Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-08 12:37:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
198,281 Commits 615 Branches 98 Tags 5.9 GiB
d897bc426d
Commit Graph

80 Commits

Author SHA1 Message Date
Blake Kaplan
d897bc426d Bug 396851 - Check to see if we're UniversalXPConnect-enabled to allow privileged web pages to unwrap XOWs. r+sr=bzbarsky 2008-10-22 13:15:22 -07:00
jonas@sicking.cc
ab63fc8524 Followup patch to bug 425201. Make sure to throw if xhr.open is called with an illegal uri. Also restore the nsIScriptSecurityManager.CheckConnect API as soap still uses it 2008-04-18 10:35:55 -07:00
jonas@sicking.cc
ec7a19c8b9 Allow XMLHttpRequest and document.load load files from subdirectories. r/sr=dveditz 2008-04-08 17:38:12 -07:00
bzbarsky@mit.edu
94a044f0b1 Finally kill off CheckSameOriginPrincipal, fix remaining callers to do the checks they really want to be doing. Fix screw-up in nsPrincipal::Equals if one principal has a cert and the other does not. Bug 418996, r=mrbkap,dveditz, sr=jst 2008-03-18 14:14:49 -07:00
jst@mozilla.org
f0f4a78cce Fixing bug 410851. Expose a faster way of getting the subject principal, and use that from performance critical code. r+sr=mrbkap@gmail.com 2008-01-04 15:59:12 -08:00
jonas@sicking.cc
4c1a3910ac bug 394390: Don't report bogus warnings to the error console when using cross-site xmlhttprequest. Patch by Surya Ismail <suryaismail@gmail.com>, r/sr=sicking 2007-10-26 18:46:09 -07:00
bzbarsky@mit.edu
647cbff151 Make security manager API more useful from script. Make more things 
scriptable, and add a scriptable method for testing whether a given principal
is the system principal.  Bug 383783, r=dveditz, sr=jst
 2007-06-18 08:12:09 -07:00
bzbarsky%mit.edu
8a1b6c5e34 Make the redirect check get principals the same way we get them elsewhere. 
Clean up some code to use the new security manager method.  Bug 354693,
r=dveditz, sr=sicking
 2006-11-22 18:27:54 +00:00
bzbarsky%mit.edu
730516b0a1 Remove securityCompareURIs() from nsIScriptSecurityManager. Bug 327243, r+sr=jst 2006-11-14 22:46:45 +00:00
bzbarsky%mit.edu
0a3a624149 Make it possible for protocol handlers to configure how CheckLoadURI should 
treat them via their protocol flags.  Remove the protocol list we used before.
Bug 120373, r=dveditz, sr=darin
 2006-11-10 23:49:08 +00:00
bzbarsky%mit.edu
50e969de0c Introduce CheckLoadURIStrWithPrincipal(). Bug 348559, r=dveditz, sr=jst 2006-08-21 22:15:20 +00:00
bzbarsky%mit.edu
52c46b8f53 Make nsIPrincipal and some methods that use it scriptable. Bug 327242, r=jst, 
sr=dveditz
 2006-02-17 16:12:17 +00:00
bzbarsky%mit.edu
18fc300f0b Backing out since tree is closed. 2006-02-17 03:33:03 +00:00
bzbarsky%mit.edu
97bb5a58a9 Make nsIPrincipal and some methods that use it scriptable. Bug 327242, r=jst, 
sr=dveditz
 2006-02-17 03:26:03 +00:00
bzbarsky%mit.edu
10d1c576d9 Expose the subject name for the cert and an nsISupports pointer to the cert on 
nsIPrincipal that represents a certificate principal.  Change preference
storage to ensure matches in not only the fingerprint but also the subjectName
before applying privileges from preferences to a certificate principal.  Remove
possibility for creating certificate principals without a useful identifying
name and make sure that names don't get munged by being forced to ASCII.  Bug
240661, r=caillon, sr=dveditz, a=bsmedberg
 2005-07-22 19:05:42 +00:00
dbaron%dbaron.org
8ca0c03467 Cleaner fix for bug 290036. b=290949 r=dveditz sr=darin a=asa 2005-05-12 18:20:07 +00:00
jshin%mailaps.org
d30a1bda05 bug 280613 : checkLoadURIStr of nsIScriptSecurityManager should accept AUTF8String istead of string (for IDN), r=dveditz, sr=darin 2005-02-02 07:17:53 +00:00
bzbarsky%mit.edu
4ede76717e Add a version of CheckLoadURI that takes a source principal instead of a source 
URI.  Update a bunch of callers to use it.  Bug 233108, r=caillon, sr=dveditz
 2004-04-25 16:55:27 +00:00
gerv%gerv.net
9d2ee4928c Bug 236613: change to MPL/LGPL/GPL tri-license. 2004-04-17 21:52:36 +00:00
neil%parkwaycc.co.uk
6394a7f9f8 Bug 227758 make subjectPrincipalIsSystem unscriptable and checkSameOriginURI scriptable r=caillon sr=dveditz 2003-12-19 21:51:37 +00:00
caillon%returnzero.com
66caced69a Re-land patch for bug 83536, merging principal objects. 
