XForms Bug 284519 - Need preference for whitelisting submission, instance loading, etc.. r=allan/smaug a=mkaply

2024-11-26 14:22:01 +00:00 · 2005-06-28 16:30:50 +00:00 · 2005-06-28 16:30:50 +00:00 · 963838e2d3
commit 963838e2d3
parent 6705cf2d0e
14 changed files with 424 additions and 10 deletions
--- a/extensions/xforms/Makefile.in
+++ b/extensions/xforms/Makefile.in
@ -70,6 +70,7 @@ REQUIRES	= \
 		transformiix \
 		schemavalidation \
 		intl \
 		pref \
 		$(NULL)
 XPIDLSRCS	= \
--- a/extensions/xforms/jar.mn
+++ b/extensions/xforms/jar.mn
@ -1,6 +1,14 @@
 xforms.jar:
-	content/xforms/contents.rdf
+% overlay	chrome://browser/content/preferences/preferences.xul	chrome://xforms/content/xforms-prefs.xul
-	content/xforms/xforms.xml
+% content	xforms	%content/xforms/
-*	content/xforms/xforms.css
+% locale	xforms	en-US	%locale/en-US/xforms/
  content/xforms/contents.rdf                  (resources/content/contents.rdf)
 * content/xforms/xforms.css                    (resources/content/xforms.css)
 * content/xforms/xforms-prefs.xul              (resources/content/xforms-prefs.xul)
 * content/xforms/xforms-prefs-ui.xul           (resources/content/xforms-prefs-ui.xul)
 * content/xforms/xforms-prefs.js               (resources/content/xforms-prefs.js)
 	content/xforms/xforms.xml                    (resources/content/xforms.xml)
 * locale/en-US/xforms/contents.rdf             (resources/locale/en-US/contents.rdf)
  locale/en-US/xforms/xforms.properties        (resources/locale/en-US/xforms.properties)
  locale/en-US/xforms/xforms.dtd               (resources/locale/en-US/xforms.dtd)
--- a/extensions/xforms/nsXFormsSubmissionElement.cpp
+++ b/extensions/xforms/nsXFormsSubmissionElement.cpp
@ -89,6 +89,9 @@
 #include "nsNetUtil.h"
 #include "nsXFormsUtils.h"
 #include "nsIDOMNamedNodeMap.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 // namespace literals
 #define NAMESPACE_XML_SCHEMA \
@ -811,20 +814,70 @@ nsXFormsSubmissionElement::SerializeDataXML(nsIDOMNode *data,
 PRBool
 nsXFormsSubmissionElement::CheckSameOrigin(nsIURI *aBaseURI, nsIURI *aTestURI)
 {
  PRBool result = PR_TRUE;
  // We require same-origin for replace="instance" or XML submission
  if (mFormat & (ENCODING_XML | ENCODING_MULTIPART_RELATED) || mIsReplaceInstance) {
-    // if we don't replace the instance, we allow file:// to send the data
+    // if we don't replace the instance, we allow file:// or sites whitelisted
-    PRBool schemeIsFile = PR_FALSE;
+    // to submit data
    if (!mIsReplaceInstance) {
-      aBaseURI->SchemeIs("file", &schemeIsFile);
+      aBaseURI->SchemeIs("file", &result);
      // lets check the permission manager
      if (!result) {
        result = CheckPermissionManager(aBaseURI);
      }
    }
-    if (!schemeIsFile)
+    if (!result) {
-      return nsXFormsUtils::CheckSameOrigin(aBaseURI, aTestURI);
+      result = nsXFormsUtils::CheckSameOrigin(aBaseURI, aTestURI);
    }
  }
-  return PR_TRUE;
+
  return result;
 }
 PRBool
 nsXFormsSubmissionElement::CheckPermissionManager(nsIURI *aBaseURI)
 {
  PRBool result = PR_FALSE;
  nsresult rv;
  nsCOMPtr<nsIPrefBranch> prefBranch =
    do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
  PRUint32 permission = nsIPermissionManager::UNKNOWN_ACTION;
  if (NS_SUCCEEDED(rv) && prefBranch) {
    // check if the user has enabled the xforms cross domain preference
    PRBool checkPermission = PR_FALSE;
    prefBranch->GetBoolPref("xforms.crossdomain.enabled", &checkPermission);
    if (checkPermission) {
      // if the user enabled the cross domain check, query the permission
      // manager with the URI.  It will return 1 if the URI was allowed by the
      // user.
