Diffstat (limited to 'netwerk')
-rw-r--r--netwerk/base/nsIOService.cpp9
-rw-r--r--netwerk/base/nsIOService.h4
-rw-r--r--netwerk/protocol/http/nsHttpChannelAuthProvider.cpp25
-rw-r--r--netwerk/protocol/http/nsHttpChannelAuthProvider.h3
4 files changed, 34 insertions, 7 deletions
diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
index e0dc7d8e8..bd9a4a96f 100644
--- a/netwerk/base/nsIOService.cpp
+++ b/netwerk/base/nsIOService.cpp
@@ -166,6 +166,7 @@ uint32_t nsIOService::gDefaultSegmentSize = 4096;
uint32_t nsIOService::gDefaultSegmentCount = 24;
bool nsIOService::sBlockToplevelDataUriNavigations = false;
+bool nsIOService::sBlockFTPSubresources = false;
////////////////////////////////////////////////////////////////////////////////
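Review bot: The static initializer `bool nsIOService::sBlockFTPSubresources = false;` disagrees with the default of `true` that the Init() hunk passes to `Preferences::AddBoolVarCache` for `security.block_ftp_subresources`. Until Init() has registered the cache, BlockFTPSubresources() reports the block as disabled, so a caller that runs early would get the permissive value; whether such a caller exists is not visible here, since the diff is limited to netwerk. Initialising the static to the pref default, `bool nsIOService::sBlockFTPSubresources = true;`, keeps the two in step and makes the pre-Init state the restrictive one.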
@@ -243,6 +244,8 @@ nsIOService::Init()
Preferences::AddBoolVarCache(&sBlockToplevelDataUriNavigations,
"security.data_uri.block_toplevel_data_uri_navigations", false);
+ Preferences::AddBoolVarCache(&sBlockFTPSubresources,
+ "security.block_ftp_subresources", true);
Preferences::AddBoolVarCache(&mOfflineMirrorsConnectivity, OFFLINE_MIRRORS_CONNECTIVITY, true);
gIOService = this;
@@ -1869,5 +1872,11 @@ nsIOService::BlockToplevelDataUriNavigations()
return sBlockToplevelDataUriNavigations;
}
+/*static*/ bool
+nsIOService::BlockFTPSubresources()
+{
+ return sBlockFTPSubresources;
+}
+
} // namespace net
} // namespace mozilla
diff --git a/netwerk/base/nsIOService.h b/netwerk/base/nsIOService.h
index 19eed743a..f3a26f5d2 100644
--- a/netwerk/base/nsIOService.h
+++ b/netwerk/base/nsIOService.h
@@ -94,6 +94,8 @@ public:
static bool BlockToplevelDataUriNavigations();
+ static bool BlockFTPSubresources();
+
// Used to trigger a recheck of the captive portal status
nsresult RecheckCaptivePortal();
private:
@@ -175,6 +177,8 @@ private:
static bool sBlockToplevelDataUriNavigations;
+ static bool sBlockFTPSubresources;
+
// Time a network tearing down started.
mozilla::Atomic<PRIntervalTime> mNetTearingDownStarted;
public:
diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
index 0e7eb55c3..a6681cfc6 100644
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -95,6 +95,8 @@ nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
uint32_t nsHttpChannelAuthProvider::sAuthAllowPref =
SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL;
+bool nsHttpChannelAuthProvider::sImgCrossOriginAuthAllowPref = false;
+
void
nsHttpChannelAuthProvider::InitializePrefs()
{
@@ -102,6 +104,9 @@ nsHttpChannelAuthProvider::InitializePrefs()
mozilla::Preferences::AddUintVarCache(&sAuthAllowPref,
"network.auth.subresource-http-auth-allow",
SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL);
+ mozilla::Preferences::AddBoolVarCache(&sImgCrossOriginAuthAllowPref,
+ "network.auth.subresource-http-img-XO-auth",
+ false);
}
NS_IMETHODIMP
@@ -867,15 +872,15 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
else if (authFlags & nsIHttpAuthenticator::IDENTITY_ENCRYPTED)
level = nsIAuthPrompt2::LEVEL_PW_ENCRYPTED;
- // Depending on the pref setting, the authentication dialog may be
+ // Depending on the pref settings, the authentication dialog may be
// blocked for all sub-resources, blocked for cross-origin
// sub-resources, or always allowed for sub-resources.
- // For more details look at the bug 647010.
- // BlockPrompt will set mCrossOrigin parameter as well.
+ // If always allowed, image prompts may still be blocked by pref.
+ // BlockPrompt() will set the mCrossOrigin parameter as well.
if (BlockPrompt()) {
LOG(("nsHttpChannelAuthProvider::GetCredentialsForChallenge: "
- "Prompt is blocked [this=%p pref=%d]\n",
- this, sAuthAllowPref));
+ "Prompt is blocked [this=%p pref=%d img-pref=%d]\n",
+ this, sAuthAllowPref, sImgCrossOriginAuthAllowPref));
return NS_ERROR_ABORT;
}
@@ -983,7 +988,15 @@ nsHttpChannelAuthProvider::BlockPrompt()
// the sub-resources only if they are not cross-origin.
return !topDoc && !xhr && mCrossOrigin;
case SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL:
- // Allow the http-authentication dialog.
+ // Allow the http-authentication dialog for subresources.
+ // If the pref network.auth.subresource-http-img-XO-auth is set to false,
+ // the http authentication dialog for image subresources is still blocked.
+ if (!sImgCrossOriginAuthAllowPref &&
+ loadInfo &&
+ ((loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) ||
+ (loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGESET))) {
+ return true;
+ }
return false;
default:
// This is an invalid value.
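Review bot: The new check under `SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL` never consults `mCrossOrigin`, although the variable is named `sImgCrossOriginAuthAllowPref` and the pref `network.auth.subresource-http-img-XO-auth`; as written, with the pref false, the auth dialog is blocked for same-origin image loads as well. If only cross-origin image loads are meant to be blocked, the condition should start `if (mCrossOrigin && !sImgCrossOriginAuthAllowPref &&`, matching the use of `mCrossOrigin` in the case just above. If blocking every image prompt is intended, the added comment should say so, since the names suggest otherwise. `loadInfo->GetExternalContentPolicyType()` is also evaluated twice and would read better held in a local. BlockPrompt()'s body starts and ends outside the hunk.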
diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.h b/netwerk/protocol/http/nsHttpChannelAuthProvider.h
index 44d79b22b..0d6045875 100644
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.h
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.h
@@ -179,10 +179,11 @@ private:
RefPtr<nsHttpHandler> mHttpHandler; // keep gHttpHandler alive
- // A variable holding the preference settings to whether to open HTTP
+ // Variables holding the preference settings for whether to open HTTP
// authentication credentials dialogs for sub-resources and cross-origin
// sub-resources.
static uint32_t sAuthAllowPref;
+ static bool sImgCrossOriginAuthAllowPref;
nsCOMPtr<nsICancelable> mGenerateCredentialsCancelable;
};