summaryrefslogtreecommitdiffstats
path: root/application
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-03-01 14:10:57 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-03-01 14:12:02 +0100
commite64dae886b83c63931c2f608c756885c689aeb56 (patch)
treedd2502a462e73fdc4941dce6925ea31f96ab8fef /application
parentf89a809df5e50fc4f7a58fcaac55861aa33a8e31 (diff)
parentc1ece93c2be6fb571a013f9735dc629d7279f389 (diff)
downloadUXP-e64dae886b83c63931c2f608c756885c689aeb56.tar
UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar.gz
UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar.lz
UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar.xz
UXP-e64dae886b83c63931c2f608c756885c689aeb56.zip
Improve the http basic auth DOS protection heuristics.
-> Merge branch 'authprompt-work'
Diffstat (limited to 'application')
-rw-r--r--application/basilisk/app/profile/basilisk.js8
-rw-r--r--application/basilisk/base/content/browser.js5
-rw-r--r--application/basilisk/base/content/browser.xul3
-rw-r--r--application/basilisk/base/content/tabbrowser.xml11
-rw-r--r--application/basilisk/base/content/urlbarBindings.xml3
-rw-r--r--application/palemoon/app/profile/palemoon.js8
-rw-r--r--application/palemoon/base/content/browser.js5
-rw-r--r--application/palemoon/base/content/browser.xul3
-rw-r--r--application/palemoon/base/content/tabbrowser.xml11
-rw-r--r--application/palemoon/base/content/urlbarBindings.xml4
10 files changed, 55 insertions, 6 deletions
diff --git a/application/basilisk/app/profile/basilisk.js b/application/basilisk/app/profile/basilisk.js
index 79d767851..24f1c582c 100644
--- a/application/basilisk/app/profile/basilisk.js
+++ b/application/basilisk/app/profile/basilisk.js
@@ -1438,3 +1438,11 @@ pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
// controlling validation are located in /services/sync/services-sync.js
pref("services.sync.validation.enabled", true);
#endif
+
+// When a user cancels this number of authentication dialogs coming from
+// a single web page (eTLD+1) in a row, all following authentication dialogs
+// will be blocked (automatically canceled) for that page.
+// This counter is per-tab and per-domain to minimize false positives.
+// The counter resets when the page is reloaded from the UI
+// (content-reloads do NOT clear this to mitigate reloading tricks).
+pref("prompts.authentication_dialog_abuse_limit", 3);
diff --git a/application/basilisk/base/content/browser.js b/application/basilisk/base/content/browser.js
index 9fb997a42..336670fa0 100644
--- a/application/basilisk/base/content/browser.js
+++ b/application/basilisk/base/content/browser.js
@@ -3094,6 +3094,11 @@ function getWebNavigation()
}
function BrowserReloadWithFlags(reloadFlags) {
+
+ // Reset DOS mitigation for auth prompts when user initiates a reload.
+ let browser = gBrowser.selectedBrowser;
+ delete browser.authPromptCounter;
+
let url = gBrowser.currentURI.spec;
if (gBrowser.updateBrowserRemotenessByURL(gBrowser.selectedBrowser, url)) {
// If the remoteness has changed, the new browser doesn't have any
diff --git a/application/basilisk/base/content/browser.xul b/application/basilisk/base/content/browser.xul
index 3208538c1..be64f1bac 100644
--- a/application/basilisk/base/content/browser.xul
+++ b/application/basilisk/base/content/browser.xul
@@ -997,7 +997,8 @@
contentcontextmenu="contentAreaContextMenu"
autocompletepopup="PopupAutoComplete"
selectmenulist="ContentSelectDropdown"
- datetimepicker="DateTimePickerPanel"/>
+ datetimepicker="DateTimePickerPanel"
+ authdosprotected="true" />
</vbox>
<vbox id="browser-border-end" hidden="true" layer="true"/>
</hbox>
diff --git a/application/basilisk/base/content/tabbrowser.xml b/application/basilisk/base/content/tabbrowser.xml
index 043838020..52c51db69 100644
--- a/application/basilisk/base/content/tabbrowser.xml
+++ b/application/basilisk/base/content/tabbrowser.xml
@@ -25,7 +25,7 @@
<xul:vbox flex="1" class="browserContainer">
<xul:stack flex="1" class="browserStack" anonid="browserStack">
<xul:browser anonid="initialBrowser" type="content-primary" message="true" messagemanagergroup="browsers"
- xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker"/>
+ xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker,authdosprotected"/>
</xul:stack>
</xul:vbox>
</xul:hbox>
@@ -1936,6 +1936,10 @@
if (this.hasAttribute("datetimepicker")) {
b.setAttribute("datetimepicker", this.getAttribute("datetimepicker"));
}
+
+ if (this.hasAttribute("authdosprotected")) {
+ b.setAttribute("authdosprotected", this.getAttribute("authdosprotected"));
+ }
b.setAttribute("autoscrollpopup", this._autoScrollPopup.id);
@@ -2991,7 +2995,10 @@
<parameter name="aTab"/>
<body>
<![CDATA[
- this.getBrowserForTab(aTab).reload();
+ let browser = this.getBrowserForTab(aTab);
+ // Reset DOS mitigation for basic auth prompt
+ delete browser.authPromptCounter;
+ browser.reload();
]]>
</body>
</method>
diff --git a/application/basilisk/base/content/urlbarBindings.xml b/application/basilisk/base/content/urlbarBindings.xml
index ad11f7fdf..b9c17818a 100644
--- a/application/basilisk/base/content/urlbarBindings.xml
+++ b/application/basilisk/base/content/urlbarBindings.xml
@@ -540,6 +540,9 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.
