components/dragDropFilter.js

   1 /*************************************************************************
   2  * Drag and Drop Handler.
   3  *
   4  * Implements an observer that filters drag events to prevent OS
   5  * access to URLs (a potential proxy bypass vector).
   6  *************************************************************************/
   7
   8
   9 const { XPCOMUtils } = ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");
  10 const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
  11
  12 XPCOMUtils.defineLazyModuleGetters(this, {
  13   ComponentUtils: "resource://gre/modules/ComponentUtils.jsm",
  14 });
  15
  16 // Module specific constants
  17 const kMODULE_NAME = "Torbutton Drag and Drop Handler";
  18 const kCONTRACT_ID = "@torproject.org/torbutton-dragDropFilter;1";
  19 const kMODULE_CID = Components.ID("f605ec27-d867-44b5-ad97-2a29276642c3");
  20
  21 const kInterfaces = [Ci.nsIObserver, Ci.nsIClassInfo];
  22
  23 function DragDropFilter() {
  24   this.logger = Cc["@torproject.org/torbutton-logger;1"]
  25       .getService(Ci.nsISupports).wrappedJSObject;
  26   this.logger.log(3, "Component Load 0: New DragDropFilter.");
  27
  28   try {
  29     Services.obs.addObserver(this, "on-datatransfer-available");
  30   } catch (e) {
  31     this.logger.log(5, "Failed to register drag observer");
  32   }
  33 }
  34
  35 DragDropFilter.prototype =
  36 {
  37   QueryInterface: ChromeUtils.generateQI([Ci.nsIObserver]),
  38
  39   // make this an nsIClassInfo object
  40   flags: Ci.nsIClassInfo.DOM_OBJECT,
  41   classDescription: kMODULE_NAME,
  42   contractID: kCONTRACT_ID,
  43   classID: kMODULE_CID,
  44
  45   // method of nsIClassInfo
  46   getInterfaces: function(count) {
  47     count.value = kInterfaces.length;
  48     return kInterfaces;
  49   },
  50
  51   // method of nsIClassInfo
  52   getHelperForLanguage: function(count) { return null; },
  53
  54   // method of nsIObserver
  55   observe: function(subject, topic, data) {
  56     if (topic == "on-datatransfer-available") {
  57       this.logger.log(3, "The DataTransfer is available");
  58       return this.filterDataTransferURLs(subject);
  59     }
  60   },
  61
  62   filterDataTransferURLs: function(aDataTransfer) {
  63     var types = null;
  64     var type = "";
  65     var count = aDataTransfer.mozItemCount;
  66     var len = 0;
  67     for (var i = 0; i < count; ++i) {
  68       this.logger.log(3, "Inspecting the data transfer: " + i);
  69       types = aDataTransfer.mozTypesAt(i);
  70       len = types.length;
  71       for (var j = 0; j < len; ++j) {
  72         type = types[j];
  73         this.logger.log(3, "Type is: " + type);
  74         if (type == "text/x-moz-url" ||
  75             type == "text/x-moz-url-data" ||
  76             type == "text/uri-list" ||
  77             type == "application/x-moz-file-promise-url") {
  78           aDataTransfer.clearData(type);
  79           this.logger.log(3, "Removing " + type);
  80         }
  81       }
  82     }
  83   }
  84 };
  85
  86 // Assign factory to global object.
  87 const NSGetFactory = XPCOMUtils.generateNSGetFactory
  88   ? XPCOMUtils.generateNSGetFactory([DragDropFilter])
  89   : ComponentUtils.generateNSGetFactory([DragDropFilter]);