| blob | 2abe74bfbb9bcbcd43358945ae26a7d2bfd1aa9a |
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is Mozilla Communicator client code, released
15 * March 31, 1998.
16 *
17 * The Initial Developer of the Original Code is
18 * Netscape Communications Corporation.
19 * Portions created by the Initial Developer are Copyright (C) 1998
20 * the Initial Developer. All Rights Reserved.
21 *
22 * Contributor(s):
23 * Dave Townsend <dtownsend@oxymoronical.com>
24 *
25 * Alternatively, the contents of this file may be used under the terms of
26 * either of the GNU General Public License Version 2 or later (the "GPL"),
27 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
28 * in which case the provisions of the GPL or the LGPL are applicable instead
29 * of those above. If you wish to allow use of your version of this file only
30 * under the terms of either the GPL or the LGPL, and not to allow others to
31 * use your version of this file under the terms of the MPL, indicate your
32 * decision by deleting the provisions above and replace them with the notice
33 * and other provisions required by the GPL or the LGPL. If you do not delete
34 * the provisions above, a recipient may use your version of this file under
35 * the terms of any one of the MPL, the GPL or the LGPL.
36 *
37 * ***** END LICENSE BLOCK ***** */
74 {
76 }
79 {
80 }
84 nsIScriptObjectOwner,
85 nsIDOMInstallTriggerGlobal,
86 nsIContentHandler)
89 NS_IMETHODIMP
91 {
96 {
101 }
105 }
107 NS_IMETHODIMP
109 {
112 }
117 NS_IMETHODIMP
121 {
127 {
128 // We only support content-type application/x-xpinstall
130 }
132 // Save the URI so nsXPInstallManager can re-load it later
134 nsCAutoString urispec;
137 {
141 }
148 // Save the referrer if any, for permission checks
155 {
156 // Get the referrer from the channel properties if we can (not all
157 // channels support our internal-referrer property).
158 //
159 // It's possible docshell explicitly set a null referrer in the case
160 // of typed, pasted, or bookmarked URLs and the like. In such a case
161 // we get a success return value with null pointer.
162 //
163 // A null referrer is automatically whitelisted as an explicit user
164 // action (though they'll still get the confirmation dialog). For a
165 // missing referrer we go to our fall-back plan of using the XPI
166 // location for whitelisting purposes.
172 }
174 // Cancel the current request. nsXPInstallManager restarts the download
175 // under its control (shared codepath with InstallTrigger)
179 // Get the global object of the target window for StartSoftwareUpdate
191 {
192 // easiest and most common case: base decision on the page that
193 // contained the link
194 //
195 // NOTE: the XPI itself may be from elsewhere; the user can decide if
196 // they trust the actual source when they get the install confirmation
197 // dialog. The decision we're making here is whether the triggering
198 // site is one which is allowed to annoy the user with modal dialogs.
201 }
202 else
203 {
204 // Now we're stumbing in the dark. In the most likely case the user
205 // simply clicked on an FTP link (no referrer) and it's perfectly
206 // sane to use the current window.
207 //
208 // On the other hand the user might be opening a non-http XPI link
209 // in an unrelated existing window (typed in location bar, bookmark,
210 // dragged link ...) in which case the current window is irrelevant.
211 // If we knew it was one of these explicit user actions we'd like to
212 // allow it, but we have no way of knowing that here.
213 //
214 // But there's no way to distinguish the innocent cases from a clever
215 // malicious site. If we used the target window then evil.com could
216 // embed a presumed allowed site (e.g. mozilla.org) in a frame, then
217 // change the location to the XPI and trigger the install. Or evil.com
218 // could do the same thing in a new window (more work to get around
219 // popup blocking, but possible).
220 //
221 // Our choices appear to be block this type of load entirely or to
222 // trust only the install URI. The former is unacceptably restrictive,
223 // the latter allows malicious sites to pester people with modal
224 // dialogs. As long as the trusted sites don't host bad content that's
225 // no worse than an endless stream of alert()s -- already possible.
226 // If the trusted sites don't even have an ftp server then even this
227 // level of annoyance is not possible.
228 //
229 // If a trusted site hosts an install with an exploitable flaw it
230 // might be possible that a malicious site would attempt to trick
231 // people into installing it, hoping to turn around and exploit it.
232 // This is not entirely far-fetched (it's been done with ActiveX
233 // controls) and will require community policing of the default
234 // trusted sites.
237 }
241 nsnull));
243 {
244 // trigger will own the item now
250 {
251 // From here trigger is owned by installInfo until passed on to nsXPInstallManager
254 {
256 }
257 else
258 {
263 nsnull);
265 }
266 }
267 }
269 }
272 // updateWhitelist
273 //
274 // Helper function called by nsInstallTrigger::AllowInstall().
275 // Interprets the pref as a comma-delimited list of hosts and adds each one
276 // to the permission manager using the given action. Clear pref when done.
278 PRUint32 aPermission,
281 {
284 nsXPIDLCString hostlist;
287 {
288 nsCAutoString host;
290 nsresult rv;
302 {
304 }
308 // save empty list, we don't need to do this again
310 }
311 }
314 // Check whether an Install is allowed. The launching URI can be null,
315 // in which case only the global pref-setting matters.
316 PRBool
318 {
319 // Check the global setting.
323 {
325 }
329 {
330 // globally turned off
332 }
335 // Check permissions for the launching host if we have one
340 {
346 // file: and chrome: don't need whitelisted hosts
348 {
349 // check prefs for permission updates before testing URI
367 {
369 }
372 {
374 }
375 }
376 }
379 }
382 NS_IMETHODIMP
384 {
389 // find the current site
393 {
398 }
400 }
402 NS_IMETHODIMP
403 nsInstallTrigger::UpdateEnabled(nsIScriptGlobalObject* aGlobalObject, PRBool aUseWhitelist, PRBool* aReturn)
404 {
409 }
411 NS_IMETHODIMP
413 {
414 // disallow unless we successfully find otherwise
418 {
419 // simple global pref check
423 }
425 {
427 }
430 }
433 NS_IMETHODIMP
435 {
441 {
446 }
447 else
448 {
450 }
451 }