From 7d0c56c2879861e97e0c8af6daa16fa3b945eec4 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 15 Jun 2017 16:38:41 +0200 Subject: Restrict XML file recursion depth to 200. This resolves #2. --- parser/htmlparser/nsExpatDriver.cpp | 14 +++++++++++--- parser/htmlparser/nsExpatDriver.h | 7 ++++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp index 8882ec593..9cf888f69 100644 --- a/parser/htmlparser/nsExpatDriver.cpp +++ b/parser/htmlparser/nsExpatDriver.cpp @@ -338,6 +338,9 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(nsExpatDriver) NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink) +// We store the tagdepth in a Uint8, so make sure the limit fits in a Uint8. +PR_STATIC_ASSERT(MAX_XML_TREE_DEPTH <= UINT8_MAX); + nsExpatDriver::nsExpatDriver() : mExpatParser(nullptr), mInCData(false), @@ -345,6 +348,7 @@ nsExpatDriver::nsExpatDriver() mInExternalDTD(false), mMadeFinalCallToExpat(false), mIsFinalChunk(false), + mTagDepth(0), mInternalState(NS_OK), mExpatBuffered(0), mCatalogData(nullptr), @@ -359,7 +363,7 @@ nsExpatDriver::~nsExpatDriver() } } -nsresult +void nsExpatDriver::HandleStartElement(const char16_t *aValue, const char16_t **aAtts) { @@ -377,13 +381,16 @@ nsExpatDriver::HandleStartElement(const char16_t *aValue, } if (mSink) { + if (++mTagDepth == MAX_XML_TREE_DEPTH) { + MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP); + return; + } + nsresult rv = mSink-> HandleStartElement(aValue, aAtts, attrArrayLength, XML_GetCurrentLineNumber(mExpatParser)); MaybeStopParser(rv); } - - return NS_OK; } nsresult @@ -395,6 +402,7 @@ nsExpatDriver::HandleEndElement(const char16_t *aValue) if (mSink && mInternalState != NS_ERROR_HTMLPARSER_STOPPARSING) { nsresult rv = mSink->HandleEndElement(aValue); + --mTagDepth; MaybeStopParser(rv); } diff --git a/parser/htmlparser/nsExpatDriver.h b/parser/htmlparser/nsExpatDriver.h index 1bf022ade..0d62bd09d 100644 --- a/parser/htmlparser/nsExpatDriver.h +++ b/parser/htmlparser/nsExpatDriver.h @@ -16,6 +16,9 @@ #include "nsIParser.h" #include "nsCycleCollectionParticipant.h" +// Tree depth limit for XML-based files (xml/svg/etc.) +#define MAX_XML_TREE_DEPTH 200 + class nsIExpatSink; class nsIExtendedExpatSink; struct nsCatalogData; @@ -37,7 +40,7 @@ public: const char16_t *aBase, const char16_t *aSystemId, const char16_t *aPublicId); - nsresult HandleStartElement(const char16_t *aName, const char16_t **aAtts); + void HandleStartElement(const char16_t *aName, const char16_t **aAtts); nsresult HandleEndElement(const char16_t *aName); nsresult HandleCharacterData(const char16_t *aCData, const uint32_t aLength); nsresult HandleComment(const char16_t *aName); @@ -119,6 +122,8 @@ private: // Whether we're sure that we won't be getting more buffers to parse from // Necko bool mIsFinalChunk; + + uint8_t mTagDepth; nsresult mInternalState; -- cgit v1.2.3 From d795f4c2c2dfee7d6c1f86116e3213c8cd7c109f Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 16 Jun 2017 11:57:08 +0200 Subject: Support "SourceMap" header along with "X-SourceMap" --- dom/base/nsScriptLoader.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dom/base/nsScriptLoader.cpp b/dom/base/nsScriptLoader.cpp index 6c732db6c..a6d20e363 100644 --- a/dom/base/nsScriptLoader.cpp +++ b/dom/base/nsScriptLoader.cpp @@ -2630,7 +2630,10 @@ nsScriptLoader::PrepareLoadedRequest(nsScriptLoadRequest* aRequest, } nsAutoCString sourceMapURL; - rv = httpChannel->GetResponseHeader(NS_LITERAL_CSTRING("X-SourceMap"), sourceMapURL); + rv = httpChannel->GetResponseHeader(NS_LITERAL_CSTRING("SourceMap"), sourceMapURL); + if (NS_FAILED(rv)) { + rv = httpChannel->GetResponseHeader(NS_LITERAL_CSTRING("X-SourceMap"), sourceMapURL); + } if (NS_SUCCEEDED(rv)) { aRequest->mHasSourceMapURL = true; aRequest->mSourceMapURL = NS_ConvertUTF8toUTF16(sourceMapURL); -- cgit v1.2.3 From 216bd0a9580417e846aa357e3bc2a6dcfd5b1409 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 19 Jun 2017 18:39:27 +0200 Subject: Fix toolkit update logic to prevent update loops. Only consider equal appversion to be "update available" if BuildID is present AND greater than current. This resolves #13. --- toolkit/mozapps/update/nsUpdateService.js | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/toolkit/mozapps/update/nsUpdateService.js b/toolkit/mozapps/update/nsUpdateService.js index 10eb1d100..e23ab3f40 100644 --- a/toolkit/mozapps/update/nsUpdateService.js +++ b/toolkit/mozapps/update/nsUpdateService.js @@ -2395,14 +2395,16 @@ UpdateService.prototype = { let lastCheckCode = AUSTLMY.CHK_NO_COMPAT_UPDATE_FOUND; updates.forEach(function(aUpdate) { - // Ignore updates for older versions of the application and updates for - // the same version of the application with the same build ID. + // Ignore updates for older versions of the applications and updates for + // the same version or build id of the application if (vc.compare(aUpdate.appVersion, Services.appinfo.version) < 0 || - vc.compare(aUpdate.appVersion, Services.appinfo.version) == 0 && - aUpdate.buildID == Services.appinfo.appBuildID) { + (vc.compare(aUpdate.appVersion, Services.appinfo.version) == 0 && + aUpdate.buildID <= Services.appinfo.appBuildID) || + (vc.compare(aUpdate.appVersion, Services.appinfo.version) == 0 && + aUpdate.buildID == undefined)) { LOG("UpdateService:selectUpdate - skipping update because the " + - "update's application version is less than the current " + - "application version"); + "update's application version is less than or equal to " + + "the current application version."); lastCheckCode = AUSTLMY.CHK_UPDATE_PREVIOUS_VERSION; return; } -- cgit v1.2.3 From 8a1dc97a5aaf1f245b8bbf72de0e9458d15eeb81 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 19 Jul 2017 01:24:28 +0200 Subject: Implement configuration pref for Generational Garbage Collection. Pref: javascript.options.mem.gc_generational This resolves #20 --- dom/base/nsJSEnvironment.cpp | 5 +++++ js/src/jsapi.cpp | 11 +++++++++++ js/src/jsapi.h | 3 +++ modules/libpref/init/all.js | 1 + 4 files changed, 20 insertions(+) diff --git a/dom/base/nsJSEnvironment.cpp b/dom/base/nsJSEnvironment.cpp index b273d00c9..576f3052a 100644 --- a/dom/base/nsJSEnvironment.cpp +++ b/dom/base/nsJSEnvironment.cpp @@ -2282,6 +2282,7 @@ SetMemoryGCModePrefChangedCallback(const char* aPrefName, void* aClosure) { bool enableZoneGC = Preferences::GetBool("javascript.options.mem.gc_per_zone"); bool enableIncrementalGC = Preferences::GetBool("javascript.options.mem.gc_incremental"); + bool enableGenerationalGC = Preferences::GetBool("javascript.options.mem.gc_generational"); JSGCMode mode; if (enableIncrementalGC) { mode = JSGC_MODE_INCREMENTAL; @@ -2291,6 +2292,7 @@ SetMemoryGCModePrefChangedCallback(const char* aPrefName, void* aClosure) mode = JSGC_MODE_GLOBAL; } JS_SetGCParameter(sContext, JSGC_MODE, mode); + JS_SetGGCMode(sContext, enableGenerationalGC); } static void @@ -2485,6 +2487,9 @@ nsJSContext::EnsureStatics() Preferences::RegisterCallbackAndCall(SetMemoryGCSliceTimePrefChangedCallback, "javascript.options.mem.gc_incremental_slice_ms"); + Preferences::RegisterCallbackAndCall(SetMemoryGCModePrefChangedCallback, + "javascript.options.mem.gc_generational"); + Preferences::RegisterCallbackAndCall(SetMemoryGCCompactingPrefChangedCallback, "javascript.options.mem.gc_compacting"); diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp index a99d08951..e4e86effa 100644 --- a/js/src/jsapi.cpp +++ b/js/src/jsapi.cpp @@ -1410,6 +1410,17 @@ JS_SetGCParameter(JSContext* cx, JSGCParamKey key, uint32_t value) MOZ_ALWAYS_TRUE(cx->gc.setParameter(key, value, lock)); } +JS_PUBLIC_API(void) +JS_SetGGCMode(JSContext* cx, bool enabled) +{ + // Control GGC + if (enabled && !cx->gc.isGenerationalGCEnabled()) { + cx->gc.enableGenerationalGC(); + } else if (!enabled && cx->gc.isGenerationalGCEnabled()) { + cx->gc.disableGenerationalGC(); + } +} + JS_PUBLIC_API(uint32_t) JS_GetGCParameter(JSContext* cx, JSGCParamKey key) { diff --git a/js/src/jsapi.h b/js/src/jsapi.h index 46aa15947..6700a6c51 100644 --- a/js/src/jsapi.h +++ b/js/src/jsapi.h @@ -1768,6 +1768,9 @@ typedef enum JSGCParamKey { extern JS_PUBLIC_API(void) JS_SetGCParameter(JSContext* cx, JSGCParamKey key, uint32_t value); +extern JS_PUBLIC_API(void) +JS_SetGGCMode(JSContext* cx, bool enabled); + extern JS_PUBLIC_API(uint32_t) JS_GetGCParameter(JSContext* cx, JSGCParamKey key); diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 72eb8524e..67c632e71 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -1258,6 +1258,7 @@ pref("javascript.options.mem.max", -1); pref("javascript.options.mem.gc_per_zone", true); pref("javascript.options.mem.gc_incremental", true); pref("javascript.options.mem.gc_incremental_slice_ms", 10); +pref("javascript.options.mem.gc_generational", true); pref("javascript.options.mem.gc_compacting", true); pref("javascript.options.mem.log", false); pref("javascript.options.mem.notify", false); -- cgit v1.2.3 From 3b70762534d82b9dc0bc59934327e981f032e69f Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:11:42 +0200 Subject: Add Camellia to the active cipher suites. Issue #4 point 1. Camellia is a strong, modern, safe cipher with no known weaknesses or reduced strength attacks. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. --- netwerk/base/security-prefs.js | 4 ++++ security/manager/ssl/nsNSSComponent.cpp | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index 9f42745f7..be3c6f33d 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -28,7 +28,11 @@ pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true); pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); pref("security.ssl3.dhe_rsa_aes_128_sha", true); +pref("security.ssl3.dhe_rsa_camellia_256_sha", true); pref("security.ssl3.dhe_rsa_aes_256_sha", true); +pref("security.ssl3.dhe_rsa_camellia_128_sha", true); +pref("security.ssl3.rsa_camellia_128_sha", true); +pref("security.ssl3.rsa_camellia_256_sha", true); pref("security.ssl3.rsa_aes_128_sha", true); pref("security.ssl3.rsa_aes_256_sha", true); pref("security.ssl3.rsa_des_ede3_sha", true); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index d53f846ed..b46e69cbc 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1347,9 +1347,13 @@ static const CipherPref sCipherPrefs[] = { { "security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_camellia_256_sha", + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, true}, { "security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_camellia_128_sha", + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, { "security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256, true }, { "security.tls13.chacha20_poly1305_sha256", @@ -1357,6 +1361,10 @@ static const CipherPref sCipherPrefs[] = { { "security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true }, + {"security.ssl3.rsa_camellia_128_sha", + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, + {"security.ssl3.rsa_camellia_256_sha", + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, true }, { "security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) { "security.ssl3.rsa_aes_256_sha", -- cgit v1.2.3 From acaf15453c3c00b2fa387239ae854736383134db Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:17:40 +0200 Subject: Add RSA-AES + SHA256/384 suites for web compatibility. Sites with these ciphers (commonly IIS) would otherwise fall back to weak 3DES that will be disabled by default. Issue #4 points 2 and 3 --- netwerk/base/security-prefs.js | 4 ++++ security/manager/ssl/nsNSSComponent.cpp | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index be3c6f33d..9403b3139 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -31,11 +31,15 @@ pref("security.ssl3.dhe_rsa_aes_128_sha", true); pref("security.ssl3.dhe_rsa_camellia_256_sha", true); pref("security.ssl3.dhe_rsa_aes_256_sha", true); pref("security.ssl3.dhe_rsa_camellia_128_sha", true); +pref("security.ssl3.rsa_aes_256_gcm_sha384", true); +pref("security.ssl3.rsa_aes_256_sha256", true); pref("security.ssl3.rsa_camellia_128_sha", true); pref("security.ssl3.rsa_camellia_256_sha", true); pref("security.ssl3.rsa_aes_128_sha", true); pref("security.ssl3.rsa_aes_256_sha", true); pref("security.ssl3.rsa_des_ede3_sha", true); +pref("security.ssl3.rsa_aes_128_gcm_sha256", false); +pref("security.ssl3.rsa_aes_128_sha256", false); pref("security.content.signature.root_hash", "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E"); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index b46e69cbc..89b33b7c2 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1361,6 +1361,10 @@ static const CipherPref sCipherPrefs[] = { { "security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true }, + { "security.ssl3.rsa_aes_256_gcm_sha384", + TLS_RSA_WITH_AES_256_GCM_SHA384, true }, + { "security.ssl3.rsa_aes_256_sha256", + TLS_RSA_WITH_AES_256_CBC_SHA256, true }, {"security.ssl3.rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, {"security.ssl3.rsa_camellia_256_sha", @@ -1369,6 +1373,10 @@ static const CipherPref sCipherPrefs[] = { TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) { "security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, true }, // deprecated (RSA key exchange) + { "security.ssl3.rsa_aes_128_gcm_sha256", + TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated + { "security.ssl3.rsa_aes_128_sha256", + TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated { "security.ssl3.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES) -- cgit v1.2.3 From d98565a287341f86f07eafac47ce076b51cd94f4 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:19:54 +0200 Subject: Disable 3DES cipher by default + re-order a few things. Issue #4 point 4 --- netwerk/base/security-prefs.js | 6 ++++-- security/manager/ssl/nsNSSComponent.cpp | 15 +++++++++------ 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index 9403b3139..5b90d0642 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -17,6 +17,7 @@ pref("security.ssl.false_start.require-npn", false); pref("security.ssl.enable_npn", true); pref("security.ssl.enable_alpn", true); +// TLS 1.0-1.2 cipher suites pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true); @@ -27,19 +28,20 @@ pref("security.ssl3.ecdhe_rsa_aes_128_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true); pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); -pref("security.ssl3.dhe_rsa_aes_128_sha", true); pref("security.ssl3.dhe_rsa_camellia_256_sha", true); pref("security.ssl3.dhe_rsa_aes_256_sha", true); pref("security.ssl3.dhe_rsa_camellia_128_sha", true); +pref("security.ssl3.dhe_rsa_aes_128_sha", true); pref("security.ssl3.rsa_aes_256_gcm_sha384", true); pref("security.ssl3.rsa_aes_256_sha256", true); pref("security.ssl3.rsa_camellia_128_sha", true); pref("security.ssl3.rsa_camellia_256_sha", true); pref("security.ssl3.rsa_aes_128_sha", true); pref("security.ssl3.rsa_aes_256_sha", true); -pref("security.ssl3.rsa_des_ede3_sha", true); +// Weak / deprecated pref("security.ssl3.rsa_aes_128_gcm_sha256", false); pref("security.ssl3.rsa_aes_128_sha256", false); +pref("security.ssl3.rsa_des_ede3_sha", false); pref("security.content.signature.root_hash", "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E"); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 89b33b7c2..1bcdcc1b0 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1344,9 +1344,6 @@ static const CipherPref sCipherPrefs[] = { { "security.ssl3.ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, true }, - { "security.ssl3.dhe_rsa_aes_128_sha", - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, - { "security.ssl3.dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, true}, { "security.ssl3.dhe_rsa_aes_256_sha", @@ -1354,6 +1351,9 @@ static const CipherPref sCipherPrefs[] = { { "security.ssl3.dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_aes_128_sha", + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256, true }, { "security.tls13.chacha20_poly1305_sha256", @@ -1361,6 +1361,7 @@ static const CipherPref sCipherPrefs[] = { { "security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true }, + // Deprecated (RSA key exchange): { "security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_256_GCM_SHA384, true }, { "security.ssl3.rsa_aes_256_sha256", @@ -1370,15 +1371,17 @@ static const CipherPref sCipherPrefs[] = { {"security.ssl3.rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, true }, { "security.ssl3.rsa_aes_128_sha", - TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) + TLS_RSA_WITH_AES_128_CBC_SHA, true }, { "security.ssl3.rsa_aes_256_sha", - TLS_RSA_WITH_AES_256_CBC_SHA, true }, // deprecated (RSA key exchange) + TLS_RSA_WITH_AES_256_CBC_SHA, true }, + +// Expensive/deprecated/weak { "security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated { "security.ssl3.rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated { "security.ssl3.rsa_des_ede3_sha", - TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES) + TLS_RSA_WITH_3DES_EDE_CBC_SHA, false }, // Weak (3DES) // All the rest are disabled -- cgit v1.2.3 From 2bacef6f143fe5cd246a5038759bdff004d4be94 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:22:19 +0200 Subject: Disable static DHE + AES suites by default (common combination for weak DH keys) Issue #4 point 5 --- netwerk/base/security-prefs.