Make the Auth prompt DOS protection a browser-element opt-in feature.

pull/7/head
wolfbeast 3 years ago committed by Roy Tam
parent 7b71e22bee
commit 1e6b075d1d
  1. 3
      application/basilisk/base/content/browser.xul
  2. 6
      application/basilisk/base/content/tabbrowser.xml
  3. 3
      application/palemoon/base/content/browser.xul
  4. 6
      application/palemoon/base/content/tabbrowser.xml
  5. 32
      toolkit/components/passwordmgr/nsLoginManagerPrompter.js
  6. 4
      toolkit/content/widgets/browser.xml

@ -999,7 +999,8 @@
contentcontextmenu="contentAreaContextMenu"
autocompletepopup="PopupAutoComplete"
selectmenulist="ContentSelectDropdown"
datetimepicker="DateTimePickerPanel"/>
datetimepicker="DateTimePickerPanel"
authdosprotected="true" />
</vbox>
<vbox id="browser-border-end" hidden="true" layer="true"/>
</hbox>

@ -25,7 +25,7 @@
<xul:vbox flex="1" class="browserContainer">
<xul:stack flex="1" class="browserStack" anonid="browserStack">
<xul:browser anonid="initialBrowser" type="content-primary" message="true" messagemanagergroup="browsers"
xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker"/>
xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker,authdosprotected"/>
</xul:stack>
</xul:vbox>
</xul:hbox>
@ -1952,6 +1952,10 @@
if (this.hasAttribute("datetimepicker")) {
b.setAttribute("datetimepicker", this.getAttribute("datetimepicker"));
}
if (this.hasAttribute("authdosprotected")) {
b.setAttribute("authdosprotected", this.getAttribute("authdosprotected"));
}
b.setAttribute("autoscrollpopup", this._autoScrollPopup.id);
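Review bot: The two propagation paths for `authdosprotected` in this file behave differently over time: the initial browser follows the tabbrowser attribute through `xbl:inherits`, while the `setAttribute` copy in the second hunk is a snapshot taken when the new browser is created. If the tabbrowser attribute were changed at runtime, browsers in the same window could end up with differing protection state. A short comment at the copy would make that explicit, e.g. `// Snapshot of the opt-in at creation time; later changes on the tabbrowser are not propagated`. The same pattern appears in application/palemoon/base/content/tabbrowser.xml, and the enclosing method starts and ends outside the hunk.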

@ -965,7 +965,8 @@
tabcontainer="tabbrowser-tabs"
contentcontextmenu="contentAreaContextMenu"
autocompletepopup="PopupAutoComplete"
datetimepicker="DateTimePickerPanel"/>
datetimepicker="DateTimePickerPanel"
authdosprotected="true"/>
<chatbar id="pinnedchats" layer="true" mousethrough="always" hidden="true"/>
<statuspanel id="statusbar-display" inactive="true"/>
</vbox>

@ -30,7 +30,7 @@
<xul:vbox flex="1" class="browserContainer">
<xul:stack flex="1" class="browserStack" anonid="browserStack">
<xul:browser anonid="initialBrowser" type="content-primary" message="true" disablehistory="true"
xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker"/>
xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker,authdosprotected"/>
</xul:stack>
</xul:vbox>
</xul:hbox>
@ -1588,6 +1588,10 @@
if (this.hasAttribute("datetimepicker")) {
b.setAttribute("datetimepicker", this.getAttribute("datetimepicker"));
}
if (this.hasAttribute("authdosprotected")) {
b.setAttribute("authdosprotected", this.getAttribute("authdosprotected"));
}
// Create the browserStack container
var stack = document.createElementNS(NS_XUL, "stack");

@ -103,7 +103,7 @@ LoginManagerPromptFactory.prototype = {
// cancel the prompt until we stop showing it.
let browser = prompter._browser;
let baseDomain = null;
if (browser) {
if (browser && browser.isAuthDOSProtected) {
try {
baseDomain = Services.eTLD.getBaseDomainFromHost(hostname);
} catch (e) {
@ -145,7 +145,7 @@ LoginManagerPromptFactory.prototype = {
prompt.inProgress = false;
self._asyncPromptInProgress = false;
if (browser) {
if (browser && browser.isAuthDOSProtected) {
// Reset the counter state if the user replied to a prompt and actually
// tried to login (vs. simply clicking any button to get out).
if (ok && (prompt.authInfo.username || prompt.authInfo.password)) {
@ -177,15 +177,27 @@ LoginManagerPromptFactory.prototype = {
var cancelDialogLimit = Services.prefs.getIntPref("prompts.authentication_dialog_abuse_limit");
let cancelationCounter = browser.authPromptCounter[baseDomain];
this.log("cancelationCounter =", cancelationCounter);
if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) {
this.log("Blocking auth dialog, due to exceeding dialog bloat limit");
delete this._asyncPrompts[hashKey];
// just make the runnable cancel all consumers
runnable.cancel = true;
// Block the auth prompt if:
// - There is an attached browser element
// - The browser element has opted-in to DOS protection
// - The dialog cancellation limit is not 0 (= feature disabled)
// - The amount of cancellations >= the set abuse limit
if (browser && browser.isAuthDOSProtected) {
let cancelationCounter = browser.authPromptCounter[baseDomain];
this.log("cancelationCounter =", cancelationCounter);
if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) {
this.log("Blocking auth dialog, due to exceeding dialog bloat limit");
delete this._asyncPrompts[hashKey];
// just make the runnable cancel all consumers
runnable.cancel = true;
} else {
this._asyncPromptInProgress = true;
prompt.inProgress = true;
}
} else {
// No DOS protection: prompt
this._asyncPromptInProgress = true;
prompt.inProgress = true;
}
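Review bot: The new `else` branch at the end of this hunk makes the abuse limit fail open: a prompt whose `browser` is missing or lacks `authdosprotected="true"` is shown with no cancellation counting, and nothing is logged on that path. Before this change every prompt with an attached browser was counted, so any content-hosting browser element not opted in by this commit silently loses the protection. I would add a log line in that branch, such as `this.log("Auth prompt DOS protection not enabled for this browser");`, and a comment at the first `browser.isAuthDOSProtected` check stating that the attribute is opt-in and defaults to unprotected. The duplicated `this._asyncPromptInProgress = true; prompt.inProgress = true;` pair could also be written once by computing a single blocked/not-blocked boolean first. The enclosing function starts and ends outside the hunk.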

@ -899,6 +899,10 @@
<field name="mIconURL">null</field>
<property name="isAuthDOSProtected"
onget="return (this.getAttribute('authdosprotected') == 'true');"
readonly="true"/>
<!-- This is managed by the tabbrowser -->
<field name="lastURI">null</field>
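Review bot: The `isAuthDOSProtected` getter treats only the exact string `true` as opted in, so a typo or different casing in markup (for example `authdosprotected="True"` or `="1"`) silently leaves that browser without the auth-prompt abuse limit. A comment above the property would help embedders, e.g. `<!-- Opt-in to auth prompt DOS protection; only authdosprotected="true" enables it -->`. The comparison could also use `===`, since `getAttribute` returns a string or null. The rest of the binding lies outside the hunk.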
