form action=javascript: shouldn't trigger the insecure submit warning (bug 182179). Patch by Iain MacDonnell, r=dveditz, sr=darin, a=asa

2024-10-14 13:55:43 +00:00 · 2005-07-31 19:06:27 +00:00 · 2005-07-31 19:06:27 +00:00 · 4cdd3ba458
commit 4cdd3ba458
parent 9096d968f8
2 changed files with 30 additions and 9 deletions
--- a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
@ -1246,14 +1246,25 @@ nsSecureBrowserUIImpl::GetSSLStatus(nsISupports** _result)
 nsresult
 nsSecureBrowserUIImpl::IsURLHTTPS(nsIURI* aURL, PRBool* value)
 {
-	*value = PR_FALSE;
+  *value = PR_FALSE;

-	if (!aURL)
-		return NS_OK;
+  if (!aURL)
+    return NS_OK;

  return aURL->SchemeIs("https", value);
 }

+nsresult
+nsSecureBrowserUIImpl::IsURLJavaScript(nsIURI* aURL, PRBool* value)
+{
+  *value = PR_FALSE;
+
+  if (!aURL)
+    return NS_OK;
+
+  return aURL->SchemeIs("javascript", value);
+}
+
 void
 nsSecureBrowserUIImpl::GetBundleString(const PRUnichar* name,
                                       nsAString &outString)
@ -1265,9 +1276,9 @@ nsSecureBrowserUIImpl::GetBundleString(const PRUnichar* name,
      outString = ptrv;
    else
      outString.SetLength(0);
-    
+
    nsMemory::Free(ptrv);
-    
+
  } else {
    outString.SetLength(0);
  }
@ -1276,7 +1287,7 @@ nsSecureBrowserUIImpl::GetBundleString(const PRUnichar* name,
 nsresult
 nsSecureBrowserUIImpl::CheckPost(nsIURI *formURL, nsIURI *actionURL, PRBool *okayToPost)
 {
-  PRBool formSecure,actionSecure;
+  PRBool formSecure, actionSecure, actionJavaScript;
  *okayToPost = PR_TRUE;

  nsresult rv = IsURLHTTPS(formURL, &formSecure);
@ -1286,21 +1297,30 @@ nsSecureBrowserUIImpl::CheckPost(nsIURI *formURL, nsIURI *actionURL, PRBool *oka
  rv = IsURLHTTPS(actionURL, &actionSecure);
  if (NS_FAILED(rv))
    return rv;
-  
+
+  rv = IsURLJavaScript(actionURL, &actionJavaScript);
+  if (NS_FAILED(rv))
+    return rv;
+
  // If we are posting to a secure link, all is okay.
  // It doesn't matter whether the currently viewed page is secure or not,
  // because the data will be sent to a secure URL.
  if (actionSecure) {
    return NS_OK;
  }
-    
+
+  // Action is a JavaScript call, not an actual post. That's okay too.
+  if (actionJavaScript) {
+    return NS_OK;
+  }
+
  // posting to insecure webpage from a secure webpage.
  if (formSecure) {
    *okayToPost = ConfirmPostToInsecureFromSecure();
  } else {
    *okayToPost = ConfirmPostToInsecure();
  }
-  
+
  return NS_OK;
 }

--- a/security/manager/boot/src/nsSecureBrowserUIImpl.h
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.h
@ -132,6 +132,7 @@ protected:
  
  nsresult CheckPost(nsIURI *formURI, nsIURI *actionURL, PRBool *okayToPost);
  nsresult IsURLHTTPS(nsIURI* aURL, PRBool *value);
+  nsresult IsURLJavaScript(nsIURI* aURL, PRBool *value);

  PRBool ConfirmEnteringSecure();
  PRBool ConfirmEnteringWeak();