      nsCOMPtr<nsIPermissionManager> permissionManager =
        do_GetService("@mozilla.org/permissionmanager;1");
      nsCOMPtr<nsIDOMDocument> domDoc;
      mElement->GetOwnerDocument(getter_AddRefs(domDoc));
      nsCOMPtr<nsIDocument> doc = do_QueryInterface(domDoc);
      NS_ENSURE_STATE(doc);
      permissionManager->TestPermission(doc->GetDocumentURI(),
                                       "xforms-xd", &permission);
    }
  }
  if (permission == nsIPermissionManager::ALLOW_ACTION) {
    // not in the permission manager
    result = PR_TRUE;
  }
  return result;
 }
 nsresult
--- a/extensions/xforms/nsXFormsSubmissionElement.h
+++ b/extensions/xforms/nsXFormsSubmissionElement.h
@ -126,6 +126,7 @@ private:
   * there is no need for a same origin check.
   */
  PRBool CheckSameOrigin(nsIURI *aBaseURI, nsIURI *aTestURI);
  PRBool CheckPermissionManager(nsIURI *aBaseURI);
  nsresult AddNameSpaces(nsIDOMElement* aTarget, nsIDOMNode* aSource);
 };
--- a/extensions/xforms/package/Makefile.in
+++ b/extensions/xforms/package/Makefile.in
@ -69,6 +69,7 @@ xpi:
 	$(NSINSTALL) -D stage
 	$(PERL) $(topsrcdir)/xpinstall/packager/pkgcp.pl -o $(PKGCP_PLATFORM) -s $(DIST)/bin -d stage -f $(srcdir)/$(PACKAGE_FILE) -v
 	$(NSINSTALL) $(srcdir)/install.rdf stage/xforms
 	$(NSINSTALL) $(srcdir)/chrome.manifest stage/xforms
 	@echo Creating install.js...
 	rm -f xforms.js
 	$(PERL) $(topsrcdir)/toolkit/mozapps/installer/makejs.pl $(srcdir)/xforms.jst $(PACKAGE_VERSION) stage/xforms
--- a/extensions/xforms/package/chrome.manifest
+++ b/extensions/xforms/package/chrome.manifest
@ -0,0 +1,4 @@
 overlay	chrome://browser/content/preferences/preferences.xul	chrome://xforms/content/xforms-prefs.xul
 content	xforms	jar:chrome/xforms.jar!/content/xforms/
 locale	xforms	en-US	jar:chrome/xforms.jar!/locale/en-US/xforms/
--- a/extensions/xforms/resources/content/contents.rdf
+++ b/extensions/xforms/resources/content/contents.rdf
@ -0,0 +1,49 @@
 <?xml version="1.0"?>
 <!-- ***** BEGIN LICENSE BLOCK *****
   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
   -
   - The contents of this file are subject to the Mozilla Public License Version
   - 1.1 (the "License"); you may not use this file except in compliance with
   - the License. You may obtain a copy of the License at
   - http://www.mozilla.org/MPL/
   -
   - Software distributed under the License is distributed on an "AS IS" basis,
   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
   - for the specific language governing rights and limitations under the
   - License.
   -
   - The Original Code is Mozilla XForms code.
   -
   - The Initial Developer of the Original Code is
   - IBM Corporation
   - Portions created by the Initial Developer are Copyright (C) 2005
   - the Initial Developer. All Rights Reserved.