Also includes fixes from bug 216041.
r=bzbarsky
sr=jst
 2003-10-21 22:11:49 +00:00
brendan%mozilla.org
4038563cd9 Expose nsIScriptSecurityManager::SecurityCompareURIs for use by nsGlobalWindow::SetNewDocument, to avoid spurious window.open same-origin violation errors (220421, r=caillon, sr=bzbarsky). 2003-09-28 04:22:01 +00:00
caillon%returnzero.com
f8e8aed8a7 Backing out the patch to bug 83536. 
I will reland this when 1.6a re-opens.
r+sr=jst@netscape.com
a=chofmann
 2003-08-22 03:06:53 +00:00
caillon%returnzero.com
91b7c60bee Bug 83536. 
Merge script principal implementations into one class.
Should reduce footprint, speed up calls to caps a little bit, and fixes several memory leaks.
Also fixes bugs 211174 and 211263
r=jst@netscape.com
sr=bzbarsky@mit.edu
moa=mstoltz@netscape.com (he looked at an earlier patch and said it looked fine, and will do a retroactive review when he returns from vacation as well)
 2003-07-24 05:15:20 +00:00
dougt%meer.net
a069087dd4 Disallowing javascript or data schemes in a redirect. r=mstoltz, sr=brendan, a=rjesup, b=195201 2003-05-29 21:56:38 +00:00
dougt%meer.net
e3a6a4edfc Disallowing javascript or data schemes in a redirect. r=mstoltz, sr=brendan, a=rjesup, b=195201 2003-05-29 21:51:34 +00:00
mstoltz%netscape.com
d0f045a722 Bug 168316 - When calling from Java into JS, add a "dummy" JS stack frame with 
principal information for the security manager. r=dveditz, sr=jst, a=chofmann.
 2002-10-30 03:15:59 +00:00
sicking%bigfoot.com
39c966dd38 Use principals instead of URIs for same-origin checks. 
b=159348, r=bz, sr=jst, a=asa
 2002-07-30 21:26:32 +00:00
mstoltz%netscape.com
6f5d99be4c 133170 - Need to re-check host for security on a redirect after a call to 
XMLHttpRequest.open(). For xmlextras, r=heikki, sr=jband. For caps,
r=bzbarsky, sr=jst
147754 - Add same-origin check to XMLSerializer. Patch by jst. r=mstoltz,
sr=jband
113351 - Add same-origin check to XSL Include. Patch by peterv and jst,
r=mstoltz, sr=rpotts
135267 - Add same-origin check to stylesheets included via LINK tags.
r=dveditz, sr=scc
 2002-06-14 23:54:18 +00:00
mstoltz%netscape.com
03fe97372a A bunch of fixes in caps: 
128697 - Added a pref listener for changes to capability.policy prefs,
removed profile-change listener
131025 - Removed insecure "trusted codebase principals" feature
131340 - Make nsCodebasePrincipal::Equals handle jar URLs correctly
131342 - Clean up privilege-grant dialog code
128861 - class policy hashtables allocated only when needed; avoids
PLDHash memory-use warning
Fixed comparison of -1 and 80 ports (Can't find the bug # right now)

All r=harishd, sr=jst, a=asa.
 2002-03-20 05:53:46 +00:00
mstoltz%netscape.com
18c8067fae Bug 127938 - chrome scripts should be exempt from the security check put in for 
bug 105050, on access to the opener property when the opener is a mail window.
r=pavlov, sr=jst, a=leaf.
 2002-02-28 00:22:59 +00:00
mstoltz%netscape.com
75f6bd3583 partially backing out my last change - weird dependency problem 2002-02-26 05:28:26 +00:00
mstoltz%netscape.com
82659b14ca 32571, present confirmation dialog before allowing scripts to close windows. 
105050, pass null window.opener when opener is a mail window.
both r=heikki, sr=jst, a=asa.
Backed out previously because of tinderbox problem, which should be fixed now.
