Bug 32571 - add disabling pref and JS console message to window.close security check. r=heikki, sr=jst.

2024-10-10 11:55:49 +00:00 · 2002-12-04 01:55:56 +00:00 · 2002-12-04 01:55:56 +00:00 · b37c501c58
commit b37c501c58
parent 3fe1e83681
3 changed files with 39 additions and 8 deletions
--- a/dom/resources/locale/dom.properties
+++ b/dom/resources/locale/dom.properties
@ -1 +1,2 @@
 JSURLLoadBlockedWarning=Attempt to load a javascript: URL from one host\nin a window displaying content from another host\nwas blocked by the security manager.
+WindowCloseBlockedWarning=Scripts may not close windows that were not opened by script.
--- a/dom/src/base/nsGlobalWindow.cpp
+++ b/dom/src/base/nsGlobalWindow.cpp
@ -174,7 +174,7 @@ static NS_DEFINE_CID(kCStringBundleServiceCID, NS_STRINGBUNDLESERVICE_CID);
 static const char *sJSStackContractID = "@mozilla.org/js/xpc/ContextStack;1";

 static const char *kDOMBundleURL = "chrome://global/locale/commonDialogs.properties";
-
+static const char *kDOMSecurityWarningsBundleURL = "chrome://communicator/locale/dom/dom.properties";

 static const char * const kCryptoContractID = NS_CRYPTO_CONTRACTID;
 static const char * const kPkcs11ContractID = NS_PKCS11_CONTRACTID;
@ -3041,14 +3041,42 @@ GlobalWindowImpl::Close()
  // that were not opened by script
  nsresult rv;
  if (!mOpener) {
-      nsCOMPtr<nsIScriptSecurityManager> secMan(
-        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv));
-      if (NS_SUCCEEDED(rv)) {
-          PRBool inChrome = PR_TRUE;
-          rv = secMan->SubjectPrincipalIsSystem(&inChrome);
-          if (NS_SUCCEEDED(rv) && !inChrome)
-              return NS_OK;
+    nsCOMPtr<nsIScriptSecurityManager> secMan(
+      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv));
+    if (NS_SUCCEEDED(rv)) {
+      PRBool inChrome = PR_TRUE;
+      rv = secMan->SubjectPrincipalIsSystem(&inChrome);
+      if (NS_SUCCEEDED(rv) && !inChrome) {
+        PRBool allowClose = PR_TRUE;
+        gPrefBranch->GetBoolPref("dom.allow_scripts_to_close_windows",
+                                 &allowClose);
+        if (!allowClose) {
+          // We're blocking the close operation
+          // report localized error msg in JS console
+          nsCOMPtr<nsIStringBundleService> stringBundleService(
+            do_GetService(kCStringBundleServiceCID));
+          if (stringBundleService) {
+            nsCOMPtr<nsIStringBundle> stringBundle;
+            rv = stringBundleService->CreateBundle(
+                                        kDOMSecurityWarningsBundleURL,
+                                        getter_AddRefs(stringBundle));
+            if (NS_SUCCEEDED(rv) && stringBundle) {
+              nsXPIDLString errorMsg;
+              rv = stringBundle->GetStringFromName(
+                                   NS_LITERAL_STRING("WindowCloseBlockedWarning").get(),
+                                   getter_Copies(errorMsg));
+              if (NS_SUCCEEDED(rv)) {
+                nsCOMPtr<nsIConsoleService> console(
+                  do_GetService("@mozilla.org/consoleservice;1"));
+                if (console)
+                  console->LogStringMessage(errorMsg.get());
+              }
+            }
+          }
+          return NS_OK;
+        }
      }
+    }
  }

  // Fire a DOM event notifying listeners that this window is about to
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@ -445,6 +445,8 @@ pref("dom.disable_window_open_feature.scrollbars",  false);
 pref("dom.disable_window_open_feature.resizable",   false);
 pref("dom.disable_window_open_feature.minimizable", false);
 pref("dom.disable_window_open_feature.status",      false);
+
+pref("dom.allow_scripts_to_close_windows",          false);

 pref("javascript.enabled",                  true);
 pref("javascript.allow.mailnews",           false);