From c60a1c0deda5074289c62d9ffe725602488fa8ff Mon Sep 17 00:00:00 2001 From: "mstoltz%netscape.com" Date: Tue, 17 Apr 2001 05:22:55 +0000 Subject: [PATCH] Temporary fix for 66938 (wiretap exploit), previously reviewed for checkin on NS6.01 branch. Limiting DOM access for scripts in mail messages to prevent stealing forwarded mail content. --- modules/libpref/src/init/all.js | 51 +++++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 9 deletions(-) diff --git a/modules/libpref/src/init/all.js b/modules/libpref/src/init/all.js index baa003c2ed9e..7870e74e8dbf 100644 --- a/modules/libpref/src/init/all.js +++ b/modules/libpref/src/init/all.js @@ -165,21 +165,54 @@ pref("capability.policy.default.location.search.write", "allAccess"); pref("capability.policy.default.navigator.preference.read", "UniversalPreferencesRead"); pref("capability.policy.default.navigator.preference.write", "UniversalPreferencesWrite"); +pref("capability.policy.default.windowinternal.blur", "allAccess"); pref("capability.policy.default.windowinternal.close", "allAccess"); +pref("capability.policy.default.windowinternal.focus", "allAccess"); pref("capability.policy.default.windowinternal.location.write", "allAccess"); -pref("capability.policy.mailnews.sites", "mailbox: imap: news: pop: pop3:"); - -pref("capability.policy.mailnews.domexception.tostring", "noAccess"); -pref("capability.policy.mailnews.htmldocument.domain", "noAccess"); -pref("capability.policy.mailnews.htmldocument.url", "noAccess"); -pref("capability.policy.mailnews.nsdocument.location", "noAccess"); -pref("capability.policy.mailnews.window.name.write", "noAccess"); -pref("capability.policy.mailnews.windowinternal.location", "noAccess"); - // window.openDialog is insecure and must be made inaccessible from web scripts - see bug 56009 pref("capability.policy.default.windowinternal.opendialog", "noAccess"); +// Mailnews DOM restrictions - see bug 66938 +pref("capability.policy.mailnews.characterdata.data", "noAccess"); +pref("capability.policy.mailnews.characterdata.substringdata", "noAccess"); +pref("capability.policy.mailnews.element.getattribute", "noAccess"); +pref("capability.policy.mailnews.element.getattributenode", "noAccess"); +pref("capability.policy.mailnews.element.getattributenodens", "noAccess"); +pref("capability.policy.mailnews.element.getattributens", "noAccess"); +pref("capability.policy.mailnews.htmlanchorelement.href", "noAccess"); +pref("capability.policy.mailnews.htmlareaelement.href", "noAccess"); +pref("capability.policy.mailnews.htmlbaseelement.href", "noAccess"); +pref("capability.policy.mailnews.htmlblockquoteelement.cite", "noAccess"); +pref("capability.policy.mailnews.domexception.tostring", "noAccess"); +pref("capability.policy.mailnews.htmldocument.domain", "noAccess"); +pref("capability.policy.mailnews.htmldocument.url", "noAccess"); +pref("capability.policy.mailnews.htmlelement.innerhtml", "noAccess"); +pref("capability.policy.mailnews.htmlimageelement.src", "noAccess"); +pref("capability.policy.mailnews.image.lowsrc", "noAccess"); +pref("capability.policy.mailnews.node.attributes", "noAccess"); +pref("capability.policy.mailnews.node.nodevalue", "noAccess"); +pref("capability.policy.mailnews.nsdocument.location", "noAccess"); +pref("capability.policy.mailnews.window.name.write", "noAccess"); +pref("capability.policy.mailnews.windowinternal.location", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.hash", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.host", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.hostname", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.pathname", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.port", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.protocol", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.search", "noAccess"); +pref("capability.policy.mailnews.nshtmlanchorelement.text", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.hash", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.host", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.hostname", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.pathname", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.port", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.protocol", "noAccess"); +pref("capability.policy.mailnews.nshtmlareaelement.search", "noAccess"); +pref("capability.policy.mailnews.range.tostring", "noAccess"); +pref("capability.policy.mailnews.sites", "mailbox: imap: news: pop: pop3:"); + pref("javascript.enabled", true); pref("javascript.allow.mailnews", false); pref("javascript.options.strict", false);