   -
   - Contributor(s):
   -
   - Alternatively, the contents of this file may be used under the terms of
   - either the GNU General Public License Version 2 or later (the "GPL"), or
   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
   - in which case the provisions of the GPL or the LGPL are applicable instead
   - of those above. If you wish to allow use of your version of this file only
   - under the terms of either the GPL or the LGPL, and not to allow others to
   - use your version of this file under the terms of the MPL, indicate your
   - decision by deleting the provisions above and replace them with the notice
   - and other provisions required by the LGPL or the GPL. If you do not delete
   - the provisions above, a recipient may use your version of this file under
   - the terms of any one of the MPL, the GPL or the LGPL.
   -
   - ***** END LICENSE BLOCK ***** -->
 <RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:chrome="http://www.mozilla.org/rdf/chrome#">
  <!-- list all the packages being supplied by this jar -->
  <RDF:Seq about="urn:mozilla:package:root">
    <RDF:li resource="urn:mozilla:package:xforms"/>
  </RDF:Seq>
  <!-- package information -->
  <RDF:Description about="urn:mozilla:package:xforms"
                   chrome:name="xforms"/>
 </RDF:RDF>
--- a/extensions/xforms/resources/content/xforms-prefs-ui.xul
+++ b/extensions/xforms/resources/content/xforms-prefs-ui.xul
@ -0,0 +1,74 @@
 <?xml version="1.0"?>
 <!-- ***** BEGIN LICENSE BLOCK *****
   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
   -
   - The contents of this file are subject to the Mozilla Public License Version
   - 1.1 (the "License"); you may not use this file except in compliance with
   - the License. You may obtain a copy of the License at
   - http://www.mozilla.org/MPL/
   -
   - Software distributed under the License is distributed on an "AS IS" basis,
   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
   - for the specific language governing rights and limitations under the
   - License.
   -
   - The Original Code is Mozilla XForms Support.
   -
   - The Initial Developer of the Original Code is
   - IBM Corportation.
   - Portions created by the Initial Developer are Copyright (C) 2005
   - the Initial Developer. All Rights Reserved.
   -
   - Contributor(s):
   -
   - Alternatively, the contents of this file may be used under the terms of
   - either the GNU General Public License Version 2 or later (the "GPL"), or
   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
   - in which case the provisions of the GPL or the LGPL are applicable instead
   - of those above. If you wish to allow use of your version of this file only
   - under the terms of either the GPL or the LGPL, and not to allow others to
   - use your version of this file under the terms of the MPL, indicate your
   - decision by deleting the provisions above and replace them with the notice
   - and other provisions required by the LGPL or the GPL. If you do not delete
   - the provisions above, a recipient may use your version of this file under
   - the terms of any one of the MPL, the GPL or the LGPL.
   -
   - ***** END LICENSE BLOCK ***** -->
 <!DOCTYPE overlay [
 <!ENTITY % xformsDTD SYSTEM "chrome://xforms/locale/xforms.dtd">
 <!ENTITY % contentDTD SYSTEM "chrome://browser/locale/preferences/content.dtd">
  %xformsDTD;
  %contentDTD;
 ]>
 <overlay id="XFormsContentPaneOverlayUI"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
 <prefwindow id="BrowserPreferences">
  <prefpane id="paneContent">
    <preferences id="contentPreferences">
      <preference id="xforms.crossdomain.enabled" name="xforms.crossdomain.enabled" type="bool"/>
    </preferences>
    <groupbox id="contentGroupbox">
      <grid id="contentGrid">
        <rows id="contentRows-1">
          <row insertafter="enableSoftwareInstallRow">
            <vbox align="start">
              <checkbox id="xformsCrossDomain" preference="xforms.crossdomain.enabled"
                        label="&xforms.crossdomain.ui.label;"
                        accesskey="&xforms.crossdomain.ui.accesskey;"
                        onpreferenceread="return gContentPane.updateButtons('xformsCrossDomainButton', 'xforms.crossdomain.enabled');"/>
            </vbox>
            <button id="xformsCrossDomainButton" label="&allowedSites.label;"
                    oncommand="loadXFormsPermission()"/>
          </row>
        </rows>
      </grid>
    </groupbox>
  </prefpane>
 </prefwindow>
 </overlay>
--- a/extensions/xforms/resources/content/xforms-prefs.js
+++ b/extensions/xforms/resources/content/xforms-prefs.js
@ -0,0 +1,87 @@
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is Mozilla XForms Support.
