[tbb-commits] [tor-browser/tor-browser-60.1.0esr-8.0-1] Bug 27082: enable a limited UITour
gk at torproject.org
gk at torproject.org
Wed Aug 15 19:28:49 UTC 2018
commit 99042436bbdae4d849902ddf49bb5e89311a5121
Author: Kathy Brade <brade at pearlcrescent.com>
Date: Wed Aug 8 11:34:40 2018 -0400
Bug 27082: enable a limited UITour
Disallow access to UITour functionality from all pages other than
about:home, about:newtab, and about:tor.
Implement a whitelist mechanism for page actions.
---
browser/app/permissions | 6 +-----
browser/components/uitour/UITour.jsm | 13 ++++++++++---
browser/components/uitour/content-UITour.js | 25 ++-----------------------
3 files changed, 13 insertions(+), 31 deletions(-)
diff --git a/browser/app/permissions b/browser/app/permissions
index bda2a9f4e1db..b4b166c755ae 100644
--- a/browser/app/permissions
+++ b/browser/app/permissions
@@ -7,13 +7,9 @@
# See nsPermissionManager.cpp for more...
# UITour
-origin uitour 1 https://www.mozilla.org
-origin uitour 1 https://screenshots.firefox.com
-origin uitour 1 https://support.mozilla.org
-origin uitour 1 https://addons.mozilla.org
-origin uitour 1 https://discovery.addons.mozilla.org
origin uitour 1 about:home
origin uitour 1 about:newtab
+origin uitour 1 about:tor
# XPInstall
origin install 1 https://addons.mozilla.org
diff --git a/browser/components/uitour/UITour.jsm b/browser/components/uitour/UITour.jsm
index 136bd6db78b7..fcce372db422 100644
--- a/browser/components/uitour/UITour.jsm
+++ b/browser/components/uitour/UITour.jsm
@@ -41,6 +41,10 @@ ChromeUtils.defineModuleGetter(this, "UpdateUtils",
const PREF_LOG_LEVEL = "browser.uitour.loglevel";
const PREF_SEENPAGEIDS = "browser.uitour.seenPageIDs";
+const TOR_BROWSER_PAGE_ACTIONS_ALLOWED = new Set([
+ // Add page actions used by Tor Browser's new user/feature onboarding here.
+]);
+
const BACKGROUND_PAGE_ACTIONS_ALLOWED = new Set([
"forceShowReaderIcon",
"getConfiguration",
@@ -376,6 +380,11 @@ var UITour = {
return false;
}
+ if (!TOR_BROWSER_PAGE_ACTIONS_ALLOWED.has(action)) {
+ log.warn("Ignoring disallowed action:", action);
+ return false;
+ }
+
switch (action) {
case "registerPageID": {
if (typeof data.pageID != "string") {
@@ -930,9 +939,7 @@ var UITour = {
// This function is copied to UITourListener.
isSafeScheme(aURI) {
- let allowedSchemes = new Set(["https", "about"]);
- if (!Services.prefs.getBoolPref("browser.uitour.requireSecure"))
- allowedSchemes.add("http");
+ let allowedSchemes = new Set(["about"]);
if (!allowedSchemes.has(aURI.scheme)) {
log.error("Unsafe scheme:", aURI.scheme);
diff --git a/browser/components/uitour/content-UITour.js b/browser/components/uitour/content-UITour.js
index 100aa4dc2255..be51b8383d6b 100644
--- a/browser/components/uitour/content-UITour.js
+++ b/browser/components/uitour/content-UITour.js
@@ -26,30 +26,9 @@ var UITourListener = {
});
},
- isTestingOrigin(aURI) {
- if (Services.prefs.getPrefType(PREF_TEST_WHITELIST) != Services.prefs.PREF_STRING) {
- return false;
- }
-
- // Add any testing origins (comma-seperated) to the whitelist for the session.
- for (let origin of Services.prefs.getCharPref(PREF_TEST_WHITELIST).split(",")) {
- try {
- let testingURI = Services.io.newURI(origin);
- if (aURI.prePath == testingURI.prePath) {
- return true;
- }
- } catch (ex) {
- Cu.reportError(ex);
- }
- }
- return false;
- },
-
// This function is copied from UITour.jsm.
isSafeScheme(aURI) {
- let allowedSchemes = new Set(["https", "about"]);
- if (!Services.prefs.getBoolPref("browser.uitour.requireSecure"))
- allowedSchemes.add("http");
+ let allowedSchemes = new Set(["about"]);
if (!allowedSchemes.has(aURI.scheme))
return false;
@@ -73,7 +52,7 @@ var UITourListener = {
if (permission == Services.perms.ALLOW_ACTION)
return true;
- return this.isTestingOrigin(uri);
+ return false;
},
receiveMessage(aMessage) {
More information about the tbb-commits
mailing list