 2002-02-26 04:50:21 +00:00
mcafee%netscape.com
1a3a52cce7 Backing out mstoltz. r=dbaron,jrgm 2002-02-19 04:06:53 +00:00
mstoltz%netscape.com
cc94447571 Bug 105050 - return null window.opener to scripts if opener is a mail window. 
Bug 32571 - Prompt user before allowing scripts to close windows if opener is null.
both r=heikki, sr=jst.
 2002-02-19 01:09:45 +00:00
mstoltz%netscape.com
4756b7169c Bug 119646 - Rewrite of the security manager policy database for improved 
performance. r=jst, sr=jband.
 2002-02-13 04:20:46 +00:00
gerv%gerv.net
11248436dd License changes, take 2. Bug 98089. mozilla/config/, mozilla/caps/, mozilla/build/. 2001-09-25 01:03:58 +00:00
gerv%gerv.net
1856815ff1 Oops. 2001-09-20 00:02:59 +00:00
scc%mozilla.org
102170b2a0 bug #98089: ripped new license 2001-09-19 20:09:47 +00:00
mstoltz%netscape.com
f3d9b0caa1 Bug 77485 - defining a function in another window using a targeted javascript: 
link. Prevent running javascript: urls cross-domain and add a security check for adding
and removing properties. r=harishd, sr=jst.
 2001-07-13 07:08:26 +00:00
mstoltz%netscape.com
8c0cd58b30 Re-checking-in my fix for 47905, which was backed out last night because of a bug in some other code that was checked in along with it. This checkin was not causing the crasher and is unchanged. See earlier checkin comment - in short, this adds same-origin to XMLHttpRequest and cleans up some function calls in caps, removes some unnecessary parameters. r=vidur, sr=jst. 2001-05-19 00:33:51 +00:00
blizzard%redhat.com
678b80f10b Back out mstoltz because of blocker bug #81629. Original bugs were 47905 79775. 2001-05-18 17:41:23 +00:00
mstoltz%netscape.com
11f7b8f900 Bug 47905 - adding security check for XMLHttpRequest.open. 
Added nsIScriptSecurityManager::CheckConnect for this purpose.
Also cleaned up the security check API by removing some unnecessary
parameters. r=vidur@netscape.com, sr=jst@netscape.com

Bug 79775 - Forward button broken in main mail window. Making
WindowWatcher not call GetSubjectPrincipal if the URL to be loaded is
chrome, since the calling principal is superfluous in this case.
No one has been able to find the root cause of this problem, but
this checkin works around it, which is the best we can do for now.
r=ducarroz@netscape.com, sr=jst@netscape.com
 2001-05-18 06:56:29 +00:00
mstoltz%netscape.com
59c995612e Fixes for bugs 79796, 77203, and 54060. r=jband@netscape.com, 
sr=brendan@mozilla.org
 2001-05-11 00:43:27 +00:00
jst%netscape.com
f7460d0269 Landing the XPCDOM_20010329_BRANCH branch, changes mostly done by jband@netscape.com and jst@netscape.com, also some changes done by shaver@mozilla.org, peterv@netscape.com and markh@activestate.com. r= and sr= by vidur@netscape.com, jband@netscape.com, jst@netscpae.com, danm@netscape.com, hyatt@netscape.com, shaver@mozilla.org, dbradley@netscape.com, rpotts@netscape.com. 2001-05-08 16:46:42 +00:00
mstoltz%netscape.com
2b6e6516d2 More fixes for 55237, cleaned up CheckLoadURI and added a check on "Edit This Link." Also added error reporting (bug 40538). 
r=beard, sr=hyatt
 2001-04-17 01:21:44 +00:00
mstoltz%netscape.com
519500116e Bugs 55069, 70951 - JS-blocking APIs for mailnews and embedding. r=mscott, sr=attinasi. 
Bug 54237 - fix for event-capture bug, r=heikki, sr=jband.
 2001-03-23 04:22:56 +00:00
mstoltz%netscape.com
33c8110175 bug 47905, adding security check to XMLHttpRequest.open(). r=heikki, sr=brendan 2001-03-02 00:09:20 +00:00
mstoltz%netscape.com
e875395364 Fixing bugscape 3109, LiveConnect exploit. sr=jband, brendan. 
Fixing 58021, exploit in "open in new window," bug 55237. sr=brendan
 2000-11-07 01:14:08 +00:00
mstoltz%netscape.com
f1137e89ec Fixing 56009, exploit allowing XPConnect access. r,a=hyatt, sr=scc 2000-10-13 22:59:47 +00:00