Block http auth prompt for cross-origin image subresources by default.
This commit is contained in:
parent
ebf9351ec5
commit
274a0f654a
@ -1995,6 +1995,13 @@ pref("network.generic-ntlm-auth.workstation", "WORKSTATION");
|
|||
// 2 - allow the cross-origin authentication as well.
|
||||
pref("network.auth.subresource-http-auth-allow", 2);
|
||||
|
||||
// Sub-resources HTTP-authentication for cross-origin images:
|
||||
// true - presenting the http auth. dialog for cross-origin images is allowed.
|
||||
// false - suppress the http auth. dialog for cross-origin images.
|
||||
// If network.auth.subresource-http-auth-allow has a value of 0 or 1, this pref
|
||||
// does not have any effect.
|
||||
pref("network.auth.subresource-http-img-XO-auth", false);
|
||||
|
||||
// This preference controls whether to allow sending default credentials (SSO) to
|
||||
// NTLM/Negotiate servers allowed in the "trusted uri" list when navigating them
|
||||
// in a Private Browsing window.
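Review bot: The comment for network.auth.subresource-http-img-XO-auth does not say what "suppress" means for the image request itself; in the channel-side check this commit adds, a blocked prompt makes GetCredentialsForChallenge return NS_ERROR_ABORT, so the challenged image load fails rather than being retried without credentials, and that consequence belongs next to the `false` line, e.g. `// When suppressed, the challenged image request is aborted (NS_ERROR_ABORT) and the image does not load.` Whether credentials already present in the auth cache are still applied before the prompt decision is not visible in this change, so the comment should not claim either way without confirming it. Separately, `XO` is an abbreviation this file does not use elsewhere; if the pref has not shipped yet, spelling it `network.auth.subresource-http-img-cross-origin-auth` would match the surrounding comments and need no explanation.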
|
||||
|
|
|
@ -95,6 +95,8 @@ nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
|
|||
uint32_t nsHttpChannelAuthProvider::sAuthAllowPref =
|
||||
SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL;
|
||||
|
||||
bool nsHttpChannelAuthProvider::sImgCrossOriginAuthAllowPref = false;
|
||||
|
||||
void
|
||||
nsHttpChannelAuthProvider::InitializePrefs()
|
||||
{
|
||||
|
@ -102,6 +104,9 @@ nsHttpChannelAuthProvider::InitializePrefs()
|
|||
mozilla::Preferences::AddUintVarCache(&sAuthAllowPref,
|
||||
"network.auth.subresource-http-auth-allow",
|
||||
SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL);
|
||||
mozilla::Preferences::AddBoolVarCache(&sImgCrossOriginAuthAllowPref,
|
||||
"network.auth.subresource-http-img-XO-auth",
|
||||
false);
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
|
@ -867,15 +872,15 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
|
|||
else if (authFlags & nsIHttpAuthenticator::IDENTITY_ENCRYPTED)
|
||||
level = nsIAuthPrompt2::LEVEL_PW_ENCRYPTED;
|
||||
|
||||
// Depending on the pref setting, the authentication dialog may be
|
||||
// Depending on the pref settings, the authentication dialog may be
|
||||
// blocked for all sub-resources, blocked for cross-origin
|
||||
// sub-resources, or always allowed for sub-resources.
|
||||
// For more details look at the bug 647010.
|
||||
// BlockPrompt will set mCrossOrigin parameter as well.
|
||||
// If always allowed, image prompts may still be blocked by pref.
|
||||
// BlockPrompt() will set the mCrossOrigin parameter as well.
|
||||
if (BlockPrompt()) {
|
||||
LOG(("nsHttpChannelAuthProvider::GetCredentialsForChallenge: "
|
||||
"Prompt is blocked [this=%p pref=%d]\n",
|
||||
this, sAuthAllowPref));
|
||||
"Prompt is blocked [this=%p pref=%d img-pref=%d]\n",
|
||||
this, sAuthAllowPref, sImgCrossOriginAuthAllowPref));
|
||||
return NS_ERROR_ABORT;
|
||||
}
|
||||
|
||||
|
@ -983,7 +988,15 @@ nsHttpChannelAuthProvider::BlockPrompt()
|
|||
// the sub-resources only if they are not cross-origin.
|
||||
return !topDoc && !xhr && mCrossOrigin;
|
||||
case SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL:
|
||||
// Allow the http-authentication dialog.
|
||||
// Allow the http-authentication dialog for subresources.
|
||||
// If the pref network.auth.subresource-http-img-XO-auth is set to false,
|
||||
// the http authentication dialog for image subresources is still blocked.
|
||||
if (!sImgCrossOriginAuthAllowPref &&
|
||||
loadInfo &&
|
||||
((loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) ||
|
||||
(loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGESET))) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
default:
|
||||
// This is an invalid value.
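Review bot: In the SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL case the new image check never consults mCrossOrigin, so with the default pref value it blocks the auth prompt for every TYPE_IMAGE/TYPE_IMAGESET load, including same-origin images, while the pref name, the all.js comments and the commit title all describe a cross-origin restriction. The case directly above already uses mCrossOrigin (`return !topDoc && !xhr && mCrossOrigin;`), and the comment in GetCredentialsForChallenge says BlockPrompt() sets it, so the condition can include it: `if (!sImgCrossOriginAuthAllowPref && mCrossOrigin && loadInfo &&`. If blocking same-origin image prompts is the intended behaviour, the pref name and the comment at the top of this case should say "all image subresources" rather than cross-origin so the two do not disagree. BlockPrompt() begins before this hunk, so where mCrossOrigin is assigned relative to this switch is not visible here and should be checked before relying on it.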
|
||||
|
|
|
@ -179,10 +179,11 @@ private:
|
|||
|
||||
RefPtr<nsHttpHandler> mHttpHandler; // keep gHttpHandler alive
|
||||
|
||||
// A variable holding the preference settings to whether to open HTTP
|
||||
// Variables holding the preference settings for whether to open HTTP
|
||||
// authentication credentials dialogs for sub-resources and cross-origin
|
||||
// sub-resources.
|
||||
static uint32_t sAuthAllowPref;
|
||||
static bool sImgCrossOriginAuthAllowPref;
|
||||
nsCOMPtr<nsICancelable> mGenerateCredentialsCancelable;
|
||||
};
|
||||
|
||||
|
|