 *
 * The Initial Developer of the Original Code is
 * IBM Corportation.
 * Portions created by the Initial Developer are Copyright (C) 2005
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
 function loadXFormsPermission() {
  var bundlePreferences = document.getElementById("bundlePreferences");
  var params = {
                 blockVisible: false,
                 sessionVisible: false,
                 allowVisible: true,
                 prefilledHost: "",
                 permissionType: "xforms-xd"
               };
  // get the localized strings
  var strbundle = document.getElementById("xforms-stringbundle");
  params.windowTitle = strbundle.getString("xformsXDPermissionDialogTitle");
  params.introText = strbundle.getString("xformsXDPermissionDialogIntro");
  document.documentElement.openWindow("Browser:Permissions",
                                      "chrome://browser/content/preferences/permissions.xul",
                                      "", params);
 }
 var XFormsLoadObserver = {
  observe: function (aSubject, aTopic, aData)
  {
    // overlay is loaded, initialize it
    document.getElementById("xforms.crossdomain.enabled").updateElements();
  }
 }
 function XFormsUIClass() {
 }
 XFormsUIClass.prototype.pageLoad = function(aEvent) {
  var pane = document.getElementById("paneContent");
  if (pane.loaded) {
    xformsUI.loadOverlay();
  } else {
    pane.addEventListener("paneload", xformsUI.loadOverlay, false);
  }
 }
 XFormsUIClass.prototype.loadOverlay = function() {
 document.loadOverlay("chrome://xforms/content/xforms-prefs-ui.xul", XFormsLoadObserver);
 }
 var xformsUI = new XFormsUIClass();
 window.addEventListener("load", xformsUI.pageLoad, false);
--- a/extensions/xforms/resources/content/xforms-prefs.xul
+++ b/extensions/xforms/resources/content/xforms-prefs.xul
@ -0,0 +1,54 @@
 <?xml version="1.0"?>
 <!-- ***** BEGIN LICENSE BLOCK *****
   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
   -
   - The contents of this file are subject to the Mozilla Public License Version
   - 1.1 (the "License"); you may not use this file except in compliance with
   - the License. You may obtain a copy of the License at
   - http://www.mozilla.org/MPL/
   -
   - Software distributed under the License is distributed on an "AS IS" basis,
   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
   - for the specific language governing rights and limitations under the
   - License.
   -
   - The Original Code is Mozilla XForms Support.
   -
   - The Initial Developer of the Original Code is
   - IBM Corportation.
   - Portions created by the Initial Developer are Copyright (C) 2005
   - the Initial Developer. All Rights Reserved.
   -
   - Contributor(s):
   -
   - Alternatively, the contents of this file may be used under the terms of
   - either the GNU General Public License Version 2 or later (the "GPL"), or
   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
   - in which case the provisions of the GPL or the LGPL are applicable instead
   - of those above. If you wish to allow use of your version of this file only
   - under the terms of either the GPL or the LGPL, and not to allow others to
   - use your version of this file under the terms of the MPL, indicate your
   - decision by deleting the provisions above and replace them with the notice
   - and other provisions required by the LGPL or the GPL. If you do not delete
   - the provisions above, a recipient may use your version of this file under
   - the terms of any one of the MPL, the GPL or the LGPL.
