diff options
author | Thomas Groman <tgroman@nuegia.net> | 2019-12-16 19:48:42 -0800 |
---|---|---|
committer | Thomas Groman <tgroman@nuegia.net> | 2019-12-16 19:48:42 -0800 |
commit | 4492b5f8e774bf3b4f21e4e468fc052cbcbb468a (patch) | |
tree | 37970571a7dcbeb6b58c991ce718ce7001ac97d6 /components/certerror | |
download | webbrowser-4492b5f8e774bf3b4f21e4e468fc052cbcbb468a.tar webbrowser-4492b5f8e774bf3b4f21e4e468fc052cbcbb468a.tar.gz webbrowser-4492b5f8e774bf3b4f21e4e468fc052cbcbb468a.tar.lz webbrowser-4492b5f8e774bf3b4f21e4e468fc052cbcbb468a.tar.xz webbrowser-4492b5f8e774bf3b4f21e4e468fc052cbcbb468a.zip |
initial commit
Diffstat (limited to 'components/certerror')
-rw-r--r-- | components/certerror/content/aboutCertError.css | 17 | ||||
-rw-r--r-- | components/certerror/content/aboutCertError.xhtml | 247 | ||||
-rw-r--r-- | components/certerror/jar.mn | 7 | ||||
-rw-r--r-- | components/certerror/moz.build | 7 |
4 files changed, 278 insertions, 0 deletions
diff --git a/components/certerror/content/aboutCertError.css b/components/certerror/content/aboutCertError.css new file mode 100644 index 0000000..059d812 --- /dev/null +++ b/components/certerror/content/aboutCertError.css @@ -0,0 +1,17 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* Logical CSS rules belong here, but presentation & theming rules + should live in the CSS of the appropriate theme */ + +#technicalContentText { + overflow: auto; + white-space: pre-wrap; +} + +.expander[hidden], +.expander[hidden] + *, +.expander[collapsed] + * { + display: none; +} diff --git a/components/certerror/content/aboutCertError.xhtml b/components/certerror/content/aboutCertError.xhtml new file mode 100644 index 0000000..c8a7e44 --- /dev/null +++ b/components/certerror/content/aboutCertError.xhtml @@ -0,0 +1,247 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!DOCTYPE html [ + <!ENTITY % htmlDTD + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "DTD/xhtml1-strict.dtd"> + %htmlDTD; + <!ENTITY % globalDTD + SYSTEM "chrome://global/locale/global.dtd"> + %globalDTD; + <!ENTITY % certerrorDTD + SYSTEM "chrome://browser/locale/aboutCertError.dtd"> + %certerrorDTD; +]> + +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <title>&certerror.pagetitle;</title> + <link rel="stylesheet" href="chrome://browser/skin/aboutCertError.css" type="text/css" media="all" /> + <link rel="stylesheet" href="chrome://browser/content/certerror/aboutCertError.css" type="text/css" media="all" /> + <!-- This page currently uses the same favicon as neterror.xhtml. + If the location of the favicon is changed for both pages, the + FAVICON_ERRORPAGE_URL symbol in toolkit/components/places/src/nsFaviconService.h + should be updated. If this page starts using a different favicon + than neterror.xhtml nsFaviconService->SetAndLoadFaviconForPage + should be updated to ignore this one as well. --> + <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/warning-16.png"/> + + <script type="application/javascript"><![CDATA[ + // Error url MUST be formatted like this: + // about:certerror?e=error&u=url&d=desc + + // Note that this file uses document.documentURI to get + // the URL (with the format from above). This is because + // document.location.href gets the current URI off the docshell, + // which is the URL displayed in the location bar, i.e. + // the URI that the user attempted to load. + + function getCSSClass() + { + var url = document.documentURI; + var matches = url.match(/s\=([^&]+)\&/); + // s is optional, if no match just return nothing + if (!matches || matches.length < 2) + return ""; + + // parenthetical match is the second entry + return decodeURIComponent(matches[1]); + } + + function getDescription() + { + var url = document.documentURI; + var desc = url.search(/d\=/); + + // desc == -1 if not found; if so, return an empty string + // instead of what would turn out to be portions of the URI + if (desc == -1) + return ""; + + return decodeURIComponent(url.slice(desc + 2)); + } + + function initPage() + { + // Replace the "#1" string in the intro with the hostname. Trickier + // than it might seem since we want to preserve the <b> tags, but + // not allow for any injection by just using innerHTML. Instead, + // just find the right target text node. + var intro = document.getElementById('introContentP1'); + function replaceWithHost(node) { + if (node.textContent == "#1") + node.textContent = location.host; + else + for(var i = 0; i < node.childNodes.length; i++) + replaceWithHost(node.childNodes[i]); + }; + replaceWithHost(intro); + + if (getCSSClass() == "expertBadCert") { + toggle('technicalContent'); + toggle('expertContent'); + } + + // Disallow overrides if this is a Strict-Transport-Security + // host and the cert is bad (STS Spec section 7.3) or if the + // certerror is in a frame (bug 633691). + if (getCSSClass() == "badStsCert" || window != top) + document.getElementById("expertContent").setAttribute("hidden", "true"); + + var tech = document.getElementById("technicalContentText"); + if (tech) + tech.textContent = getDescription(); + + addDomainErrorLink(); + } + + /* In the case of SSL error pages about domain mismatch, see if + we can hyperlink the user to the correct site. We don't want + to do this generically since it allows MitM attacks to redirect + users to a site under attacker control, but in certain cases + it is safe (and helpful!) to do so. Bug 402210 + */ + function addDomainErrorLink() { + // Rather than textContent, we need to treat description as HTML + var sd = document.getElementById("technicalContentText"); + if (sd) { + var desc = getDescription(); + + // sanitize description text - see bug 441169 + + // First, find the index of the <a> tag we care about, being careful not to + // use an over-greedy regex + var re = /<a id="cert_domain_link" title="([^"]+)">/; + var result = re.exec(desc); + if(!result) + return; + + // Remove sd's existing children + sd.textContent = ""; + + // Everything up to the link should be text content + sd.appendChild(document.createTextNode(desc.slice(0, result.index))); + + // Now create the link itself + var anchorEl = document.createElement("a"); + anchorEl.setAttribute("id", "cert_domain_link"); + anchorEl.setAttribute("title", result[1]); + anchorEl.appendChild(document.createTextNode(result[1])); + sd.appendChild(anchorEl); + + // Finally, append text for anything after the closing </a> + sd.appendChild(document.createTextNode(desc.slice(desc.indexOf("</a>") + "</a>".length))); + } + + var link = document.getElementById('cert_domain_link'); + if (!link) + return; + + var okHost = link.getAttribute("title"); + var thisHost = document.location.hostname; + var proto = document.location.protocol; + + // If okHost is a wildcard domain ("*.example.com") let's + // use "www" instead. "*.example.com" isn't going to + // get anyone anywhere useful. bug 432491 + okHost = okHost.replace(/^\*\./, "www."); + + /* case #1: + * example.com uses an invalid security certificate. + * + * The certificate is only valid for www.example.com + * + * Make sure to include the "." ahead of thisHost so that + * a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com" + * + * We'd normally just use a RegExp here except that we lack a + * library function to escape them properly (bug 248062), and + * domain names are famous for having '.' characters in them, + * which would allow spurious and possibly hostile matches. + */ + if (endsWith(okHost, "." + thisHost)) + link.href = proto + okHost; + + /* case #2: + * browser.garage.maemo.org uses an invalid security certificate. + * + * The certificate is only valid for garage.maemo.org + */ + if (endsWith(thisHost, "." + okHost)) + link.href = proto + okHost; + + // If we set a link, meaning there's something helpful for + // the user here, expand the section by default + if (link.href && getCSSClass() != "expertBadCert") + toggle("technicalContent"); + } + + function endsWith(haystack, needle) { + return haystack.slice(-needle.length) == needle; + } + + function toggle(id) { + var el = document.getElementById(id); + if (el.getAttribute("collapsed")) + el.removeAttribute("collapsed"); + else + el.setAttribute("collapsed", true); + } + ]]></script> + </head> + + <body dir="&locale.dir;"> + + <!-- PAGE CONTAINER (for styling purposes only) --> + <div id="errorPageContainer"> + + <!-- Error Title --> + <div id="errorTitle"> + <h1 id="errorTitleText">&certerror.longpagetitle;</h1> + </div> + + <!-- LONG CONTENT (the section most likely to require scrolling) --> + <div id="errorLongContent"> + <div id="introContent"> + <p id="introContentP1">&certerror.introPara1;</p> + <p>&certerror.introPara2;</p> + </div> + + <div id="whatShouldIDoContent"> + <h2>&certerror.whatShouldIDo.heading;</h2> + <div id="whatShouldIDoContentText"> + <p>&certerror.whatShouldIDo.content;</p> + <button id='getMeOutOfHereButton'>&certerror.getMeOutOfHere.label;</button> + </div> + </div> + + <!-- The following sections can be unhidden by default by setting the + "browser.xul.error_pages.expert_bad_cert" pref to true --> + <h2 id="technicalContent" class="expander" collapsed="true"> + <button onclick="toggle('technicalContent');">&certerror.technical.heading;</button> + </h2> + <p id="technicalContentText"/> + + <h2 id="expertContent" class="expander" collapsed="true"> + <button onclick="toggle('expertContent');">&certerror.expert.heading;</button> + </h2> + <div> + <p>&certerror.expert.content;</p> + <p>&certerror.expert.contentPara2;</p> + <button id='exceptionDialogButton'>&certerror.addException.label;</button> + </div> + </div> + </div> + + <!-- + - Note: It is important to run the script this way, instead of using + - an onload handler. This is because error pages are loaded as + - LOAD_BACKGROUND, which means that onload handlers will not be executed. + --> + <script type="application/javascript">initPage();</script> + + </body> +</html> diff --git a/components/certerror/jar.mn b/components/certerror/jar.mn new file mode 100644 index 0000000..08e0710 --- /dev/null +++ b/components/certerror/jar.mn @@ -0,0 +1,7 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +browser.jar: + content/browser/certerror/aboutCertError.xhtml (content/aboutCertError.xhtml) + content/browser/certerror/aboutCertError.css (content/aboutCertError.css) diff --git a/components/certerror/moz.build b/components/certerror/moz.build new file mode 100644 index 0000000..c97072b --- /dev/null +++ b/components/certerror/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file |