Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-01-26 06:38:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Temporary fix for 66938 (wiretap exploit), previously reviewed for checkin on NS6.01 branch.

Browse Source 
Limiting DOM access for scripts in mail messages to prevent stealing forwarded mail content.
This commit is contained in:
mstoltz%netscape.com 2001-04-17 05:22:55 +00:00
parent 8ee1febf8f
commit c60a1c0ded
1 changed files with 42 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
modules/libpref/src/init/all.js
View File

@ -165,21 +165,54 @@ pref("capability.policy.default.location.search.write", "allAccess");
pref("capability.policy.default.navigator.preference.read", "UniversalPreferencesRead");
pref("capability.policy.default.navigator.preference.write", "UniversalPreferencesWrite");
pref("capability.policy.default.windowinternal.blur", "allAccess");
pref("capability.policy.default.windowinternal.close", "allAccess");
pref("capability.policy.default.windowinternal.focus", "allAccess");
pref("capability.policy.default.windowinternal.location.write", "allAccess");
pref("capability.policy.mailnews.sites", "mailbox: imap: news: pop: pop3:");
pref("capability.policy.mailnews.domexception.tostring", "noAccess");
pref("capability.policy.mailnews.htmldocument.domain", "noAccess");
pref("capability.policy.mailnews.htmldocument.url", "noAccess");
pref("capability.policy.mailnews.nsdocument.location", "noAccess");
pref("capability.policy.mailnews.window.name.write", "noAccess");
pref("capability.policy.mailnews.windowinternal.location", "noAccess");
// window.openDialog is insecure and must be made inaccessible from web scripts - see bug 56009
pref("capability.policy.default.windowinternal.opendialog", "noAccess");
// Mailnews DOM restrictions - see bug 66938
pref("capability.policy.mailnews.characterdata.data", "noAccess");
pref("capability.policy.mailnews.characterdata.substringdata", "noAccess");
pref("capability.policy.mailnews.element.getattribute", "noAccess");
pref("capability.policy.mailnews.element.getattributenode", "noAccess");
pref("capability.policy.mailnews.element.getattributenodens", "noAccess");
pref("capability.policy.mailnews.element.getattributens", "noAccess");
pref("capability.policy.mailnews.htmlanchorelement.href", "noAccess");
pref("capability.policy.mailnews.htmlareaelement.href", "noAccess");
pref("capability.policy.mailnews.htmlbaseelement.href", "noAccess");
pref("capability.policy.mailnews.htmlblockquoteelement.cite", "noAccess");
pref("capability.policy.mailnews.domexception.tostring", "noAccess");
pref("capability.policy.mailnews.htmldocument.domain", "noAccess");
pref("capability.policy.mailnews.htmldocument.url", "noAccess");
pref("capability.policy.mailnews.htmlelement.innerhtml", "noAccess");
pref("capability.policy.mailnews.htmlimageelement.src", "noAccess");
pref("capability.policy.mailnews.image.lowsrc", "noAccess");
pref("capability.policy.mailnews.node.attributes", "noAccess");
pref("capability.policy.mailnews.node.nodevalue", "noAccess");
pref("capability.policy.mailnews.nsdocument.location", "noAccess");
pref("capability.policy.mailnews.window.name.write", "noAccess");
pref("capability.policy.mailnews.windowinternal.location", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.hash", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.host", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.hostname", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.pathname", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.port", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.protocol", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.search", "noAccess");
pref("capability.policy.mailnews.nshtmlanchorelement.text", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.hash", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.host", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.hostname", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.pathname", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.port", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.protocol", "noAccess");
pref("capability.policy.mailnews.nshtmlareaelement.search", "noAccess");
pref("capability.policy.mailnews.range.tostring", "noAccess");
pref("capability.policy.mailnews.sites", "mailbox: imap: news: pop: pop3:");
pref("javascript.enabled", true);
pref("javascript.allow.mailnews", false);
pref("javascript.options.strict", false);