff --git a/application/palemoon/base/content/aboutDialog.xul b/application/palemoon/base/content/aboutDialog.xul index 743ff21df..5c344f55d 100644 --- a/application/palemoon/base/content/aboutDialog.xul +++ b/application/palemoon/base/content/aboutDialog.xul @@ -88,6 +88,7 @@ </vbox> <description class="text-pmcreds"> +#if defined(MOZ_OFFICIAL_BRANDING) || defined(MC_OFFICIAL) #ifdef MC_PRIVATE_BUILD This is a private build of Pale Moon. If you did not manually build this copy from source yourself, then please download an official version from the <label class="text-link" href="http://www.palemoon.org/">Pale Moon website</label>. #else @@ -100,6 +101,12 @@ If you wish to contribute, please consider helping out by providing support to other users on the <label class="text-link" href="https://forum.palemoon.org/">Pale Moon forum</label> or getting involved in our development by tackling some of the issues found in our GitHub issue tracker. #endif +#else + &brandFullName; is released by &vendorShortName;. + </description> + <description class="text-blurb"> + This is an unofficial build of Pale Moon. For official builds, please go to <label class="text-link" href="http://www.palemoon.org/">the Pale Moon website</label>. +#endif </description> </vbox> </vbox> diff --git a/application/palemoon/base/content/baseMenuOverlay.xul b/application/palemoon/base/content/baseMenuOverlay.xul index f61348c9f..e9019dc55 100644 --- a/application/palemoon/base/content/baseMenuOverlay.xul +++ b/application/palemoon/base/content/baseMenuOverlay.xul @@ -41,7 +41,7 @@ label="&helpMenu.label;" accesskey="&helpMenu.accesskey;"> #endif - <menupopup id="menu_HelpPopup" onpopupshowing="buildHelpMenu();"> + <menupopup id="menu_HelpPopup"> <menuitem id="menu_openHelp" oncommand="openHelpLink('firefox-help')" onclick="checkForMiddleClick(this, event);" diff --git a/application/palemoon/base/content/blockedSite.xhtml b/application/palemoon/base/content/blockedSite.xhtml deleted file mode 100644 index b56875eb6..000000000 --- a/application/palemoon/base/content/blockedSite.xhtml +++ /dev/null @@ -1,193 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> - -<!DOCTYPE html [ - <!ENTITY % htmlDTD PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> - %htmlDTD; - <!ENTITY % globalDTD SYSTEM "chrome://global/locale/global.dtd"> - %globalDTD; - <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" > - %brandDTD; - <!ENTITY % blockedSiteDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd"> - %blockedSiteDTD; -]> - -<!-- This Source Code Form is subject to the terms of the Mozilla Public - - License, v. 2.0. If a copy of the MPL was not distributed with this - - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> - -<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist"> - <head> - <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" /> - <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/> - - <script type="application/javascript"><![CDATA[ - // Error url MUST be formatted like this: - // about:blocked?e=error_code&u=url - - // Note that this file uses document.documentURI to get - // the URL (with the format from above). This is because - // document.location.href gets the current URI off the docshell, - // which is the URL displayed in the location bar, i.e. - // the URI that the user attempted to load. - - function getErrorCode() - { - var url = document.documentURI; - var error = url.search(/e\=/); - var duffUrl = url.search(/\&u\=/); - return decodeURIComponent(url.slice(error + 2, duffUrl)); - } - - function getURL() - { - var url = document.documentURI; - var match = url.match(/&u=([^&]+)&/); - - // match == null if not found; if so, return an empty string - // instead of