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index 5b90d0642..329a4c6b7 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -29,9 +29,7 @@ pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true); pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); pref("security.ssl3.dhe_rsa_camellia_256_sha", true); -pref("security.ssl3.dhe_rsa_aes_256_sha", true); pref("security.ssl3.dhe_rsa_camellia_128_sha", true); -pref("security.ssl3.dhe_rsa_aes_128_sha", true); pref("security.ssl3.rsa_aes_256_gcm_sha384", true); pref("security.ssl3.rsa_aes_256_sha256", true); pref("security.ssl3.rsa_camellia_128_sha", true); @@ -39,6 +37,8 @@ pref("security.ssl3.rsa_camellia_256_sha", true); pref("security.ssl3.rsa_aes_128_sha", true); pref("security.ssl3.rsa_aes_256_sha", true); // Weak / deprecated +pref("security.ssl3.dhe_rsa_aes_256_sha", false); +pref("security.ssl3.dhe_rsa_aes_128_sha", false); pref("security.ssl3.rsa_aes_128_gcm_sha256", false); pref("security.ssl3.rsa_aes_128_sha256", false); pref("security.ssl3.rsa_des_ede3_sha", false); -- cgit v1.2.3 From cd3c3c6018409a6405697927791a069db9ab1a01 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 25 Jul 2017 09:30:50 +0200 Subject: That's quite enough of /this/ nonsense. --- .../themes/shared/customizableui/panelUI.inc.css | 59 --------------------- browser/themes/shared/customizableui/whimsy.png | Bin 6639 -> 0 bytes browser/themes/shared/customizableui/whimsy@2x.png | Bin 18370 -> 0 bytes browser/themes/shared/jar.inc.mn | 2 - 4 files changed, 61 deletions(-) delete mode 100644 browser/themes/shared/customizableui/whimsy.png delete mode 100644 browser/themes/shared/customizableui/whimsy@2x.png diff --git a/browser/themes/shared/customizableui/panelUI.inc.css b/browser/themes/shared/customizableui/panelUI.inc.css index b46110ab5..b0bb05415 100644 --- a/browser/themes/shared/customizableui/panelUI.inc.css +++ b/browser/themes/shared/customizableui/panelUI.inc.css @@ -28,65 +28,6 @@ height: 128px; } -#PanelUI-popup #PanelUI-contents:empty::before { - content: ""; - background-image: url(chrome://browser/skin/customizableui/whimsy.png); - background-size: 64px 64px; - display: block; - width: 64px; - height: 64px; - position: absolute; - transition: transform 1s ease-out; - animation: whimsyMoveX 3.05s linear 0s infinite alternate, - whimsyMoveY 3.4s linear 0s infinite alternate; -} - -#PanelUI-popup #PanelUI-contents:not(:hover):empty::before { - filter: grayscale(100%); -} - -#PanelUI-popup #PanelUI-contents:active:empty::before { - animation: whimsyMoveX 3.05s linear 0s infinite alternate, - whimsyMoveY 3.4s linear 0s infinite alternate, - whimsyRotate 1s linear 0s infinite normal; -} - -#PanelUI-popup #PanelUI-contents:-moz-locale-dir(rtl):empty::before { - animation: whimsyMoveXRTL 3.05s linear 0s infinite alternate, - whimsyMoveY 3.4s linear 0s infinite alternate; -} - -#PanelUI-popup #PanelUI-contents:-moz-locale-dir(rtl):active:empty::before { - animation: whimsyMoveXRTL 3.05s linear 0s infinite alternate, - whimsyMoveY 3.4s linear 0s infinite alternate, - whimsyRotate 1s linear 0s infinite normal; -} - -@media (min-resolution: 2dppx) { - #PanelUI-popup #PanelUI-contents:empty::before { - background-image: url(chrome://browser/skin/customizableui/whimsy@2x.png); - } -} - -@keyframes whimsyMoveX { - /* These values are adjusted for the padding on the panel. */ - from { margin-left: -15px; } to { margin-left: calc(100% - 49px); } -} - -@keyframes whimsyMoveXRTL { - /* These values are adjusted for the padding on the panel. */ - from { margin-right: -15px; } to { margin-right: calc(100% - 49px); } -} - -@keyframes whimsyMoveY { - /* These values are adjusted for the padding and height of the panel. */ - from { margin-top: -.5em; } to { margin-top: calc(64px - .5em); } -} - -@keyframes whimsyRotate { - to { transform: perspective(5000px) rotateY(360deg); } -} - #PanelUI-button { margin-inline-start: 2px; border-inline-start: 1px solid; diff --git a/browser/themes/shared/customizableui/whimsy.png b/browser/themes/shared/customizableui/whimsy.png deleted file mode 100644 index 2e9fdd7eb..000000000 Binary files a/browser/themes/shared/customizableui/whimsy.png and /dev/null differ diff --git a/browser/themes/shared/customizableui/whimsy@2x.png b/browser/themes/shared/customizableui/whimsy@2x.png deleted file mode 100644 index 61f55f60f..000000000 Binary files a/browser/themes/shared/customizableui/whimsy@2x.png and /dev/null differ diff --git a/browser/themes/shared/jar.inc.mn b/browser/themes/shared/jar.inc.mn index f99f8de3c..dcc1e9dd9 100644 --- a/browser/themes/shared/jar.inc.mn +++ b/browser/themes/shared/jar.inc.mn @@ -48,8 +48,6 @@ skin/classic/browser/customizableui/subView-arrow-back-inverted@2x.png (../shared/customizableui/subView-arrow-back-inverted@2x.png) skin/classic/browser/customizableui/subView-arrow-back-inverted-rtl.png (../shared/customizableui/subView-arrow-back-inverted-rtl.png) skin/classic/browser/customizableui/subView-arrow-back-inverted-rtl@2x.png (../shared/customizableui/subView-arrow-back-inverted-rtl@2x.png) - skin/classic/browser/customizableui/whimsy.png (../shared/customizableui/whimsy.png) - skin/classic/browser/customizableui/whimsy@2x.png (../shared/customizableui/whimsy@2x.png) skin/classic/browser/downloads/contentAreaDownloadsView.css (../shared/downloads/contentAreaDownloadsView.css) skin/classic/browser/downloads/download-blocked.svg (../shared/downloads/download-blocked.svg) skin/classic/browser/downloads/menubutton-dropmarker.svg (../shared/downloads/menubutton-dropmarker.svg) -- cgit v1.2.3 From 6d3a0633543c2f6dfa3cb82aab519ac5fbd33e35 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 1 Aug 2017 16:06:43 +0200 Subject: Fix spellchecker dictionary logic. This fixes #6. --- editor/composer/nsEditorSpellCheck.cpp | 300 +++++++++++++-------------------- modules/libpref/init/all.js | 3 + 2 files changed, 118 insertions(+), 185 deletions(-) diff --git a/editor/composer/nsEditorSpellCheck.cpp b/editor/composer/nsEditorSpellCheck.cpp index 7cae48c1f..790480034 100644 --- a/editor/composer/nsEditorSpellCheck.cpp +++ b/editor/composer/nsEditorSpellCheck.cpp @@ -594,45 +594,24 @@ nsEditorSpellCheck::SetCurrentDictionary(const nsAString& aDictionary) // Ignore pending dictionary fetchers by increasing this number. mDictionaryFetcherGroup++; - uint32_t flags = 0; - mEditor->GetFlags(&flags); - if (!