Cu.reportError(ex);
}
+ // Reset DOS mitigations for the basic auth prompt.
+ delete browser.authPromptCounter;
+
let params = {
postData,
allowThirdPartyFixup: true,
diff --git a/application/palemoon/app/profile/palemoon.js b/application/palemoon/app/profile/palemoon.js
index 43f020f9a..3df5d7194 100644
--- a/application/palemoon/app/profile/palemoon.js
+++ b/application/palemoon/app/profile/palemoon.js
@@ -1160,6 +1160,14 @@ pref("toolkit.pageThumbs.minHeight", 180);
pref("ui.key.menuAccessKeyFocuses", true);
#endif
+// When a user cancels this number of authentication dialogs coming from
+// a single web page (eTLD+1) in a row, all following authentication dialogs
+// will be blocked (automatically canceled) for that page.
+// This counter is per-tab and per-domain to minimize false positives.
+// The counter resets when the page is reloaded from the UI
+// (content-reloads do NOT clear this to mitigate reloading tricks).
+pref("prompts.authentication_dialog_abuse_limit", 3);
+
// ****************** s4e prefs ******************
pref("status4evar.addonbar.borderStyle", false);
pref("status4evar.addonbar.closeButton", false);
diff --git a/application/palemoon/base/content/browser.js b/application/palemoon/base/content/browser.js
index 3feeef9b6..4e753d422 100644
--- a/application/palemoon/base/content/browser.js
+++ b/application/palemoon/base/content/browser.js
@@ -2661,6 +2661,11 @@ function getWebNavigation()
}
function BrowserReloadWithFlags(reloadFlags) {
+
+ // Reset DOS mitigation for auth prompts when user initiates a reload.
+ let browser = gBrowser.selectedBrowser;
+ delete browser.authPromptCounter;
+
/* First, we'll try to use the session history object to reload so
* that framesets are handled properly. If we're in a special
* window (such as view-source) that has no session history, fall
diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul
index ce2a7c5a8..ddc305a7b 100644
--- a/application/palemoon/base/content/browser.xul
+++ b/application/palemoon/base/content/browser.xul
@@ -965,7 +965,8 @@
tabcontainer="tabbrowser-tabs"
contentcontextmenu="contentAreaContextMenu"
autocompletepopup="PopupAutoComplete"
- datetimepicker="DateTimePickerPanel"/>
+ datetimepicker="DateTimePickerPanel"
+ authdosprotected="true"/>
<chatbar id="pinnedchats" layer="true" mousethrough="always" hidden="true"/>
<statuspanel id="statusbar-display" inactive="true"/>
</vbox>
diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml
index 988cae55c..cbe029af0 100644
--- a/application/palemoon/base/content/tabbrowser.xml
+++ b/application/palemoon/base/content/tabbrowser.xml
@@ -30,7 +30,7 @@
<xul:vbox flex="1" class="browserContainer">
<xul:stack flex="1" class="browserStack" anonid="browserStack">
<xul:browser anonid="initialBrowser" type="content-primary" message="true" disablehistory="true"
- xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker"/>
+ xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker,authdosprotected"/>
</xul:stack>
</xul:vbox>
</xul:hbox>
@@ -1588,6 +1588,10 @@
if (this.hasAttribute("datetimepicker")) {
b.setAttribute("datetimepicker", this.getAttribute("datetimepicker"));
}
+
+ if (this.hasAttribute("authdosprotected")) {
+ b.setAttribute("authdosprotected", this.getAttribute("authdosprotected"));
+ }
// Create the browserStack container
var stack = document.createElementNS(NS_XUL, "stack");
@@ -2458,7 +2462,10 @@
<parameter name="aTab"/>
<body>
<![CDATA[
- this.getBrowserForTab(aTab).reload();
+ let browser = this.getBrowserForTab(aTab);
+ // Reset DOS mitigation for basic auth prompt
+ delete browser.authPromptCounter;
+ browser.reload();
]]>
</body>
</method>
diff --git a/application/palemoon/base/content/urlbarBindings.xml b/application/palemoon/base/content/urlbarBindings.xml
index d188e6658..d2d9cc720 100644
--- a/application/palemoon/base/content/urlbarBindings.xml
+++ b/application/palemoon/base/content/urlbarBindings.xml
@@ -302,6 +302,10 @@
// but don't let that interfere with the loading of the url.
Cu.reportError(ex);
}
+
+ // Reset DOS mitigations for the basic auth prompt.
+ let browser = gBrowser.selectedBrowser;
+ delete browser.authPromptCounter;
function loadCurrent() {
let flags = Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP;