bug 284627 need checkLoadURI for sidebar panels. patch by mconnor,r=bz,r=bryner,sr=dveditz
parent
2ea52f6980
commit
0059837e51
@ -4647,7 +4647,7 @@ function asyncOpenWebPanel(event)
|
||||
break;
|
||||
}
|
||||
if (linkNode) {
|
||||
var wrapper = new XPCNativeWrapper(linkNode, "href", "getAttribute()");
|
||||
var wrapper = new XPCNativeWrapper(linkNode, "href", "getAttribute()", "ownerDocument");
|
||||
if (event.button == 0 && !event.ctrlKey && !event.shiftKey &&
|
||||
!event.altKey && !event.metaKey) {
|
||||
// A Web panel's links should target the main content area. Do this
|
||||
@ -4655,13 +4655,24 @@ function asyncOpenWebPanel(event)
|
||||
// _main (the IE convention) or _content (the Mozilla convention).
|
||||
// The only reason we field _main and _content here is for the markLinkVisited
|
||||
// hack.
|
||||
target = linkNode.getAttribute("target");
|
||||
target = wrapper.getAttribute("target");
|
||||
if (fieldNormalClicks &&
|
||||
(!target || target == "_content" || target == "_main"))
|
||||
// IE uses _main, SeaMonkey uses _content, we support both
|
||||
{
|
||||
if (!wrapper.href) return true;
|
||||
if (linkNode.getAttribute("onclick")) return true;
|
||||
if (!wrapper.href)
|
||||
return true;
|
||||
if (wrapper.getAttribute("onclick"))
|
||||
return true;
|
||||
// javascript links should be executed in the current browser
|
||||
if (wrapper.href.substr(0, 11) === "javascript:")
|
||||
return true;
|
||||
|
||||
var docWrapper = new XPCNativeWrapper(wrapper.ownerDocument, "location");
|
||||
var locWrapper = new XPCNativeWrapper(docWrapper.location, "href");
|
||||
if (!webPanelSecurityCheck(locWrapper.href, wrapper.href))
|
||||
return false;
|
||||
|
||||
var postData = { };
|
||||
var url = getShortcutOrURI(wrapper.href, postData);
|
||||
if (!url)
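Review bot: The new load check in the second hunk validates `wrapper.href`, but the value used afterwards is whatever `getShortcutOrURI(wrapper.href, postData)` returns, so the URL that is checked and the URL that is loaded can differ if that helper rewrites its input (it is defined outside this page, so this is inferred from its name and the `postData` out-parameter). Running the check on the resolved value closes that gap: call `webPanelSecurityCheck(locWrapper.href, url)` after the `getShortcutOrURI` line instead of before it. Reading `wrapper.href` once into a local would also make it obvious that the empty test, the `javascript:` test and the load all see the same string. The `onclick` and `javascript:` early returns sit ahead of the check, so those links never reach `checkLoadURI`; a one-line comment saying that is intentional would help the next reader. `asyncOpenWebPanel` starts and ends outside these hunks.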
|
||||
|
@ -140,6 +140,21 @@ function urlSecurityCheck(url, doc)
|
||||
}
|
||||
}
|
||||
|
||||
function webPanelSecurityCheck(aSourceURL, aDestURL) {
|
||||
var sourceURI = makeURI(aSourceURL);
|
||||
var destURI = makeURI(aDestURL);
|
||||
|
||||
const nsIScriptSecurityManager = Components.interfaces.nsIScriptSecurityManager;
|
||||
var secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
|
||||
.getService(nsIScriptSecurityManager);
|
||||
try {
|
||||
secMan.checkLoadURI(sourceURI, destURI, nsIScriptSecurityManager.STANDARD);
|
||||
} catch (e) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
function isContentFrame(aFocusedWindow)
|
||||
{
|
||||
if (!aFocusedWindow)
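Review bot: `webPanelSecurityCheck` builds both URIs before entering the `try`, so a spec that `makeURI` rejects would throw out of the helper instead of producing the `false` that the caller in `asyncOpenWebPanel` tests for. `makeURI` is defined elsewhere, so this is inferred from how URI construction usually behaves. Moving `var sourceURI = makeURI(aSourceURL);` and `var destURI = makeURI(aDestURL);` inside the `try` makes the helper fail closed on malformed input. The bare `catch (e)` also discards why a load was refused, so a header comment stating that any exception from URI parsing or `checkLoadURI` is treated as a denial, and that `STANDARD` is the policy applied, would document the contract.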
|
||||
|