Bug 402287 - register{Protocol,Content}Handler should only be allowed from same host as handler. r=gavin, a=blocking1.9+

florian@queze.net 2008-02-08 15:04:30 -08:00
parent 0aae0a8949
commit 94d31a377c
2 changed files with 16 additions and 4 deletions


@ -542,6 +542,9 @@ pref("gecko.handlerService.defaultHandlersVersion", "0");
pref("gecko.handlerService.schemes.webcal.0.name", "WebCal Test Handler");
pref("gecko.handlerService.schemes.webcal.0.uriTemplate", "http://handler-test.mozilla.org/webcal?url=%s");
// By default, we don't want protocol/content handlers to be registered from a different host, see bug 402287
pref("gecko.handlerService.allowRegisterFromDifferentHost", false);
#ifdef MOZ_SAFE_BROWSING
// Safe browsing does nothing unless both these prefs are set.
pref("browser.safebrowsing.enabled", true);
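Review bot: The comment on `gecko.handlerService.allowRegisterFromDifferentHost` should say that this is a test switch that turns off a security check. The registrar code in this commit reads the pref only behind `prefHasUserValue`, so the default written here never decides the outcome. Something like `// Test-only: a user-set value of true disables the same-host check for register{Protocol,Content}Handler (bug 402287)` would make that clear. It is also worth confirming that ignoring the default branch is intended.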


@ -62,6 +62,7 @@ const PREF_CONTENTHANDLERS_BRANCH = "browser.contentHandlers.types.";
const PREF_SELECTED_WEB = "browser.feeds.handlers.webservice";
const PREF_SELECTED_ACTION = "browser.feeds.handler";
const PREF_SELECTED_READER = "browser.feeds.handler.default";
const PREF_ALLOW_DIFFERENT_HOST = "gecko.handlerService.allowRegisterFromDifferentHost";
const STRING_BUNDLE_URI = "chrome://browser/locale/feeds/subscribe.properties";
@ -346,7 +347,7 @@ WebContentConverterRegistrar.prototype = {
},
_checkAndGetURI:
function WCCR_checkAndGetURI(aURIString)
function WCCR_checkAndGetURI(aURIString, aContentWindow)
{
try {
var uri = this._makeURI(aURIString);
@ -355,13 +356,21 @@ WebContentConverterRegistrar.prototype = {
return;
}
// For security reasons we reject non-http(s) urls (see bug Bug 354316),
// For security reasons we reject non-http(s) urls (see bug 354316),
// we may need to revise this once we support more content types
// XXX this should be a "security exception" according to spec, but that
// isn't defined yet.
if (uri.scheme != "http" && uri.scheme != "https")
throw("Permission denied to add " + uri.spec + " as a content or protocol handler");
// We also reject handlers registered from a different host (see bug 402287)
// The pref allows us to test the feature
var pb = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
if ((!pb.prefHasUserValue(PREF_ALLOW_DIFFERENT_HOST) ||
!pb.getBoolPref(PREF_ALLOW_DIFFERENT_HOST)) &&
aContentWindow.location.hostname != uri.host)
throw("Permision denied to add " + uri.spec + " as a content or protocol handler");
// If the uri doesn't contain '%s', it won't be a good handler
if (uri.spec.indexOf("%s") < 0)
throw NS_ERROR_DOM_SYNTAX_ERR;
@ -413,7 +422,7 @@ WebContentConverterRegistrar.prototype = {
throw("Permission denied to add " + aURIString + "as a protocol handler");
}
var uri = this._checkAndGetURI(aURIString);
var uri = this._checkAndGetURI(aURIString, aContentWindow);
var buttons, message;
if (this._protocolHandlerRegistered(aProtocol, uri.spec))
@ -489,7 +498,7 @@ WebContentConverterRegistrar.prototype = {
if (contentType != TYPE_MAYBE_FEED)
return;
var uri = this._checkAndGetURI(aURIString);
var uri = this._checkAndGetURI(aURIString, aContentWindow);
var browserWindow = this._getBrowserWindowForContentWindow(aContentWindow);
var browserElement = this._getBrowserForContentWindow(browserWindow, aContentWindow);
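Review bot: The new check in `_checkAndGetURI` compares only `aContentWindow.location.hostname` with `uri.host`, so scheme and port play no part in the decision. A page loaded over http can register an https handler on the same host name, and a handler URL on another port of that host passes too. If host-only matching is deliberate, say so in the comment, e.g. `// Host-only comparison: scheme and port are intentionally not checked (bug 402287)`; if same-origin is wanted, scheme and port need comparing as well. The added throw also spells its message `"Permision denied to add "`, while the existing throw a few lines above uses `"Permission denied to add "`; the two should match. The body of `_checkAndGetURI` starts and continues outside the hunks shown.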