what would turn out to be portions of the URI - if (!match) - return ""; - - url = decodeURIComponent(match[1]); - - // If this is a view-source page, then get then real URI of the page - if (url.startsWith("view-source:")) - url = url.slice(12); - return url; - } - - /** - * Attempt to get the hostname via document.location. Fail back - * to getURL so that we always return something meaningful. - */ - function getHostString() - { - try { - return document.location.hostname; - } catch (e) { - return getURL(); - } - } - - function initPage() - { - // Handoff to the appropriate initializer, based on error code - switch (getErrorCode()) { - case "malwareBlocked" : - initPage_malware(); - break; - case "phishingBlocked" : - initPage_phishing(); - break; - } - } - - /** - * Initialize custom strings and functionality for blocked malware case - */ - function initPage_malware() - { - // Remove phishing strings - var el = document.getElementById("errorTitleText_phishing"); - el.parentNode.removeChild(el); - - el = document.getElementById("errorShortDescText_phishing"); - el.parentNode.removeChild(el); - - el = document.getElementById("errorLongDescText_phishing"); - el.parentNode.removeChild(el); - - // Set sitename - document.getElementById("malware_sitename").textContent = getHostString(); - document.title = document.getElementById("errorTitleText_malware") - .innerHTML; - } - - /** - * Initialize custom strings and functionality for blocked phishing case - */ - function initPage_phishing() - { - // Remove malware strings - var el = document.getElementById("errorTitleText_malware"); - el.parentNode.removeChild(el); - - el = document.getElementById("errorShortDescText_malware"); - el.parentNode.removeChild(el); - - el = document.getElementById("errorLongDescText_malware"); - el.parentNode.removeChild(el); - - // Set sitename - document.getElementById("phishing_sitename").textContent = getHostString(); - document.title = document.getElementById("errorTitleText_phishing") - .innerHTML; - } - ]]></script> - <style type="text/css"> - /* Style warning button to look like a small text link in the - bottom right. This is preferable to just using a text link - since there is already a mechanism in browser.js for trapping - oncommand events from unprivileged chrome pages (BrowserOnCommand).*/ - #ignoreWarningButton { - -moz-appearance: none; - background: transparent; - border: none; - color: white; /* Hard coded because netError.css forces this page's background to dark red */ - text-decoration: underline; - margin: 0; - padding: 0; - position: relative; - top: 23px; - left: 20px; - font-size: smaller; - } - - #ignoreWarning { - text-align: right; - } - </style> - </head> - - <body dir="&locale.dir;"> - <div id="errorPageContainer"> - - <!-- Error Title --> - <div id="errorTitle"> - <h1 id="errorTitleText_phishing">&safeb.blocked.phishingPage.title;</h1> - <h1 id="errorTitleText_malware">&safeb.blocked.malwarePage.title;</h1> - </div> - - <div id="errorLongContent"> - - <!-- Short Description --> - <div id="errorShortDesc"> - <p id="errorShortDescText_phishing">&safeb.blocked.phishingPage.shortDesc;</p> - <p id="errorShortDescText_malware">&safeb.blocked.malwarePage.shortDesc;</p> - </div> - - <!-- Long Description --> - <div id="errorLongDesc"> - <p id="errorLongDescText_phishing">&safeb.blocked.phishingPage.longDesc;</p> - <p id="errorLongDescText_malware">&safeb.blocked.malwarePage.longDesc;</p> - </div> - - <!-- Action buttons --> - <div id="buttons"> - <!-- Commands handled in browser.js --> - <button id="getMeOutButton">&safeb.palm.accept.label;</button> - <button id="reportButton">&safeb.palm.reportPage.label;</button> - </div> - </div> - <div id="ignoreWarning"> - <button id="ignoreWarningButton">&safeb.palm.decline.label;</button> - </div> - </div> - <!