Fix possible referrer spoofing b=363179 r=IanN sr=jag

2024-10-27 20:25:44 +00:00 · 2006-12-16 20:10:37 +00:00 · 2006-12-16 20:10:37 +00:00 · 26000a28a6
commit 26000a28a6
parent 3390a3b656
3 changed files with 30 additions and 31 deletions
--- a/suite/common/contentAreaClick.js
+++ b/suite/common/contentAreaClick.js
@ -178,7 +178,7 @@
    if (ceParams) {
      var href = ceParams.href;
      if (isKeyCommand) {
-        openNewTabWith(href, true, event.shiftKey);
+        openNewTabWith(href, event.target.ownerDocument, event.shiftKey);
        event.stopPropagation();
      }
      else {
@ -236,18 +236,18 @@
    return false;
  }

-  function openNewTabOrWindow(event, href, sendReferrer)
+  function openNewTabOrWindow(event, href, doc)
  {
    // should we open it in a new tab?
    if (pref && pref.getBoolPref("browser.tabs.opentabfor.middleclick")) {
-      openNewTabWith(href, sendReferrer, event.shiftKey);
+      openNewTabWith(href, doc, event.shiftKey);
      event.stopPropagation();
      return true;
    }

    // should we open it in a new window?
    if (pref && pref.getBoolPref("middlemouse.openNewWindow")) {
-      openNewWindowWith(href, sendReferrer);
+      openNewWindowWith(href, doc);
      event.stopPropagation();
      return true;
    }
@ -258,13 +258,13 @@

  function handleLinkClick(event, href, linkNode)
  {
-    // Make sure we are allowed to open this URL
-    urlSecurityCheck(href, document);
+    // Checking to make sure we are allowed to open this URL
+    // (call to urlSecurityCheck) is now done within openNew... functions

    switch (event.button) {                                   
      case 0:                                                         // if left button clicked
        if (event.metaKey || event.ctrlKey) {                         // and meta or ctrl are down
-          if (openNewTabOrWindow(event, href, true))
+          if (openNewTabOrWindow(event, href, linkNode.ownerDocument))
            return true;
        } 
        var saveModifier = true;
@ -278,15 +278,15 @@
        saveModifier = saveModifier ? event.shiftKey : event.altKey;
          
        if (saveModifier) {                                           // if saveModifier is down
-          saveURL(href, linkNode ? gatherTextUnder(linkNode) : "",
-                  "SaveLinkTitle", false, getReferrer(document));
+          saveURL(href, gatherTextUnder(linkNode), "SaveLinkTitle",
+                  false, getReferrer(linkNode.ownerDocument));
          return true;
        }
        if (event.altKey)                                             // if alt is down
          return true;                                                // do nothing
        return false;
      case 1:                                                         // if middle button clicked
-        if (openNewTabOrWindow(event, href, true))
+        if (openNewTabOrWindow(event, href, linkNode.ownerDocument))
          return true;
        break;
    }
@ -311,7 +311,7 @@

      url = gURIFixup.createFixupURI(url, nsIURIFixup.FIXUP_FLAGS_MAKE_ALTERNATE_URI).spec;

-      return openNewTabOrWindow(event, url, false);
+      return openNewTabOrWindow(event, url, null);
    }

    // If ctrl wasn't down, then just load the url in the targeted win/tab.
--- a/suite/common/contentAreaUtils.js
+++ b/suite/common/contentAreaUtils.js
@ -82,11 +82,14 @@ function getContentFrameDocument(aFocusedWindow)

 function getReferrer(doc)
 {
-  var focusedWindow = doc.commandDispatcher.focusedWindow;
-  var sourceDocument = getContentFrameDocument(focusedWindow);
+  if (!doc)
+    return null;
+
+  if (doc == document) // compatibility
+    doc = getContentFrameDocument(document.commandDispatcher.focusedWindow);

  try {
-    return makeURI(sourceDocument.location.href, sourceDocument.characterSet);
+    return makeURI(doc.location.href, doc.characterSet);
  } catch (e) {
    return null;
  }
@ -95,30 +98,28 @@ function getReferrer(doc)
 function openAsExternal(aURL)
 {
  openNewTabWindowOrExistingWith(pref.getIntPref("browser.link.open_external"),
-                                 aURL, false, false);
+                                 aURL, null, false);
 }

