author | Gaming4JC <g4jc@bulletmail.org> | 2019-03-17 18:30:53 -0400 |
---|---|---|
committer | Gaming4JC <g4jc@bulletmail.org> | 2019-03-17 18:30:53 -0400 |
commit | 149fcd2c0941e3e06167750f99f1bff033b1c931 (patch) | |
tree | 4e4a134e209012a4f64da2142fb4fb3334394dad | |
parent | 6b5f2d2bc107d13b0730d0b2fd9a7036db8724c6 (diff) | |
download | iceweasel-uxp-149fcd2c0941e3e06167750f99f1bff033b1c931.tar.gz |
backport uxp #998: Update FE code with HTTP Auth DoS protection.
-rw-r--r-- | app/profile/iceweasel-uxp.js | 8 | ||||
-rwxr-xr-x | base/content/browser.js | 5 | ||||
-rw-r--r-- | base/content/tabbrowser.xml | 5 | ||||
-rw-r--r-- | base/content/urlbarBindings.xml | 3 |
4 files changed, 20 insertions, 1 deletions
diff --git a/app/profile/iceweasel-uxp.js b/app/profile/iceweasel-uxp.js
index 72b68c1..3838887 100644
--- a/app/profile/iceweasel-uxp.js
+++ b/app/profile/iceweasel-uxp.js
@@ -1329,3 +1329,11 @@ pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
 // controlling validation are located in /services/sync/services-sync.js
 pref("services.sync.validation.enabled", true);
 #endif
+
+// When a user cancels this number of authentication dialogs coming from
+// a single web page (eTLD+1) in a row, all following authentication dialogs
+// will be blocked (automatically canceled) for that page.
+// This counter is per-tab and per-domain to minimize false positives.
+// The counter resets when the page is reloaded from the UI
+// (content-reloads do NOT clear this to mitigate reloading tricks).
+pref("prompts.authentication_dialog_abuse_limit", 3);
diff --git a/base/content/browser.js b/base/content/browser.js
index 169e866..3aa2099 100755
--- a/base/content/browser.js
+++ b/base/content/browser.js
@@ -3032,6 +3032,11 @@ function getWebNavigation()
 }
 
 function BrowserReloadWithFlags(reloadFlags) {
+
+  // Reset DOS mitigation for auth prompts when user initiates a reload.
+  let browser = gBrowser.selectedBrowser;
+  delete browser.authPromptCounter;
+
   let url = gBrowser.currentURI.spec;
   if (gBrowser.updateBrowserRemotenessByURL(gBrowser.selectedBrowser, url)) {
     // If the remoteness has changed, the new browser doesn't have any
diff --git a/base/content/tabbrowser.xml b/base/content/tabbrowser.xml
index 8a6d252..287e402 100644
--- a/base/content/tabbrowser.xml
+++ b/base/content/tabbrowser.xml
@@ -2947,7 +2947,10 @@
         <parameter name="aTab"/>
         <body>
           <![CDATA[
-            this.getBrowserForTab(aTab).reload();
+            let browser = this.getBrowserForTab(aTab);
+            // Reset DOS mitigation for basic auth prompt
+            delete browser.authPromptCounter;
+            browser.reload();
           ]]>
         </body>
       </method>
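Review bot: The comment above the new pref describes enforcement semantics (eTLD+1 keying, per-tab scope, content reloads not clearing the counter) that nothing in this commit implements; the front-end hunks only delete `browser.authPromptCounter` on UI-initiated reloads and URL bar loads. The limit is presumably enforced by the platform side of uxp #998 reading `prompts.authentication_dialog_abuse_limit`, so I would add one line to the comment making that dependency explicit, e.g. `// Enforced by the platform auth-prompt code; the front-end only clears the counter on user-initiated reloads/loads.` Otherwise a reader of this prefs file may assume the pref alone turns the mitigation on.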
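Review bot: The new `let browser = gBrowser.selectedBrowser;` in `BrowserReloadWithFlags` is used only for the `delete`, while the very next statement fetches `gBrowser.selectedBrowser` a second time for `updateBrowserRemotenessByURL`; reuse the local, `if (gBrowser.updateBrowserRemotenessByURL(browser, url)) {`, and make it `const` since it is never reassigned. Note also that the reset runs for every caller of this function, not only the toolbar/keyboard reload the comment describes; if any non-user code path calls `BrowserReloadWithFlags`, it clears the abuse counter too, so either confirm all callers are UI-driven or word the comment as "chrome-initiated reload" rather than "user initiates a reload". The body of `BrowserReloadWithFlags` continues past the end of the hunk.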
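Review bot: The same two lines (`delete browser.authPromptCounter;` plus a comment) now appear in three files with three differently worded comments, and this one says "basic auth prompt" although the pref text describes the counter as covering all HTTP authentication dialogs, not just Basic. A single tabbrowser method such as `resetAuthPromptAbuseCounter(aBrowser)` holding the `delete` and one accurate comment would keep the semantics in one place and let `BrowserReloadWithFlags` and the urlbar handler call it. At minimum, change this comment to `// Reset HTTP auth prompt DoS mitigation on user-initiated reload.` so it agrees with the pref description. The `<method>` start tag for this tab-reload method lies outside the hunk, so its name is not visible here.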
diff --git a/base/content/urlbarBindings.xml b/base/content/urlbarBindings.xml
index e89f6fb..b2a1f32 100644
--- a/base/content/urlbarBindings.xml
+++ b/base/content/urlbarBindings.xml
@@ -540,6 +540,9 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.
             Cu.reportError(ex);
           }
 
+          // Reset DOS mitigations for the basic auth prompt.
+          delete browser.authPromptCounter;
+
           let params = {
             postData,
             allowThirdPartyFixup: true,
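Review bot: The reset `delete browser.authPromptCounter;` runs unconditionally before the load is dispatched, so if this command ends up opening the typed URL in a new tab or window (modifier-key loads, assuming a `where` target is computed elsewhere in this handler as in the Firefox code this derives from), the counter is cleared on a browser that is not actually being navigated away from the abusive page, and that page can prompt again. The clear should be tied to the case where `browser` itself is loaded, e.g. `if (where == "current") { delete browser.authPromptCounter; }`, or moved next to the call that issues the load. Both `browser` and any `where` variable are defined outside this hunk, so confirm against the enclosing handler before changing it.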