#469: script blocking (plus blacklist a couple fonts on LATimes)

caps/nsScriptSecurityManager.cpp

@@ -680,7 +680,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
     nsAutoCString targetScheme;
     nsresult rv = targetBaseURI->GetScheme(targetScheme);
     if (NS_FAILED(rv)) return rv;
-
+    
     //-- Some callers do not allow loading javascript:
     if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
          targetScheme.EqualsLiteral("javascript"))
@@ -688,6 +688,202 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
        return NS_ERROR_DOM_BAD_URI;
     }
 
+    // TenFourFox issue 469
+    // determine if this is a script we want to block
+    if (mIsTenFourFoxAdBlockEnabled &&
+            (targetScheme.EqualsLiteral("http") || targetScheme.EqualsLiteral("https"))) {
+        nsAutoCString hostname;
+        if (NS_SUCCEEDED(targetBaseURI->GetHost(hostname))) {
+            ToLowerCase(hostname);
+#define BLOK(q) hostname.EqualsLiteral(q)
+            if (0 ||
+                // This is used as a data source by a lot of UIs,
+                // so we shouldn't block it (e.g., nytimes).
+                // Probably also shouldn't block googletagmanager.com
+                // for the same reasons.
+                //BLOK("www.googletagservices.com") ||
+
+                BLOK("c.amazon-adsystem.com") ||
+
+                BLOK("www.google-analytics.com") ||
+                BLOK("tpc.googlesyndication.com") ||
+                BLOK("pagead.googlesyndication.com") ||
+                BLOK("pagead2.googlesyndication.com") ||
+                
+                BLOK("adservice.google.com") ||
+                
+                BLOK("p.adrta.com") ||
+                BLOK("q.adrta.com") ||
+                BLOK("cdn.adrta.com") ||
+                BLOK("ipv6.adrta.com") ||
+                BLOK("adrta.com") ||
+
+                BLOK("ib.adnxs.com") ||
+                BLOK("acdn.adnxs.com") ||
+                BLOK("secure.adnxs.com") ||
+                BLOK("sharethrough.adnxs.com") ||
+
+                BLOK("c2.taboola.com") ||
+                BLOK("nr.taboola.com") ||
+                BLOK("cdn.taboola.com") ||
+
+                BLOK("b.scorecardresearch.com") ||
+                BLOK("sb.scorecardresearch.com") ||
+
+                BLOK("securepubads.g.doubleclick.net") ||
+                BLOK("stats.g.doubleclick.net") ||
+                BLOK("ad.doubleclick.net") ||
+                
+                BLOK("at.atwola.com") ||
+                
+                BLOK("pixel.advertising.com") ||
+                BLOK("dtm.advertising.com") ||
+                
+                BLOK("sp.analytics.yahoo.com") ||                
+                BLOK("ads.yap.yahoo.com") ||
+                
+                BLOK("cdn.gotraffic.net") ||
+                
+                BLOK("cdn.rta247.com") ||
+
+                BLOK("widget.perfectmarket.com") ||
+
+                BLOK("cdn.doubleverify.com") ||
+                BLOK("rtb0.doubleverify.com") ||
+                BLOK("rtbcdn.doubleverify.com") ||
+
+                BLOK("cdn.flashtalking.com") ||
+                BLOK("servedby.flashtalking.com") ||
+
+                BLOK("a.postrelease.com") ||
+                BLOK("jadserve.postrelease.com") ||
+
+                BLOK("native.sharethrough.com") ||
+
+                BLOK("static.chartbeat.com") ||
+
+                BLOK("edge.quantserve.com") ||
+                BLOK("secure.quantserve.com") ||
+                
+                BLOK("rules.quantcount.com") ||
+                
+                BLOK("api.viglink.com") ||
+                BLOK("cdn.viglink.com") ||
+                
+                BLOK("xcp.go.sonobi.com") ||
+                
+                BLOK("s.ntv.io") ||
+                
+                BLOK("cdn.segment.com") ||
+                
