Block http auth prompt for cross-origin image subresources by default.

This commit is contained in:
Fedor 2019-08-01 03:18:42 +03:00
parent ebf9351ec5
commit 274a0f654a
3 changed files with 28 additions and 7 deletions


@ -1995,6 +1995,13 @@ pref("network.generic-ntlm-auth.workstation", "WORKSTATION");
// 2 - allow the cross-origin authentication as well.
pref("network.auth.subresource-http-auth-allow", 2);
// Sub-resources HTTP-authentication for cross-origin images:
// true - presenting the http auth. dialog for cross-origin images is allowed.
// false - suppress the http auth. dialog for cross-origin images.
// If network.auth.subresource-http-auth-allow has a value of 0 or 1, this pref
// does not have any effect.
pref("network.auth.subresource-http-img-XO-auth", false);
// This preference controls whether to allow sending default credentials (SSO) to
// NTLM/Negotiate servers allowed in the "trusted uri" list when navigating them
// in a Private Browsing window.


@ -95,6 +95,8 @@ nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
uint32_t nsHttpChannelAuthProvider::sAuthAllowPref =
SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL;
bool nsHttpChannelAuthProvider::sImgCrossOriginAuthAllowPref = false;
void
nsHttpChannelAuthProvider::InitializePrefs()
{
@ -102,6 +104,9 @@ nsHttpChannelAuthProvider::InitializePrefs()
mozilla::Preferences::AddUintVarCache(&sAuthAllowPref,
"network.auth.subresource-http-auth-allow",
SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL);
mozilla::Preferences::AddBoolVarCache(&sImgCrossOriginAuthAllowPref,
"network.auth.subresource-http-img-XO-auth",
false);
}
NS_IMETHODIMP
@ -867,15 +872,15 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
else if (authFlags & nsIHttpAuthenticator::IDENTITY_ENCRYPTED)
level = nsIAuthPrompt2::LEVEL_PW_ENCRYPTED;
// Depending on the pref setting, the authentication dialog may be
// Depending on the pref settings, the authentication dialog may be
// blocked for all sub-resources, blocked for cross-origin
// sub-resources, or always allowed for sub-resources.
// For more details look at the bug 647010.
// BlockPrompt will set mCrossOrigin parameter as well.
// If always allowed, image prompts may still be blocked by pref.
// BlockPrompt() will set the mCrossOrigin parameter as well.
if (BlockPrompt()) {
LOG(("nsHttpChannelAuthProvider::GetCredentialsForChallenge: "
"Prompt is blocked [this=%p pref=%d]\n",
this, sAuthAllowPref));
"Prompt is blocked [this=%p pref=%d img-pref=%d]\n",
this, sAuthAllowPref, sImgCrossOriginAuthAllowPref));
return NS_ERROR_ABORT;
}
@ -983,7 +988,15 @@ nsHttpChannelAuthProvider::BlockPrompt()
// the sub-resources only if they are not cross-origin.
return !topDoc && !xhr && mCrossOrigin;
case SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL:
// Allow the http-authentication dialog.
// Allow the http-authentication dialog for subresources.
// If the pref network.auth.subresource-http-img-XO-auth is set to false,
// the http authentication dialog for image subresources is still blocked.
if (!sImgCrossOriginAuthAllowPref &&
loadInfo &&
((loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) ||
(loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGESET))) {
return true;
}
return false;
default:
// This is an invalid value.
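Review bot: The new image check in the SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL case blocks the prompt for every TYPE_IMAGE / TYPE_IMAGESET load, but it never consults mCrossOrigin, even though the pref name (network.auth.subresource-http-img-XO-auth), its description in the prefs file and the commit title all speak of cross-origin images. If same-origin image prompts are meant to keep working, the condition should read `if (!sImgCrossOriginAuthAllowPref && mCrossOrigin && loadInfo &&`; if blocking all image prompts is intended, the pref comment and the comment above this check should say so instead of "cross-origin". The comment in GetCredentialsForChallenge states that BlockPrompt() sets mCrossOrigin, but BlockPrompt() starts and ends outside this hunk, so whether it is already computed at this point cannot be confirmed from the visible lines. As a point of style, GetExternalContentPolicyType() is called twice in the same condition; hoisting it once into a local such as `const auto contentType = loadInfo->GetExternalContentPolicyType();` keeps the check readable.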


@ -179,10 +179,11 @@ private:
RefPtr<nsHttpHandler> mHttpHandler; // keep gHttpHandler alive
// A variable holding the preference settings to whether to open HTTP
// Variables holding the preference settings for whether to open HTTP
// authentication credentials dialogs for sub-resources and cross-origin
// sub-resources.
static uint32_t sAuthAllowPref;
static bool sImgCrossOriginAuthAllowPref;
nsCOMPtr<nsICancelable> mGenerateCredentialsCancelable;
};