(flags & nsIPlaintextEditor::eEditorMailMask)) { - if (!aDictionary.IsEmpty() && (mPreferredLang.IsEmpty() || - !mPreferredLang.Equals(aDictionary, - nsCaseInsensitiveStringComparator()))) { - // When user sets dictionary manually, we store this value associated - // with editor url, if it doesn't match the document language exactly. - // For example on "en" sites, we need to store "en-GB", otherwise - // the language might jump back to en-US although the user explicitly - // chose otherwise. - StoreCurrentDictionary(mEditor, aDictionary); -#ifdef DEBUG_DICT - printf("***** Writing content preferences for |%s|\n", - NS_ConvertUTF16toUTF8(aDictionary).get()); -#endif - } else { - // If user sets a dictionary matching the language defined by - // document, we consider content pref has been canceled, and we clear it. - ClearCurrentDictionary(mEditor); -#ifdef DEBUG_DICT - printf("***** Clearing content preferences for |%s|\n", - NS_ConvertUTF16toUTF8(aDictionary).get()); -#endif - } - - // Also store it in as a preference, so we can use it as a fallback. - // We don't want this for mail composer because it uses - // "spellchecker.dictionary" as a preference. - Preferences::SetString("spellchecker.dictionary", aDictionary); -#ifdef DEBUG_DICT - printf("***** Storing spellchecker.dictionary |%s|\n", - NS_ConvertUTF16toUTF8(aDictionary).get()); -#endif + if (mPreferredLang.IsEmpty() || + !mPreferredLang.Equals(aDictionary, nsCaseInsensitiveStringComparator())) { + // When user sets dictionary manually, we store this value associated + // with editor url, if it doesn't match the document language exactly. + // For example on "en" sites, we need to store "en-GB", otherwise + // the language might jump back to en-US although the user explicitly + // chose otherwise. + StoreCurrentDictionary(mEditor, aDictionary); + } else { + // If user sets a dictionary matching the language defined by + // document, we consider content pref has been canceled, and we clear it. + ClearCurrentDictionary(mEditor); } } return mSpellChecker->SetCurrentDictionary(aDictionary); } + NS_IMETHODIMP nsEditorSpellCheck::UninitSpellChecker() { @@ -771,23 +750,16 @@ nsEditorSpellCheck::DictionaryFetched(DictionaryFetcher* aFetcher) /* * We try to derive the dictionary to use based on the following priorities: - * 1) Content preference, so the language the user set for the site before. - * (Introduced in bug 678842 and corrected in bug 717433.) - * 2) Language set by the website, or any other dictionary that partly - * matches that. (Introduced in bug 338427.) - * Eg. if the website is "en-GB", a user who only has "en-US" will get - * that. If the website is generic "en", the user will get one of the - * "en-*" installed, (almost) at random. - * However, we prefer what is stored in "spellchecker.dictionary", - * so if the user chose "en-AU" before, they will get "en-AU" on a plain - * "en" site. (Introduced in bug 682564.) - * 3) The value of "spellchecker.dictionary" which reflects a previous - * language choice of the user (on another site). - * (This was the original behaviour before the aforementioned bugs - * landed). - * 4) The user's locale. - * 5) Use the current dictionary that is currently set. - * 6) The content of the "LANG" environment variable (if set). + * 1) Content preference: the language the user set for the site before. + * 2) The value of "spellchecker.dictionary.override" which reflects a + * global choice of language explicitly set by the user. + * 3) Language set by the website, or any other dictionary that partly matches that. + * Eg. if the website is "en-GB", a user who only has "en-US" will get that. + * If the website is generic "en", the user will get one of the "en-*" installed, + * pretty much at random. + * 4) The user's locale + * 5) Leave the current dictionary set. + * 6) The content of the "LANG" environment variable (if set) * 7) The first spell check dictionary installed. */ @@ -795,131 +767,100 @@ nsEditorSpellCheck::DictionaryFetched(DictionaryFetcher* aFetcher) // https://html.spec.whatwg.org/#attr-lang // This is used in SetCurrentDictionary. mPreferredLang.Assign(aFetcher->mRootContentLang); -#ifdef DEBUG_DICT - printf("***** mPreferredLang (element) |%s|\n", - NS_ConvertUTF16toUTF8(mPreferredLang).get()); -#endif // If no luck, try the "Content-Language" header. if (mPreferredLang.IsEmpty()) { mPreferredLang.Assign(aFetcher->mRootDocContentLang); -#ifdef DEBUG_DICT - printf("***** mPreferredLang (content-language) |%s|\n", - NS_ConvertUTF16toUTF8(mPreferredLang).get()); -#endif } - - // Auxiliary status. - nsresult rv2; - - // We obtain a list of available dictionaries. - nsTArray dictList; - rv2 = mSpellChecker->GetDictionaryList(&dictList); - NS_ENSURE_SUCCESS(rv2, rv2); - + // Priority 1: + // Get language from content prefs, if set. // If we successfully fetched a dictionary from content prefs, do not go // further. Use this exact dictionary. - // Don't use content preferences for editor with eEditorMailMask flag. nsAutoString dictName; - uint32_t flags; - mEditor->GetFlags(&flags); - if (!(flags & nsIPlaintextEditor::eEditorMailMask)) { - dictName.Assign(aFetcher->mDictionary); - if (!dictName.IsEmpty()) { - if (NS_SUCCEEDED(TryDictionary(dictName, dictList, DICT_NORMAL_COMPARE))) { -#ifdef DEBUG_DICT - printf("***** Assigned from content preferences |%s|\n", - NS_ConvertUTF16toUTF8(dictName).get()); -#endif - - // We take an early exit here, so let's not forget to clear the word - // list. - DeleteSuggestedWordList(); - return NS_OK; - } - // May be dictionary was uninstalled ? - // Clear the content preference and continue. - ClearCurrentDictionary(mEditor); + dictName.Assign(aFetcher->mDictionary); + if (!dictName.IsEmpty()) { + if (NS_SUCCEEDED(SetCurrentDictionary(dictName))) { + // We take an early exit here, so clear the suggested word list. + DeleteSuggestedWordList(); + return NS_OK; } + // Maybe the dictionary was uninstalled ? + // Clear the content preference and