-- - - Note: It is important to run the script this way, instead of using - - an onload handler. This is because error pages are loaded as - - LOAD_BACKGROUND, which means that onload handlers will not be executed. - --> - <script type="application/javascript">initPage();</script> - </body> -</html> diff --git a/application/palemoon/base/content/browser-fullScreen.js b/application/palemoon/base/content/browser-fullScreen.js index 6afd247be..b1235a8d3 100644 --- a/application/palemoon/base/content/browser-fullScreen.js +++ b/application/palemoon/base/content/browser-fullScreen.js @@ -53,6 +53,18 @@ var FullScreen = { document.addEventListener("popupshown", this._setPopupOpen, false); document.addEventListener("popuphidden", this._setPopupOpen, false); this._shouldAnimate = true; + // If it is not safe to collapse, add the mouse position tracker or + // else it won't be possible to hide the navigation toolbox again + if (!this._safeToCollapse(document.mozFullScreen)) { + let rect = gBrowser.mPanelContainer.getBoundingClientRect(); + this._mouseTargetRect = { + top: rect.top + 50, + bottom: rect.bottom, + left: rect.left, + right: rect.right + }; + MousePosTracker.addListener(this); + } // We don't animate the toolbar collapse if in DOM full-screen mode, // as the size of the content area would still be changing after the // mozfullscreenchange event fired, which could confuse content script. diff --git a/application/palemoon/base/content/browser.js b/application/palemoon/base/content/browser.js index 386bd418b..7421fc5c3 100644 --- a/application/palemoon/base/content/browser.js +++ b/application/palemoon/base/content/browser.js @@ -1051,6 +1051,8 @@ var gBrowserInit = { // [3]: postData (nsIInputStream) // [4]: allowThirdPartyFixup (bool) // [5]: referrerPolicy (int) + // [6]: originPrincipal (nsIPrincipal) + // [7]: triggeringPrincipal (nsIPrincipal) else if (window.arguments.length >= 3) { let referrerURI = window.arguments[2]; if (typeof(referrerURI) == "string") { @@ -1063,7 +1065,10 @@ var gBrowserInit = { let referrerPolicy = (window.arguments[5] != undefined ? window.arguments[5] : Ci.nsIHttpChannel.REFERRER_POLICY_DEFAULT); loadURI(uriToLoad, referrerURI, window.arguments[3] || null, - window.arguments[4] || false, referrerPolicy); + window.arguments[4] || false, referrerPolicy, + // pass the origin principal (if any) and force its use to create + // an initial about:blank viewer if present: + window.arguments[6], !!window.arguments[6], window.arguments[7]); window.focus(); } // Note: loadOneOrMoreURIs *must not* be called if window.arguments.length >= 3. @@ -1952,7 +1957,9 @@ function BrowserTryToCloseWindow() window.close(); // WindowIsClosing does all the necessary checks } -function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy) { +function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy, + originPrincipal, forceAboutBlankViewerInCurrent, + triggeringPrincipal) { if (postData === undefined) postData = null; @@ -1968,6 +1975,9 @@ function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy) referrerURI: referrer, referrerPolicy: referrerPolicy, postData: postData, + originPrincipal: originPrincipal, + triggeringPrincipal: triggeringPrincipal, + forceAboutBlankViewerInCurrent: forceAboutBlankViewerInCurrent, }); } catch (e) {} } @@ -4395,9 +4405,11 @@ nsBrowserAccess.prototype = { } let referrer = aOpener ? makeURI(aOpener.location.href) : null; + let triggeringPrincipal = null; let referrerPolicy = Ci.nsIHttpChannel.REFERRER_POLICY_DEFAULT; if (aOpener && aOpener.document) { referrerPolicy = aOpener.document.referrerPolicy; + triggeringPrincipal = aOpener.document.nodePrincipal; } switch (aWhere) { @@ -4437,6 +4449,7 @@ nsBrowserAccess.prototype = { let referrer = aOpener ? makeURI(aOpener.location.href) : null; let tab = win.gBrowser.loadOneTab(aURI ? aURI.spec : "about:blank", { + triggeringPrincipal: triggeringPrincipal, referrerURI: referrer, referrerPolicy: referrerPolicy, fromExternal: isExternal, @@ -4459,6 +4472,7 @@ nsBrowserAccess.prototype = { Ci.nsIWebNavigation.LOAD_FLAGS_NONE; gBrowser.loadURIWithFlags(aURI.spec, { flags: loadflags, + triggeringPrincipal: triggeringPrincipal, referrerURI: referrer, referrerPolicy: referrerPolicy, }); @@ -5192,7 +5206,9 @@ function handleLinkClick(event, href, linkNode) { urlSecurityCheck(href, doc.nodePrincipal); openLinkIn(href, where, { referrerURI: doc.documentURIObject, charset: doc.characterSet, - referrerPolicy: doc.referrerPolicy }); + referrerPolicy: doc.referrerPolicy, + originPrincipal: doc.nodePrincipal, + triggeringPrincipal: doc.nodePrincipal }); event.preventDefault(); return true; } diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul index 254e2eee0..90899bb88 100644 --- a/application/palemoon/base/content/browser.xul +++ b/application/palemoon/base/content/browser.xul @@ -334,7 +334,9 @@ </button> </hbox> #endif +#ifndef XP_MACOSX <spacer id="titlebar-spacer" flex="1"/> +#endif <hbox id="titlebar-buttonbox-container" align="start"> <hbox id="titlebar-buttonbox"> <toolbarbutton class="titlebar-button" id="titlebar-min" oncommand="window.minimize();"/> diff --git a/application/palemoon/base/content/nsContextMenu.js b/application/palemoon/base/content/nsContextMenu.js index 738868ccb..19b2fac77 100644 --- a/application/palemoon/base/content/nsContextMenu.js +++ b/application/palemoon/base/content/nsContextMenu.js @@ -754,7 +754,9 @@ nsContextMenu.prototype = { openLinkIn(this.linkURL, "window", { charset: doc.characterSet, referrerURI: doc.documentURIObject, - referrerPolicy: doc.referrerPolicy }); + referrerPolicy: doc.referrerPolicy, + originPrincipal: doc.nodePrincipal, + triggeringPrincipal: doc.nodePrincipal }); }, // Open linked-to URL in a new private window. @@ -765,6 +767,8 @@ nsContextMenu.prototype = { { charset: doc.characterSet, referrerURI: doc.documentURIObject, referrerPolicy: doc.referrerPolicy, + originPrincipal: doc.nodePrincipal, + triggeringPrincipal: doc.nodePrincipal, private: true }); }, @@ -775,7 +779,9 @@ nsContextMenu.prototype = { openLinkIn(this.linkURL, "tab", { charset: doc.characterSet, referrerURI: doc.documentURIObject, - referrerPolicy: doc.referrerPolicy }); + referrerPolicy: doc.referrerPolicy, + originPrincipal: doc.nodePrincipal, + triggeringPrincipal: doc.nodePrincipal }); }, // open URL in current tab @@ -784,7 +790,9 @@ nsContextMenu.prototype = { urlSecurityCheck(this.linkURL, doc.nodePrincipal); openLinkIn(this.linkURL, "current", { charset: doc.characterSet, - referrerURI: doc.documentURIObject }); + referrerURI: doc.documentURIObject, + originPrincipal: doc.nodePrincipal, + triggeringPrincipal: doc.nodePrincipal }); }, // Open frame in a new tab. diff --git a/application/palemoon/base/content/pageinfo/permissions.js b/application/palemoon/base/content/pageinfo/permissions.js index 5d25a800d..4f8382f66 100644 --- a/application/palemoon/base/content/pageinfo/permissions.js +++ b/application/palemoon/base/content/pageinfo/permissions.js @@ -217,14 +217,20 @@ function fillInPluginPermissionTemplate(aPermissionString, aPluginObject) { .cloneNode(true); permPluginTemplate.setAttribute("permString", aPermissionString); permPluginTemplate.setAttribute("tooltiptext", aPluginObject.description); - let attrs = [ - [ ".permPluginTemplateLabel", "value", aPluginObject.name ], - [ ".permPluginTemplateRadioGroup", "id", aPermissionString + "RadioGroup" ], - [ ".permPluginTemplateRadioDefault", "id", aPermissionString + "#0" ], - [ ".permPluginTemplateRadioAsk", "id", aPermissionString + "#3" ], - [ ".permPluginTemplateRadioAllow", "id", aPermissionString + "#1" ], - [ ".permPluginTemplateRadioBlock", "id", aPermissionString + "#2" ] - ]; + let attrs = []; + attrs.push([".permPluginTemplateLabel", "value", aPluginObject.name]); + attrs.push([".permPluginTemplateRadioGroup", "id", aPermissionString + "RadioGroup"]); + attrs.push([".permPluginTemplateRadioDefault", "id", aPermissionString + "#0"]); + let permPluginTemplateRadioAsk = ".permPluginTemplateRadioAsk"; + if (Services.prefs.getBoolPref("plugins.click_to_play") || + aPluginObject.vulnerable) { + attrs.push([permPluginTemplateRadioAsk, "id", aPermissionString + "#3"]); + } else { + permPluginTemplate.querySelector(permPluginTemplateRadioAsk) + .setAttribute("disabled", "true"); + } + attrs.push([".permPluginTemplateRadioAllow", "id", aPermissionString + "#1"]); + attrs.push([".permPluginTemplateRadioBlock", "id", aPermissionString + "#2"]); for (let attr of attrs) { permPluginTemplate.querySelector(attr[0]).setAttribute(attr[1], attr[2]); @@ -264,13 +270,16 @@ function initPluginsRow() { } let permString = pluginHost.getPermissionStringForType(mimeType); if (!permissionMap.has(permString)) { - var name = makeNicePluginName(plugin.name) + " " + plugin.version; + let name = makeNicePluginName(plugin.name) + " " + plugin.version; + let vulnerable = false; if (permString.startsWith("plugin-vulnerable:")) { name += " \u2014 " + vulnerableLabel; + vulnerable = true; } permissionMap.set(permString, { "name": name, "description": plugin.description, + "vulnerable": vulnerable }); } } diff --git a/application/palemoon/base/content/report-phishing-overlay.xul b/application/palemoon/base/content/report-phishing-overlay.xul deleted file mode 100644 index 76baf01da..000000000 --- a/application/palemoon/base/content/report-phishing-overlay.xul +++ /dev/null @@ -1,35 +0,0 @@ -<?xml version="1.0"?> -<!-- This Source Code Form is subject to the terms of the Mozilla Public - - License, v. 2.0. If a copy of the MPL was not distributed with this - - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> - -<!DOCTYPE overlay [ -<!ENTITY % reportphishDTD SYSTEM "chrome://browser/locale/safebrowsing/report-phishing.dtd"> -%reportphishDTD; -<!ENTITY % safebrowsingDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd"> -%safebrowsingDTD; -]> - -<overlay id="reportPhishingMenuOverlay" - xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> - <broadcasterset id="mainBroadcasterSet"> - <broadcaster id="reportPhishingBroadcaster" disabled="true"/> - <broadcaster id="reportPhishingErrorBroadcaster" disabled="true"/> - </broadcasterset> - <menupopup id="menu_HelpPopup"> - <menuitem id="menu_HelpPopup_reportPhishingtoolmenu" - label="&reportPhishSiteMenu.title2;" - accesskey="&reportPhishSiteMenu.accesskey;" - insertbefore="aboutSeparator" - observes="reportPhishingBroadcaster" - oncommand="openUILink(gSafeBrowsing.getReportURL('Phish'), event);" - onclick="checkForMiddleClick(this, event);"/> - <menuitem id="menu_HelpPopup_reportPhishingErrortoolmenu" - label="&safeb.palm.notforgery.label2;" - accesskey="&reportPhishSiteMenu.accesskey;" - insertbefore="aboutSeparator" - observes="reportPhishingErrorBroadcaster" - oncommand="openUILinkIn(gSafeBrowsing.getReportURL('Error'), 'tab');" - onclick="checkForMiddleClick(this, event);"/> - </menupopup> -</overlay> diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml index ea68d00ad..d5735149e 100644 --- a/application/palemoon/base/content/tabbrowser.xml +++ b/application/palemoon/base/content/tabbrowser.xml @@ -1313,13 +1313,16 @@ <parameter name="aAllowThirdPartyFixup"/> <body> <![CDATA[ + var aTriggeringPrincipal; var aReferrerPolicy; var aFromExternal; var aRelatedToCurrent; + var aOriginPrincipal; if (arguments.length == 2 && typeof arguments[1] == "object" && !