+                BLOK("cdn-gl.imrworldwide.com") ||
+                BLOK("secure-dcr.imrworldwide.com") ||
+                
+                BLOK("labs-cdn.revcontent.com") ||
+                BLOK("trends.revcontent.com") ||
+                BLOK("cdn.revcontent.com") ||
+                
+                BLOK("static.criteo.net") ||
+                
+                BLOK("jsc.idealmedia.com") ||
+                BLOK("servicer.idealmedia.com") ||
+                
+                BLOK("js-agent.newrelic.com") ||
+                BLOK("bam.nr-data.net") ||
+                
+                BLOK("widgets.outbrain.com") ||
+                BLOK("amplify.outbrain.com") ||
+                
+                BLOK("cdn.krxd.net") ||
+                BLOK("beacon.krxd.net") ||
+                
+                BLOK("scdn.cxense.com") ||
+                BLOK("rscdn.cxense.com") ||
+                
+                BLOK("z.moatads.com") ||
+                BLOK("s-jsonp.moatads.com") ||
+                
+                BLOK("static.yieldmo.com") ||
+                
+                BLOK("ads.rubiconproject.com") ||
+                
+                BLOK("cdn.engine.4dsply.com") ||
+                
+                BLOK("as-sec.casalemedia.com") ||
+                
+                BLOK("loadm.exelator.com") ||
+                
+                BLOK("sdk.streamrail.com") ||
+                
+                BLOK("cdn.lockerdome.com") ||
+                BLOK("cdn2.lockerdome.com") ||
+                
+                BLOK("pi.pardot.com") ||
+                
+                BLOK("js-sec.indexww.com") ||
+                
+                BLOK("tags.tiqcdn.com") ||
+                
+                BLOK("tag.bounceexchange.com") ||
+                BLOK("api.bounceexchange.com") ||
+                
+                BLOK("www.npttech.com") ||
+                
+                BLOK("cdn.adsafeprotected.com") ||
+                
+                BLOK("aka-cdn.adtechus.com") ||
+                BLOK("adserver.adtechus.com") ||
+                
+                BLOK("r.skimresources.com") ||
+                BLOK("s.skimresources.com") ||
+                BLOK("t.skimresources.com") ||
+                
+                BLOK("contextual.media.net") ||
+                
+                BLOK("edge.simplereach.com") ||
+                
+                BLOK("js.adsrvr.org") ||
+                
+                BLOK("script.crazyegg.com") ||
+                
+                BLOK("launch.newsinc.com") ||
+                
+                BLOK("c.go-mpulse.net") ||
+                
+                BLOK("cdn5.userzoom.com") ||
+                
+                BLOK("dx.steelhousemedia.com") ||
+                BLOK("px.steelhousemedia.com") ||
+                BLOK("ww.steelhousemedia.com") ||
+                
+                BLOK("nexus.ensighten.com") ||
+                
+                BLOK("cdn.mediavoice.com") ||
+                BLOK("plugin.mediavoice.com") ||
+                
+                BLOK("segment-data.zqtk.net") ||
+                
+                BLOK("d.turn.com") ||
+                
+                BLOK("i.yldbt.com") ||
+                BLOK("cdn.yldbt.com") ||
+                
+                BLOK("pippio.com") ||
+                
+                BLOK("cdn.quantummetric.com") ||
+                    0) {
+#undef BLOK
+                // Yup.
+#ifndef DEBUG
+                if (mIsTenFourFoxAdBlockLoggingEnabled)
+#endif
+                fprintf(stderr, "Warning: TenFourFox basic adblock intercepted script from %s.\n",
+                    hostname.get());
+                return NS_ERROR_DOM_BAD_URI;
+            }
+        }
+    }
+
     NS_NAMED_LITERAL_STRING(errorTag, "CheckLoadURIError");
     bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
 
