diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp index 0fbc68c7c..2aa249123 100644 --- a/caps/nsScriptSecurityManager.cpp +++ b/caps/nsScriptSecurityManager.cpp @@ -680,7 +680,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, nsAutoCString targetScheme; nsresult rv = targetBaseURI->GetScheme(targetScheme); if (NS_FAILED(rv)) return rv; - + //-- Some callers do not allow loading javascript: if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) && targetScheme.EqualsLiteral("javascript")) 
@@ -688,6 +688,202 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
 return NS_ERROR_DOM_BAD_URI;
 }
+ // TenFourFox issue 469
+ // determine if this is a script we want to block
+ if (mIsTenFourFoxAdBlockEnabled &&
+ (targetScheme.EqualsLiteral("http") || targetScheme.EqualsLiteral("https"))) {
+ nsAutoCString hostname;
+ if (NS_SUCCEEDED(targetBaseURI->GetHost(hostname))) {
+ ToLowerCase(hostname);
+#define BLOK(q) hostname.EqualsLiteral(q)
+ if (0 ||
+ // This is used as a data source by a lot of UIs,
+ // so we shouldn't block it (e.g., nytimes).
+ // Probably also shouldn't block googletagmanager.com
+ // for the same reasons.
+ //BLOK("www.googletagservices.com") ||
+
+ BLOK("c.amazon-adsystem.com") ||
+
+ BLOK("www.google-analytics.com") ||
+ BLOK("tpc.googlesyndication.com") ||
+ BLOK("pagead.googlesyndication.com") ||
+ BLOK("pagead2.googlesyndication.com") ||
+
+ BLOK("adservice.google.com") ||
+
+ BLOK("p.adrta.com") ||
+ BLOK("q.adrta.com") ||
+ BLOK("cdn.adrta.com") ||
+ BLOK("ipv6.adrta.com") ||
+ BLOK("adrta.com") ||
+
+ BLOK("ib.adnxs.com") ||
+ BLOK("acdn.adnxs.com") ||
+ BLOK("secure.adnxs.com") ||
+ BLOK("sharethrough.adnxs.com") ||
+
+ BLOK("c2.taboola.com") ||
+ BLOK("nr.taboola.com") ||
+ BLOK("cdn.taboola.com") ||
+
+ BLOK("b.scorecardresearch.com") ||
+ BLOK("sb.scorecardresearch.com") ||
+
+ BLOK("securepubads.g.doubleclick.net") ||
+ BLOK("stats.g.doubleclick.net") ||
+ BLOK("ad.doubleclick.net") ||
+
+ BLOK("at.atwola.com") ||
+
+ BLOK("pixel.advertising.com") ||
+ BLOK("dtm.advertising.com") ||
+
+ BLOK("sp.analytics.yahoo.com") ||
+ BLOK("ads.yap.yahoo.com") ||
+
+ BLOK("cdn.gotraffic.net") ||
+
+ BLOK("cdn.rta247.com") ||
+
+ BLOK("widget.perfectmarket.com") ||
+
+ BLOK("cdn.doubleverify.com") ||
+ BLOK("rtb0.doubleverify.com") ||
+ BLOK("rtbcdn.doubleverify.com") ||
+
+ BLOK("cdn.flashtalking.com") ||
+ BLOK("servedby.flashtalking.com") ||
+
+ BLOK("a.postrelease.com") ||
+ BLOK("jadserve.postrelease.com") ||
+
+ BLOK("native.sharethrough.com") ||
+
+ BLOK("static.chartbeat.com") ||
+
+ BLOK("edge.quantserve.com") ||
+ BLOK("secure.quantserve.com") ||
+
+ BLOK("rules.quantcount.com") ||
+
+ BLOK("api.viglink.com") ||
+ BLOK("cdn.viglink.com") ||
+
+ BLOK("xcp.go.sonobi.com") ||
+
+ BLOK("s.ntv.io") ||
+
+ BLOK("cdn.segment.com") ||
+
+ BLOK("cdn-gl.imrworldwide.com") ||
+ BLOK("secure-dcr.imrworldwide.com") ||
+
+ BLOK("labs-cdn.revcontent.com") ||
+ BLOK("trends.revcontent.com") ||
+ BLOK("cdn.revcontent.com") ||
+
+ BLOK("static.criteo.net") ||
+
+ BLOK("jsc.idealmedia.com") ||
+ BLOK("servicer.idealmedia.com") ||
+
+ BLOK("js-agent.newrelic.com") ||
+ BLOK("bam.nr-data.net") ||
+
+ BLOK("widgets.outbrain.com") ||
+ BLOK("amplify.outbrain.com") ||
+
+ BLOK("cdn.krxd.net") ||
+ BLOK("beacon.krxd.net") ||
+
+ BLOK("scdn.cxense.com") ||
+ BLOK("rscdn.cxense.com") ||
+
+ BLOK("z.moatads.com") ||
+ BLOK("s-jsonp.moatads.com") ||
+
+ BLOK("static.yieldmo.com") ||
+
+ BLOK("ads.rubiconproject.com") ||
+
+ BLOK("cdn.engine.4dsply.com") ||
+
+ BLOK("as-sec.casalemedia.com") ||
+
+ BLOK("loadm.exelator.com") ||
+
+ BLOK("sdk.streamrail.com") ||
+
+ BLOK("cdn.lockerdome.com") ||
+ BLOK("cdn2.lockerdome.com") ||
+
+ BLOK("pi.pardot.com") ||
+
+ BLOK("js-sec.indexww.com") ||
+
+ BLOK("tags.tiqcdn.com") ||
+
+ BLOK("tag.bounceexchange.com") ||
+ BLOK("api.bounceexchange.com") ||
+
+ BLOK("www.npttech.com") ||
+
+ BLOK("cdn.adsafeprotected.com") ||
+
+ BLOK("aka-cdn.adtechus.com") ||
+ BLOK("adserver.adtechus.com") ||
+
+ BLOK("r.skimresources.com") ||
+ BLOK("s.skimresources.com") ||
+ BLOK("t.skimresources.com") ||
+
+ BLOK("contextual.media.net") ||
+
+ BLOK("edge.simplereach.com") ||
+
+ BLOK("js.adsrvr.org") ||
+
+ BLOK("script.crazyegg.com") ||
+
+ BLOK("launch.newsinc.com") ||
+
+ BLOK("c.go-mpulse.net") ||
+
+ BLOK("cdn5.userzoom.com") ||
+
+ BLOK("dx.steelhousemedia.com") ||
+ BLOK("px.steelhousemedia.com") ||
+ BLOK("ww.steelhousemedia.com") ||
+
+ 
BLOK("nexus.ensighten.com") || + + BLOK("cdn.mediavoice.com") || + BLOK("plugin.mediavoice.com") || + + BLOK("segment-data.zqtk.net") || + + BLOK("d.turn.com") || + + BLOK("i.yldbt.com") || + BLOK("cdn.yldbt.com") || + + BLOK("pippio.com") || + + BLOK("cdn.quantummetric.com") || + 0) { +#undef BLOK + // Yup. +#ifndef DEBUG + if (mIsTenFourFoxAdBlockLoggingEnabled) +#endif + fprintf(stderr, "Warning: TenFourFox basic adblock intercepted script from %s.\n", + hostname.get()); + return NS_ERROR_DOM_BAD_URI; + } + } + } + NS_NAMED_LITERAL_STRING(errorTag, "CheckLoadURIError"); bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS); @@ -728,6 +924,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, NS_ENSURE_SUCCESS(rv, rv); if (hasFlags) { +#if(0) // no B2G // Let apps load the whitelisted theme resources even if they don't // have the webapps-manage permission but have the themeable one. // Resources from the theme origin are also allowed to load from @@ -744,6 +941,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, ? NS_OK : NS_ERROR_DOM_BAD_URI; } } +#endif // In this case, we allow opening only if the source and target URIS // are on the same domain, or the opening URI has the webapps // permision granted @@ -1246,6 +1444,7 @@ static const char* kObservedPrefs[] = { sJSEnabledPrefName, sFileOriginPolicyPrefName, "capability.policy.", + "tenfourfox.adblock.", nullptr }; @@ -1264,6 +1463,8 @@ nsScriptSecurityManager::Observe(nsISupports* aObject, const char* aTopic, nsScriptSecurityManager::nsScriptSecurityManager(void) : mPrefInitialized(false) , mIsJavaScriptEnabled(false) + , mIsTenFourFoxAdBlockEnabled(false) + , mIsTenFourFoxAdBlockLoggingEnabled(false) { static_assert(sizeof(intptr_t) == sizeof(void*), "intptr_t and void* have different lengths on this platform. " 
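Review bot: The block decision is a chain of over a hundred `EqualsLiteral` calls behind a `BLOK` macro, evaluated on every http(s) load once the pref is on; a sorted `static const char* const` table searched with `std::binary_search` (needs `<algorithm>`) makes each lookup logarithmic, drops the `#define`/`#undef` pair and the `0 ||` / `|| 0` bookends, and leaves the list as plain data that is easy to audit and diff. Matching is exact-host only, so other subdomains of a listed domain pass through — fine if intended, but it deserves a comment at the table, e.g. `// Exact hostname match only; subdomains must be listed individually.`. The `#ifndef DEBUG` wrapped around `if (mIsTenFourFoxAdBlockLoggingEnabled)` leaves a brace-less `if` straddling a preprocessor directive so that debug builds log unconditionally; an explicit flag such as `bool log = mIsTenFourFoxAdBlockLoggingEnabled;` followed by `#ifdef DEBUG log = true; #endif` is harder to break on a later edit. The message says "intercepted script", but nothing in the hunk shows CheckLoadURIWithPrincipal is specific to script loads, so the wording may mislead if this path is also hit for other load kinds; the enclosing function begins before this hunk.
```cpp
// Exact hostname match only; subdomains must be listed individually.
// Keep sorted in strcmp() order: the lookup below is a binary search.
static const char* const kTenFourFoxAdBlockHosts[] = {
    "a.postrelease.com",
    "acdn.adnxs.com",
    // … remaining hostnames from the BLOK chain, in strcmp() order …
    "z.moatads.com",
};

if (mIsTenFourFoxAdBlockEnabled &&
    (targetScheme.EqualsLiteral("http") || targetScheme.EqualsLiteral("https"))) {
    nsAutoCString hostname;
    if (NS_SUCCEEDED(targetBaseURI->GetHost(hostname))) {
        ToLowerCase(hostname);
        const char* const* const end =
            kTenFourFoxAdBlockHosts + mozilla::ArrayLength(kTenFourFoxAdBlockHosts);
        const bool blocked = std::binary_search(
            kTenFourFoxAdBlockHosts, end, hostname.get(),
            [](const char* a, const char* b) { return strcmp(a, b) < 0; });
        if (blocked) {
            // … unchanged: logging and return NS_ERROR_DOM_BAD_URI …
        }
    }
}
```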
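Review bot: The `#if(0) // no B2G` opened here is closed only by the `#endif` added in the next hunk (@@ -744), so neither hunk on its own shows that the compiled-out region is brace-balanced and a reader has to reconstruct it from the old lines; a matching tag on the close, `#endif // no B2G (app theme whitelist)`, plus one sentence on why the theme-origin allowance is not needed in this build would make the dead region self-describing. Because the code is compiled out rather than deleted, the comment that follows the `#endif` ("In this case, we allow opening only if...") now refers to a branch that no longer exists in the build and should be reworded or moved inside the `#if(0)`. The enclosing `if (hasFlags)` block starts outside this hunk.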
@@ -1400,6 +1601,10 @@ nsScriptSecurityManager::ScriptSecurityPrefChanged() Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled); sStrictFileOriginPolicy = Preferences::GetBool(sFileOriginPolicyPrefName, false); + mIsTenFourFoxAdBlockEnabled = + Preferences::GetBool("tenfourfox.adblock.enabled", mIsTenFourFoxAdBlockEnabled); + mIsTenFourFoxAdBlockLoggingEnabled = + Preferences::GetBool("tenfourfox.adblock.logging.enabled", mIsTenFourFoxAdBlockLoggingEnabled); // // Rebuild the set of principals for which we allow file:// URI loads. This diff --git a/caps/nsScriptSecurityManager.h b/caps/nsScriptSecurityManager.h index 361879dc5..41b68e137 100644 --- a/caps/nsScriptSecurityManager.h +++ b/caps/nsScriptSecurityManager.h @@ -123,6 +123,8 @@ private: nsCOMPtr mSystemPrincipal; bool mPrefInitialized; bool mIsJavaScriptEnabled; + bool mIsTenFourFoxAdBlockEnabled; + bool mIsTenFourFoxAdBlockLoggingEnabled; nsTArray> mFileURIWhitelist; // This machinery controls new-style domain policies. The old-style diff --git a/gfx/thebes/gfxPlatformMac.cpp b/gfx/thebes/gfxPlatformMac.cpp index 9b1bc1db7..a7638f0bd 100644 --- a/gfx/thebes/gfxPlatformMac.cpp +++ b/gfx/thebes/gfxPlatformMac.cpp 
@@ -259,6 +259,10 @@ gfxPlatformMac::IsFontFormatSupported(nsIURI *aFontURI, uint32_t aFormatFlags) } else failed = true; if (failed || + spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Bold.woff") || + spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Bold.woff2") || + spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Roman.woff") || + spec.Equals("http://www.latimes.com/pb/resources/dist/la/latest/4dcd1b9d7833fcec708a/fonts/KisFBDisplay-Roman.woff2") || spec.Equals("https://cdn-static-1.medium.com/_/fp/fonts/charter-nonlatin.b-nw7PXlIqmGHGmHvkDiTw.woff") || spec.Equals("http://typeface.nytimes.com/fonts/nyt-cheltenham-200-normal.woff") || spec.Equals("https://typeface.nyt.com/fonts/nyt-cheltenham-200-normal.woff") || diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 6bc859de8..1d1f1474d 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -5132,3 +5132,6 @@ pref("dom.mozKillSwitch.enabled", false); pref("toolkit.pageThumbs.screenSizeDivisor", 7); pref("toolkit.pageThumbs.minWidth", 0); pref("toolkit.pageThumbs.minHeight", 0); + +pref("tenfourfox.adblock.enabled", false); +pref("tenfourfox.adblock.logging.enabled", true);
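Review bot: The four new `spec.Equals` entries pin the full URL down to the build-hash path segment (`4dcd1b9d7833fcec708a`), so they stop matching the moment the site redeploys its assets, and they cover only the `http://` form although the neighbouring entries show both schemes being matched for other hosts. If the intent is to refuse these particular fonts, a comment stating why and when they were added, e.g. `// latimes KisFBDisplay woff/woff2: <reason they are rejected>; revisit when the asset hash changes`, lets the next maintainer prune or update the entries. The growing `||` chain of literal URLs in `IsFontFormatSupported` would also be easier to review as a static table walked in a loop; the enclosing function starts before this hunk.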
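Review bot: `tenfourfox.adblock.logging.enabled` defaults to `true`, so as soon as a user turns `tenfourfox.adblock.enabled` on, release builds write one stderr line per blocked host from the `fprintf` in caps/nsScriptSecurityManager.cpp; if the log is meant as a diagnostic, a `false` default or a comment such as `// diagnostic: prints each blocked host to stderr` beside the pref would make the intent explicit and avoid unexpected log volume.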