(arguments[1] instanceof Ci.nsIURI)) { let params = arguments[1]; + aTriggeringPrincipal = params.triggeringPrincipal; aReferrerURI = params.referrerURI; aReferrerPolicy = params.referrerPolicy; aCharset = params.charset; @@ -1328,12 +1331,14 @@ aAllowThirdPartyFixup = params.allowThirdPartyFixup; aFromExternal = params.fromExternal; aRelatedToCurrent = params.relatedToCurrent; + aOriginPrincipal = params.originPrincipal; } var bgLoad = (aLoadInBackground != null) ? aLoadInBackground : Services.prefs.getBoolPref("browser.tabs.loadInBackground"); var owner = bgLoad ? null : this.selectedTab; var tab = this.addTab(aURI, { + triggeringPrincipal: aTriggeringPrincipal, referrerURI: aReferrerURI, referrerPolicy: aReferrerPolicy, charset: aCharset, @@ -1341,6 +1346,7 @@ ownerTab: owner, allowThirdPartyFixup: aAllowThirdPartyFixup, fromExternal: aFromExternal, + originPrincipal: aOriginPrincipal, relatedToCurrent: aRelatedToCurrent}); if (!bgLoad) this.selectedTab = tab; @@ -1461,14 +1467,17 @@ <body> <![CDATA[ const NS_XUL = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"; + var aTriggeringPrincipal; var aReferrerPolicy; var aFromExternal; var aRelatedToCurrent; var aSkipAnimation; + var aOriginPrincipal; if (arguments.length == 2 && typeof arguments[1] == "object" && !(arguments[1] instanceof Ci.nsIURI)) { let params = arguments[1]; + aTriggeringPrincipal = params.triggeringPrincipal; aReferrerURI = params.referrerURI; aReferrerPolicy = params.referrerPolicy; aCharset = params.charset; @@ -1478,6 +1487,7 @@ aFromExternal = params.fromExternal; aRelatedToCurrent = params.relatedToCurrent; aSkipAnimation = params.skipAnimation; + aOriginPrincipal = params.originPrincipal; } // if we're adding tabs, we're past interrupt mode, ditch the owner @@ -1486,6 +1496,11 @@ var t = document.createElementNS(NS_XUL, "tab"); + let aURIObject = null; + try { + aURIObject = Services.io.newURI(aURI || "about:blank"); + } catch (ex) { /* we'll try to fix up this URL later */ } + var uriIsAboutBlank = !aURI || aURI == "about:blank"; if (!aURI || isBlankPageURL(aURI)) @@ -1625,6 +1640,16 @@ evt.initEvent("TabOpen", true, false); t.dispatchEvent(evt); + if (aOriginPrincipal && aURI) { + let {URI_INHERITS_SECURITY_CONTEXT} = Ci.nsIProtocolHandler; + // Unless we know for sure we're not inheriting principals, + // force the about:blank viewer to have the right principal: + if (!aURIObject || + (Services.io.getProtocolFlags(aURIObject.scheme) & URI_INHERITS_SECURITY_CONTEXT)) { + b.createAboutBlankContentViewer(aOriginPrincipal); + } + } + // If we didn't swap docShells with a preloaded browser // then let's just continue loading the page normally. if (!docShellsSwapped && !uriIsAboutBlank) { @@ -1643,6 +1668,7 @@ try { b.loadURIWithFlags(aURI, { flags: flags, + triggeringPrincipal: aTriggeringPrincipal, referrerURI: aReferrerURI, referrerPolicy: aReferrerPolicy, charset: aCharset, diff --git a/application/palemoon/base/content/utilityOverlay.js b/application/palemoon/base/content/utilityOverlay.js index 63488e209..2c1a95f83 100644 --- a/application/palemoon/base/content/utilityOverlay.js +++ b/application/palemoon/base/content/utilityOverlay.js @@ -230,6 +230,10 @@ function openLinkIn(url, where, params) { var aDisallowInheritPrincipal = params.disallowInheritPrincipal; var aInitiatingDoc = params.initiatingDoc; var aIsPrivate = params.private; + var aPrincipal = params.originPrincipal; + var aTriggeringPrincipal = params.triggeringPrincipal; + var aForceAboutBlankViewerInCurrent = + params.forceAboutBlankViewerInCurrent; var sendReferrerURI = true; if (where == "save") { @@ -254,6 +258,23 @@ function openLinkIn(url, where, params) { // Note that if |w| is null we might have no current browser (we'll open a new window). var aCurrentBrowser = params.currentBrowser || (w && w.gBrowser.selectedBrowser); + // Teach the principal about the right OA to use, e.g. in case when + // opening a link in a new private window. + // Please note we do not have to do that for SystemPrincipals and we + // can not do it for NullPrincipals since NullPrincipals are only + // identical if they actually are the same object (See Bug: 1346759) + function useOAForPrincipal(principal) { + if (principal && principal.isCodebasePrincipal) { + let attrs = { + privateBrowsingId: aIsPrivate || (w && PrivateBrowsingUtils.isWindowPrivate(w)), + }; + return Services.scriptSecurityManager.createCodebasePrincipal(principal.URI, attrs); + } + return principal; + } + aPrincipal = useOAForPrincipal(aPrincipal); + aTriggeringPrincipal = useOAForPrincipal(aTriggeringPrincipal); + if (!w || where == "window") { // This propagates to window.arguments. // Strip referrer data when opening a new private window, to prevent @@ -297,6 +318,8 @@ function openLinkIn(url, where, params) { sa.AppendElement(aPostData); sa.AppendElement(allowThirdPartyFixupSupports); sa.AppendElement(referrerPolicySupports); + sa.AppendElement(aPrincipal); + sa.AppendElement(aTriggeringPrincipal); let features = "chrome,dialog=no,all"; if (aIsPrivate) { @@ -314,10 +337,17 @@ function openLinkIn(url, where, params) { getBoolPref("browser.tabs.loadInBackground"); } + let uriObj; + if (where == "current") { + try { + uriObj = Services.io.newURI(url, null, null); + } catch (e) {} + } + if (where == "current" && w.gBrowser.selectedTab.pinned) { try { - let uriObj = Services.io.newURI(url, null, null); - if (!uriObj.schemeIs("javascript") && + // nsIURI.host can throw for non-nsStandardURL nsIURIs. + if (!uriObj || !uriObj.schemeIs("javascript") && w.gBrowser.currentURI.host != uriObj.host) { where = "tab"; loadInBackground = false; @@ -345,11 +375,22 @@ function openLinkIn(url, where, params) { if (aForceAllowDataURI) { flags |= Ci.nsIWebNavigation.LOAD_FLAGS_FORCE_ALLOW_DATA_URI; } + let {URI_INHERITS_SECURITY_CONTEXT} = Ci.nsIProtocolHandler; + if (aForceAboutBlankViewerInCurrent && + (!uriObj || + (Services.io.getProtocolFlags(uriObj.scheme) & URI_INHERITS_SECURITY_CONTEXT))) { + // Unless we know for sure we're not inheriting principals, + // force the about:blank viewer to have the right principal: + w.gBrowser.selectedBrowser.createAboutBlankContentViewer(aPrincipal); + } + w.gBrowser.loadURIWithFlags(url, { flags: flags, + triggeringPrincipal: aTriggeringPrincipal, referrerURI: aReferrerURI, referrerPolicy: aReferrerPolicy, postData: aPostData, + originPrincipal: aPrincipal, }); browserUsedForLoad = aCurrentBrowser; break; @@ -365,7 +406,9 @@ function openLinkIn(url, where, params) { postData: aPostData, inBackground: loadInBackground, allowThirdPartyFixup: aAllowThirdPartyFixup, - relatedToCurrent: aRelatedToCurrent}); + relatedToCurrent: aRelatedToCurrent, + originPrincipal: aPrincipal, + triggeringPrincipal: aTriggeringPrincipal }); browserUsedForLoad = tabUsedForLoad.linkedBrowser; break; } @@ -564,13 +607,6 @@ function openFeedbackPage() openUILinkIn(Services.prefs.getCharPref("browser.feedback.url"), "tab"); } -function buildHelpMenu() -{ - // Enable/disable the "Report Web Forgery" menu item. - if (typeof gSafeBrowsing != "undefined") - gSafeBrowsing.setReportPhishingMenu(); -} - function isElementVisible(aElement) { if (!aElement) |