@@ -728,6 +924,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
         NS_ENSURE_SUCCESS(rv, rv);
 
         if (hasFlags) {
+#if(0) // no B2G
             // Let apps load the whitelisted theme resources even if they don't
             // have the webapps-manage permission but have the themeable one.
             // Resources from the theme origin are also allowed to load from
@@ -744,6 +941,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
                         ? NS_OK : NS_ERROR_DOM_BAD_URI;
                 }
             }
+#endif
             // In this case, we allow opening only if the source and target URIS
             // are on the same domain, or the opening URI has the webapps
             // permision granted
@@ -1246,6 +1444,7 @@ static const char* kObservedPrefs[] = {
   sJSEnabledPrefName,
   sFileOriginPolicyPrefName,
   "capability.policy.",
+  "tenfourfox.adblock.",
   nullptr
 };
 
@@ -1264,6 +1463,8 @@ nsScriptSecurityManager::Observe(nsISupports* aObject, const char* aTopic,
 nsScriptSecurityManager::nsScriptSecurityManager(void)
     : mPrefInitialized(false)
     , mIsJavaScriptEnabled(false)
+    , mIsTenFourFoxAdBlockEnabled(false)
+    , mIsTenFourFoxAdBlockLoggingEnabled(false)
 {
     static_assert(sizeof(intptr_t) == sizeof(void*),
                   "intptr_t and void* have different lengths on this platform. "
@@ -1400,6 +1601,10 @@ nsScriptSecurityManager::ScriptSecurityPrefChanged()
         Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
     sStrictFileOriginPolicy =
         Preferences::GetBool(sFileOriginPolicyPrefName, false);
+    mIsTenFourFoxAdBlockEnabled =
+        Preferences::GetBool("tenfourfox.adblock.enabled", mIsTenFourFoxAdBlockEnabled);
+    mIsTenFourFoxAdBlockLoggingEnabled =
+        Preferences::GetBool("tenfourfox.adblock.logging.enabled", mIsTenFourFoxAdBlockLoggingEnabled);
 
     //
     // Rebuild the set of principals for which we allow file:// URI loads. This

caps/nsScriptSecurityManager.h

@@ -123,6 +123,8 @@ private:
     nsCOMPtr<nsIPrincipal> mSystemPrincipal;
     bool mPrefInitialized;
     bool mIsJavaScriptEnabled;
+    bool mIsTenFourFoxAdBlockEnabled;
+    bool mIsTenFourFoxAdBlockLoggingEnabled;
     nsTArray<nsCOMPtr<nsIURI>> mFileURIWhitelist;
 
     // This machinery controls new-style domain policies. The old-style

gfx/thebes/gfxPlatformMac.cpp

@@ -259,6 +259,10 @@ gfxPlatformMac::IsFontFormatSupported(nsIURI *aFontURI, uint32_t aFormatFlags)
     } else
         failed = true;
     if (failed ||
+	spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Bold.woff") ||
+	spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Bold.woff2") ||
+	spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Roman.woff") ||
+	spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Roman.woff2") ||
 	spec.Equals("https://cdn-static-1.medium.com/_/fp/fonts/charter-nonlatin.b-nw7PXlIqmGHGmHvkDiTw.woff") ||
 	spec.Equals("http://typeface.nytimes.com/fonts/nyt-cheltenham-200-normal.woff") ||
 	spec.Equals("https://typeface.nyt.com/fonts/nyt-cheltenham-200-normal.woff") ||

modules/libpref/init/all.js

@@ -5132,3 +5132,6 @@ pref("dom.mozKillSwitch.enabled", false);
 pref("toolkit.pageThumbs.screenSizeDivisor", 7);
 pref("toolkit.pageThumbs.minWidth", 0);
 pref("toolkit.pageThumbs.minHeight", 0);
+
+pref("tenfourfox.adblock.enabled", false);
+pref("tenfourfox.adblock.logging.enabled", true);