continue. + ClearCurrentDictionary(mEditor); } - + // Priority 2: - // After checking the content preferences, we use the language of the element - // or document. - dictName.Assign(mPreferredLang); -#ifdef DEBUG_DICT - printf("***** Assigned from element/doc |%s|\n", - NS_ConvertUTF16toUTF8(dictName).get()); -#endif - - // Get the preference value. + // Get global preferred language from preferences, if set. nsAutoString preferredDict; - preferredDict = Preferences::GetLocalizedString("spellchecker.dictionary"); + preferredDict = Preferences::GetLocalizedString("spellchecker.dictionary.override"); + if (!preferredDict.IsEmpty()) { + dictName.Assign(preferredDict); + } - // The following will be driven by this status. Once we were able to set a + // Priority 3: + // Get language from element/doc, if set. + if (dictName.IsEmpty() && !mPreferredLang.IsEmpty()) { + dictName.Assign(mPreferredLang); + } + + // Auxiliary status value + nsresult rv2; + + // Obtain a list of available dictionaries to check against. + nsTArray dictList; + rv2 = mSpellChecker->GetDictionaryList(&dictList); + NS_ENSURE_SUCCESS(rv2, rv2); + int32_t i, dictCount = dictList.Length(); + + // The following will be driven by this status. Once we are able to set a // dictionary successfully, we're done. So we start with a "failed" status. - nsresult rv = NS_ERROR_NOT_AVAILABLE; - + nsresult rv = NS_ERROR_FAILURE; + if (!dictName.IsEmpty()) { - // RFC 5646 explicitly states that matches should be case-insensitive. - rv = TryDictionary (dictName, dictList, DICT_COMPARE_CASE_INSENSITIVE); - - if (NS_FAILED(rv)) { -#ifdef DEBUG_DICT - printf("***** Setting of |%s| failed (or it wasn't available)\n", - NS_ConvertUTF16toUTF8(dictName).get()); -#endif + for (i = 0; i < dictCount; i++) { + nsAutoString dictStr(dictList.ElementAt(i)); + if (dictName.Equals(dictStr, nsCaseInsensitiveStringComparator())) { + // First let's correct any problems due to non-matching case. + // This applies to both a user-set override and document language. + // RFC 5646 explicitly states that matches should be case-insensitive. + dictName.Assign(dictStr); + // Try to set it. Doing this inside this loop avoids trying to set a + // dictionary that isn't available. + rv = SetCurrentDictionary(dictName); + break; + } + } + if (NS_FAILED(rv)) { // Required dictionary was not available. Try to get a dictionary - // matching at least language part of dictName. + // matching at least the language part of dictName: nsAutoString langCode; int32_t dashIdx = dictName.FindChar('-'); - if (dashIdx != -1) { + if (dashIdx != -1) { langCode.Assign(Substring(dictName, 0, dashIdx)); } else { langCode.Assign(dictName); } - // Try dictionary.spellchecker preference, if it starts with langCode, - // so we don't just get any random dictionary matching the language. - if (!preferredDict.IsEmpty() && - nsStyleUtil::DashMatchCompare(preferredDict, langCode, nsDefaultStringComparator())) { -#ifdef DEBUG_DICT - printf("***** Trying preference value |%s| since it matches language code\n", - NS_ConvertUTF16toUTF8(preferredDict).get()); -#endif - rv = TryDictionary (preferredDict, dictList, - DICT_COMPARE_CASE_INSENSITIVE); - } + nsDefaultStringComparator comparator; - if (NS_FAILED(rv)) { - // Use any dictionary with the required language. -#ifdef DEBUG_DICT - printf("***** Trying to find match for language code |%s|\n", - NS_ConvertUTF16toUTF8(langCode).get()); -#endif - rv = TryDictionary (langCode, dictList, DICT_COMPARE_DASHMATCH); + // Loop over available dictionaries; if we find one with the required + // language, use it. + for (i = 0; i < dictCount; i++) { + nsAutoString dictStr(dictList.ElementAt(i)); + if (nsStyleUtil::DashMatchCompare(dictStr, langCode, comparator) && + NS_SUCCEEDED(rv = SetCurrentDictionary(dictStr))) { + break; + } } } } - - // Priority 3: - // If the document didn't supply a dictionary or the setting failed, - // try the user preference next. - if (NS_FAILED(rv)) { - if (!preferredDict.IsEmpty()) { -#ifdef DEBUG_DICT - printf("***** Trying preference value |%s|\n", - NS_ConvertUTF16toUTF8(preferredDict).get()); -#endif - rv = TryDictionary (preferredDict, dictList, DICT_NORMAL_COMPARE); - } - } - + // Priority 4: - // As next fallback, try the current locale. - if (NS_FAILED(rv)) { + // Content prefs, override and document didn't give us a valid dictionary + // name, so we just get the current locale and try to use that. + if (NS_FAILED (rv)) { nsCOMPtr packageRegistry = mozilla::services::GetXULChromeRegistryService(); @@ -929,69 +870,57 @@ nsEditorSpellCheck::DictionaryFetched(DictionaryFetcher* aFetcher) false, utf8DictName); dictName.Assign(EmptyString()); AppendUTF8toUTF16(utf8DictName, dictName); -#ifdef DEBUG_DICT - printf("***** Trying locale |%s|\n", - NS_ConvertUTF16toUTF8(dictName).get()); -#endif - rv = TryDictionary (dictName, dictList, DICT_COMPARE_CASE_INSENSITIVE); + // Try to set it, if it's in the list. + for (i = 0; i < dictCount; i++) { + nsAutoString dictStr(dictList.ElementAt(i)); + if (dictStr.Equals(dictName)) { + rv = SetCurrentDictionary(dictName); + break; + } + } } } - + if (NS_FAILED(rv)) { - // Still no success. + // Still no success. Further fallback attempts required. - // Priority 5: - // If we have a current dictionary, don't try anything else. + // Priority 5: + // If we have a current dictionary, don't try anything else. nsAutoString currentDictionary; rv2 = GetCurrentDictionary(currentDictionary); -#ifdef DEBUG_DICT - if (NS_SUCCEEDED(rv2)) { - printf("***** Retrieved current dict |%s|\n", - NS_ConvertUTF16toUTF8(currentDictionary).get()); - } -#endif - + if (NS_FAILED(rv2) || currentDictionary.IsEmpty()) { + // We don't have a current dictionary. // Priority 6: // Try to get current dictionary from environment variable LANG. - // LANG = language[_territory][.charset] + // LANG = language[_territory][.codeset] char* env_lang = getenv("LANG"); - if (env_lang) { + if (env_lang != nullptr) { nsString lang = NS_ConvertUTF8toUTF16(env_lang); + // Strip trailing charset, if there is any. int32_t dot_pos = lang.FindChar('.'); if (dot_pos != -1) { lang = Substring(lang, 0, dot_pos); } - + + // Convert underscore to dash. int32_t underScore = lang.FindChar('_'); if (underScore != -1) { lang.Replace(underScore, 1, '-'); -#ifdef DEBUG_DICT - printf("***** Trying LANG from environment |%s|\n", - NS_ConvertUTF16toUTF8(lang).get()); -#endif - nsAutoString lang2; - lang2.Assign(lang); - rv = TryDictionary(lang2, dictList, DICT_COMPARE_CASE_INSENSITIVE); + // Only attempt to set if a _territory is present. + rv = SetCurrentDictionary(lang); } } - + // Priority 7: - // If it does not work, pick the first one. - if (NS_FAILED(rv) && !dictList.IsEmpty()) { - nsAutoString firstInList; - firstInList.Assign(dictList[0]); - rv = TryDictionary(firstInList, dictList, DICT_NORMAL_COMPARE); -#ifdef DEBUG_DICT - printf("***** Trying first of list |%s|\n", - NS_ConvertUTF16toUTF8(dictList[0]).get()); - if (NS_SUCCEEDED(rv)) { - printf ("***** Setting worked.\n"); + // If LANG does not work either, pick the first one. + if (NS_FAILED(rv)) { + if (dictList.Length() > 0) { + rv = SetCurrentDictionary(dictList[0]); } -#endif } - } + } } // If an error was thrown while setting the dictionary, just @@ -999,6 +928,7 @@ nsEditorSpellCheck::DictionaryFetched(DictionaryFetcher* aFetcher) // up. The user can manually reset the language to their choice on // the dialog if it is wrong. + // Dictionary has changed, so delete the suggested word list. DeleteSuggestedWordList(); return NS_OK; diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 67c632e71..62aedead2 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -1117,6 +1117,9 @@ pref("print.print_via_parent", false); // in a document. pref("extensions.spellcheck.inline.max-misspellings", 500); +// Predefined convenience pref for overriding the dictionary +pref("spellchecker.dictionary.override", ""); + // Prefs used by libeditor. Prefs specific to seamonkey composer // belong in comm-central/editor/ui/composer.js -- cgit v1.2.3 From 100db2d197aac98e3e9e0f59e4cbe7d902373cba Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 11 Sep 2017 18:50:38 +0200 Subject: Switch GeoLocation to IP-API.com with minimal requests. --- browser/app/profile/firefox.js | 6 +---- dom/system/NetworkGeolocationProvider.js | 41 +++++++++++++++++++++++++------- 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index 82f8e45a5..acb5cfa5d 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -1249,11 +1249,7 @@ pref("plain_text.wrap_long_lines", true); pref("dom.debug.propagate_gesture_events_through_content", false); // The request URL of the GeoLocation backend. -#ifdef RELEASE_OR_BETA -pref("geo.wifi.uri", "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%"); -#else -pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); -#endif +pref("geo.wifi.uri", "http://ip-api.com/json/?fields=lat,lon,status,message"); #ifdef XP_MACOSX #ifdef RELEASE_OR_BETA diff --git a/dom/system/NetworkGeolocationProvider.js b/dom/system/NetworkGeolocationProvider.js index ea2abe55f..ad15ed802 100644 --- a/dom/system/NetworkGeolocationProvider.js +++ b/dom/system/NetworkGeolocationProvider.js @@ -219,9 +219,20 @@ WifiGeoCoordsObject.prototype = { QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGeoPositionCoords]) }; -function WifiGeoPositionObject(lat, lng, acc) { +function WifiGeoPositionObject(lat, lng, acc, cc, tz, zip, city, rc, region, country, isp, org, as) { this.coords = new WifiGeoCoordsObject(lat, lng, acc, 0, 0); this.address = null; + this.countrycode = cc; + this.timezone = tz; + this.zipcode = zip; + this.postalcode = zip; + this.city = city; + this.regioncode = rc; + this.region = region; + this.country = country; + this.isp = isp; + this.org = org; + this.as = as; this.timestamp = Date.now(); } @@ -431,41 +442,54 @@ WifiGeoPositionProvider.prototype = { let xhr = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"] .createInstance(Ci.nsIXMLHttpRequest); - this.notifyListener("locationUpdatePending"); + // XXX: Dead code? + // this.notifyListener("locationUpdatePending"); try { - xhr.open("POST", url, true); + xhr.open("GET", url, true); xhr.channel.loadFlags = Ci.nsIChannel.LOAD_ANONYMOUS; } catch (e) { this.notifyListener("notifyError", [POSITION_UNAVAILABLE]); return; } - xhr.setRequestHeader("Content-Type", "application/json; charset=UTF-8"); xhr.responseType = "json"; xhr.mozBackgroundRequest = true; xhr.timeout = Services.prefs.getIntPref("geo.wifi.xhr.timeout"); + xhr.ontimeout = (function() { LOG("Location request XHR timed out.") this.notifyListener("notifyError", [POSITION_UNAVAILABLE]); }).bind(this); + xhr.onerror = (function() { this.notifyListener("notifyError", [POSITION_UNAVAILABLE]); }).bind(this); + xhr.onload = (function() { LOG("server returned status: " + xhr.status + " --> " + JSON.stringify(xhr.response)); if ((xhr.channel instanceof Ci.nsIHttpChannel && xhr.status != 200) || - !xhr.response || !xhr.response.location) { + !xhr.response || xhr.response.status == 'fail') { this.notifyListener("notifyError", [POSITION_UNAVAILABLE]); return; } - let newLocation = new WifiGeoPositionObject(xhr.response.location.lat, - xhr.response.location.lng, - xhr.response.accuracy); + let newLocation = new WifiGeoPositionObject(xhr.response.lat, + xhr.response.lon, + null, //accuracy not provided + xhr.response.countryCode, + xhr.response.timezone, + xhr.response.zip, + xhr.response.city, + xhr.response.region, + xhr.response.regionName, + xhr.response.country, + xhr.response.isp, + xhr.response.org, + xhr.response.as); this.notifyListener("update", [newLocation]); gCachedRequest = new CachedRequest(newLocation, data.cellTowers, data.wifiAccessPoints); @@ -478,6 +502,7 @@ WifiGeoPositionProvider.prototype = { notifyListener: function(listenerFunc, args) { args = args || []; + LOG("Notify listener " + listenerFunc); try { this.listener[listenerFunc].apply(this.listener, args); } catch(e) { -- cgit v1.2.3 From 8d29182cf055a03b37475f65a70b6abf321f96d9 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 27 Sep 2017 11:06:31 +0200 Subject: Add canvas data poisoning option. Tag #61. --- dom/canvas/CanvasRenderingContext2D.cpp | 73 ++++++++++++++++++++++++++------- modules/libpref/init/all.js | 4 ++ 2 files changed, 63 insertions(+), 14 deletions(-) diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp index 2ed39627e..b0a430fe4 100644 --- a/dom/canvas/CanvasRenderingContext2D.cpp +++ b/dom/canvas/CanvasRenderingContext2D.cpp @@ -68,6 +68,8 @@ #include "CanvasImageCache.h" #include +#include +#include #include "jsapi.h" #include "jsfriendapi.h" @@ -2083,6 +2085,18 @@ CanvasRenderingContext2D::GetInputStream(const char* aMimeType, return NS_ERROR_FAILURE; } + bool PoisonData = Preferences::GetBool("canvas.poisondata",false); + if (PoisonData) { + srand(time(NULL)); + // Image buffer is always a packed BGRA array (BGRX -> BGR[FF]) + // so always 4-byte pixels. + // GetImageBuffer => SurfaceToPackedBGRA [=> ConvertBGRXToBGRA] + for (int32_t j = 0; j < mWidth * mHeight * 4; ++j) { + if (imageBuffer[j] !=0 && imageBuffer[j] != 255) + imageBuffer[j] += rand() % 3 - 1; + } + } + return ImageEncoder::GetInputStream(mWidth, mHeight, imageBuffer.get(), format, encoder, aEncoderOptions, aStream); @@ -5698,6 +5712,14 @@ CanvasRenderingContext2D::GetImageData(JSContext* aCx, double aSx, return imageData.forget(); } +inline uint8_t PoisonValue(uint8_t v) +{ + if (v==0 || v==255) + return v; //don't fuzz edges to prevent overflow/underflow + + return v + rand() %3 -1; +} + nsresult CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx, int32_t aX, @@ -5712,6 +5734,10 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx, MOZ_ASSERT(aWidth && aHeight); + bool PoisonData = Preferences::GetBool("canvas.poisondata",false); + if (PoisonData) + srand(time(NULL)); + CheckedInt len = CheckedInt(aWidth) * aHeight * 4; if (!len.isValid()) { return NS_ERROR_DOM_INDEX_SIZE_ERR; @@ -5784,21 +5810,31 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx, uint8_t* dst = data + dstWriteRect.y * (aWidth * 4) + dstWriteRect.x * 4; + uint8_t a,r,g,b; + if (mOpaque) { for (int32_t j = 0; j < dstWriteRect.height; ++j) { for (int32_t i = 0; i < dstWriteRect.width; ++i) { // XXX Is there some useful swizzle MMX we can use here? #if MOZ_LITTLE_ENDIAN - uint8_t b = *src++; - uint8_t g = *src++; - uint8_t r = *src++; + b = *src++; + g = *src++; + r = *src++; src++; #else src++; - uint8_t r = *src++; - uint8_t g = *src++; - uint8_t b = *src++; + r = *src++; + g = *src++; + b = *src++; #endif + + // Poison data for trackers if enabled + if (PoisonData) { + PoisonValue(r); + PoisonValue(g); + PoisonValue(b); + } + *dst++ = r; *dst++ = g; *dst++ = b; @@ -5812,16 +5848,25 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx, for (int32_t i = 0; i < dstWriteRect.width; ++i) { // XXX Is there some useful swizzle MMX we can use here? #if MOZ_LITTLE_ENDIAN - uint8_t b = *src++; - uint8_t g = *src++; - uint8_t r = *src++; - uint8_t a = *src++; + b = *src++; + g = *src++; + r = *src++; + a = *src++; #else - uint8_t a = *src++; - uint8_t r = *src++; - uint8_t g = *src++; - uint8_t b = *src++; + a = *src++; + r = *src++; + g = *src++; + b = *src++; #endif + + // Poison data for trackers if enabled + if (PoisonData) { + PoisonValue(a); + PoisonValue(r); + PoisonValue(g); + PoisonValue(b); + } + // Convert to non-premultiplied color *dst++ = gfxUtils::sUnpremultiplyTable[a * 256 + r]; *dst++ = gfxUtils::sUnpremultiplyTable[a * 256 + g]; diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 62aedead2..d51172f42 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -4448,6 +4448,10 @@ pref("image.multithreaded_decoding.limit", -1); // cache. pref("canvas.image.cache.limit", 0); +// Allow track-fobics to deliberately poison canvas data for +// toDataURL() and getImageData() +pref("canvas.poisondata", false); + // WebGL prefs #ifdef ANDROID // Disable MSAA on mobile. -- cgit v1.2.3 From 5e809640e3e3f291bc9b005af33590e167099fba Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sat, 30 Sep 2017 13:29:49 +0200 Subject: Disable the add-ons "cache" for privacy reasons. --- browser/app/profile/firefox.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index acb5cfa5d..465b5349f 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -40,7 +40,7 @@ pref("extensions.checkCompatibility.temporaryThemeOverride_minAppVersion", "29.0 pref("xpinstall.customConfirmationUI", true); // Preferences for AMO integration -pref("extensions.getAddons.cache.enabled", true); +pref("extensions.getAddons.cache.enabled", false); pref("extensions.getAddons.maxResults", 15); pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/%LOCALE%/firefox/api/%API_VERSION%/search/guid:%IDS%?src=firefox&appOS=%OS%&appVersion=%VERSION%"); pref("extensions.getAddons.getWithPerformance.url", "https://services.addons.mozilla.org/%LOCALE%/firefox/api/%API_VERSION%/search/guid:%IDS%?src=firefox&appOS=%OS%&appVersion=%VERSION%&tMain=%TIME_MAIN%&tFirstPaint=%TIME_FIRST_PAINT%&tSessionRestored=%TIME_SESSION_RESTORED%"); -- cgit v1.2.3 From b80de6fe930792c94c9e64dd3867ffb1d663f16f Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 6 Oct 2017 19:04:24 +0200 Subject: Disable window.showModalDialog. This is no longer in the spec. --- modules/libpref/init/all.js | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index d51172f42..0a92c6d17 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -1145,6 +1145,7 @@ pref("dom.disable_window_open_feature.menubar", false); pref("dom.disable_window_open_feature.resizable", true); pref("dom.disable_window_open_feature.minimizable", false); pref("dom.disable_window_open_feature.status", true); +pref("dom.disable_window_showModalDialog", true); pref("dom.allow_scripts_to_close_windows", false); -- cgit v1.2.3