-function openNewWindowWith(aURL, aSendReferrer)
+function openNewWindowWith(aURL, aDoc)
 {
-  openNewTabWindowOrExistingWith(kNewWindow, aURL, aSendReferrer, false);
+  openNewTabWindowOrExistingWith(kNewWindow, aURL, aDoc, false);
 }

-function openNewTabWith(aURL, aSendReferrer, aReverseBackgroundPref)
+function openNewTabWith(aURL, aDoc, aReverseBackgroundPref)
 {
-  openNewTabWindowOrExistingWith(kNewTab, aURL, aSendReferrer, aReverseBackgroundPref);
+  openNewTabWindowOrExistingWith(kNewTab, aURL, aDoc, aReverseBackgroundPref);
 }

-function openNewTabWindowOrExistingWith(aType, aURL, aSendReferrer, aReverseBackgroundPref)
+function openNewTabWindowOrExistingWith(aType, aURL, aDoc, aReverseBackgroundPref)
 {
  // Make sure we are allowed to open this url
  urlSecurityCheck(aURL, document);

  // get referrer, if as external should be null
-  var referrer = aSendReferrer ? getReferrer(document) : null;
+  var referrer = getReferrer(aDoc);

-  var browser;
  var browserWin;
-
  // if we're not opening a new window, try and find existing window
  if (aType != kNewWindow)
    browserWin = getTopWin();
@ -143,7 +144,7 @@ function openNewTabWindowOrExistingWith(aType, aURL, aSendReferrer, aReverseBack
  }

  // Get the existing browser object
-  browser = browserWin.getBrowser();
+  var browser = browserWin.getBrowser();

  // Open link in an existing window.
  if (aType == kExistingWindow) {
--- a/suite/common/nsContextMenu.js
+++ b/suite/common/nsContextMenu.js
@ -600,17 +600,17 @@ nsContextMenu.prototype = {
    // Open linked-to URL in a new window.
    openLink : function () {
        // Determine linked-to URL.
-        openNewWindowWith( this.linkURL(), true );
+        openNewWindowWith( this.linkURL(), this.target.ownerDocument );
    },
    // Open linked-to URL in a new tab.
    openLinkInTab : function ( reverseBackgroundPref ) {
        // Determine linked-to URL.
-        openNewTabWith( this.linkURL(), true, reverseBackgroundPref );
+        openNewTabWith( this.linkURL(), this.target.ownerDocument, reverseBackgroundPref );
    },
    // Open frame in a new tab.
    openFrameInTab : function ( reverseBackgroundPref ) {
        // Determine linked-to URL.
-        openNewTabWith( this.target.ownerDocument.location.href, true, reverseBackgroundPref );
+        openNewTabWith( this.target.ownerDocument.location.href, this.target.ownerDocument, reverseBackgroundPref );
    },
    // Reload clicked-in frame.
    reloadFrame : function () {
@ -706,14 +706,12 @@ nsContextMenu.prototype = {
    // Save URL of clicked-on link.
    saveLink : function () {
        saveURL( this.linkURL(), this.linkText(), null, true,
-                 getReferrer(document) );
+                 getReferrer(this.target.ownerDocument) );
    },
    // Save URL of clicked-on image.
    saveImage : function () {
-        // Note: getReferrer wants our chrome document, not the actual
-        // target document; it handles getting that itself.
        saveImageURL( this.imageURL, null, "SaveImageTitle", false,
-                      getReferrer(document) );
+                      getReferrer(this.target.ownerDocument) );
    },
    // Generate email address.
    getEmail : function () {