   -
   - ***** END LICENSE BLOCK ***** -->
 <overlay id="XFormsContentPaneOverlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
 <prefwindow id="BrowserPreferences">
  <prefpane id="paneContent">
    <preferences id="contentPreferences">
      <preference id="xforms.crossdomain.enabled" name="xforms.crossdomain.enabled" type="bool"/>
    </preferences>
    <stringbundle id="xforms-stringbundle" src="chrome://xforms/locale/xforms.properties"/>
    <script type="application/x-javascript" src="chrome://xforms/content/xforms-prefs.js"/>
  </prefpane>
 </prefwindow>
 </overlay>
--- a/extensions/xforms/resources/content/xforms.css
+++ b/extensions/xforms/resources/content/xforms.css
--- a/extensions/xforms/resources/content/xforms.xml
+++ b/extensions/xforms/resources/content/xforms.xml
--- a/extensions/xforms/resources/locale/en-US/xforms.dtd
+++ b/extensions/xforms/resources/locale/en-US/xforms.dtd
@ -0,0 +1,39 @@
 <!-- ***** BEGIN LICENSE BLOCK *****
   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
   -
   - The contents of this file are subject to the Mozilla Public License Version
   - 1.1 (the "License"); you may not use this file except in compliance with
   - the License. You may obtain a copy of the License at
   - http://www.mozilla.org/MPL/
   -
   - Software distributed under the License is distributed on an "AS IS" basis,
   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
   - for the specific language governing rights and limitations under the
   - License.
   -
   - The Original Code is Mozilla XForms Support.
   -
   - The Initial Developer of the Original Code is
   - IBM Corportation.
   - Portions created by the Initial Developer are Copyright (C) 2005
   - the Initial Developer. All Rights Reserved.
   -
   - Contributor(s):
   -
   - Alternatively, the contents of this file may be used under the terms of
   - either the GNU General Public License Version 2 or later (the "GPL"), or
   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
   - in which case the provisions of the GPL or the LGPL are applicable instead
   - of those above. If you wish to allow use of your version of this file only
   - under the terms of either the GPL or the LGPL, and not to allow others to
   - use your version of this file under the terms of the MPL, indicate your
   - decision by deleting the provisions above and replace them with the notice
   - and other provisions required by the LGPL or the GPL. If you do not delete
   - the provisions above, a recipient may use your version of this file under
   - the terms of any one of the MPL, the GPL or the LGPL.
   -
   - ***** END LICENSE BLOCK ***** -->
 <!ENTITY xforms.crossdomain.ui.label "Allow XForms to submit data to other domains">
 <!ENTITY xforms.crossdomain.ui.accesskey "X">
--- a/extensions/xforms/resources/locale/en-US/xforms.properties
+++ b/extensions/xforms/resources/locale/en-US/xforms.properties
@ -1,3 +1,41 @@
 # ***** BEGIN LICENSE BLOCK *****
 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
 # The contents of this file are subject to the Mozilla Public License Version
 # 1.1 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
 # http://www.mozilla.org/MPL/
 #
 # Software distributed under the License is distributed on an "AS IS" basis,
 # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 # for the specific language governing rights and limitations under the
 # License.
 #
 # The Original Code is Mozilla XForms Support.
 #
 # The Initial Developer of the Original Code is
 # IBM Corporation.
 # Portions created by the Initial Developer are Copyright (C) 2005
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
 # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 # in which case the provisions of the GPL or the LGPL are applicable instead
 # of those above. If you wish to allow use of your version of this file only
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 # Error Messages:
 missingTypeName      = XForms Error (1): type (%S) missing type name
 schemaProcessError   = XForms Error (2): Failed to process inline schema
 schemaLoadError      = XForms Error (3): Failed to load schema
@ -17,3 +55,8 @@ controlBindError     = XForms Error (16): Could not bind control to instance dat
 labelLinkLoadOrigin  = XForms Error (17): Security check failed! Trying to load label data from a different domain than document
 labelLink1Error      = XForms Error (18): External file (%S) for Label element not found
 labelLink2Error      = XForms Error (19): Failed to load Label element from external file: %S
 # XForms Permission Messages:
 xformsXDPermissionDialogTitle = Allowed Sites - XForms Cross Domain Access
 xformsXDPermissionDialogIntro = You can specify which web sites containing XForms may submit data to other domains.  Type the exact address of the site you want to allow and then press Allow.