diff options
author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-02-28 14:16:09 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-02-28 14:16:09 +0100 |
commit | f227feb6efbfa61c62cba88ab85df3c650311560 (patch) | |
tree | 1894f5e63b43ad6eca7270a0dedd7b0e678e403a | |
parent | c08b490c5c44f5f04049f408ad0848e9843f0702 (diff) | |
download | uxp-f227feb6efbfa61c62cba88ab85df3c650311560.tar.gz |
Update Basilisk FE code with HTTP Auth DoS protection.
-rw-r--r-- | application/basilisk/app/profile/basilisk.js | 8 | ||||
-rw-r--r-- | application/basilisk/base/content/browser.js | 5 | ||||
-rw-r--r-- | application/basilisk/base/content/tabbrowser.xml | 5 | ||||
-rw-r--r-- | application/basilisk/base/content/urlbarBindings.xml | 3 |
4 files changed, 20 insertions, 1 deletions
diff --git a/application/basilisk/app/profile/basilisk.js b/application/basilisk/app/profile/basilisk.js index 79d767851d..24f1c582cc 100644 --- a/application/basilisk/app/profile/basilisk.js +++ b/application/basilisk/app/profile/basilisk.js @@ -1438,3 +1438,11 @@ pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // controlling validation are located in /services/sync/services-sync.js pref("services.sync.validation.enabled", true); #endif + +// When a user cancels this number of authentication dialogs coming from +// a single web page (eTLD+1) in a row, all following authentication dialogs +// will be blocked (automatically canceled) for that page. +// This counter is per-tab and per-domain to minimize false positives. +// The counter resets when the page is reloaded from the UI +// (content-reloads do NOT clear this to mitigate reloading tricks). +pref("prompts.authentication_dialog_abuse_limit", 3); diff --git a/application/basilisk/base/content/browser.js b/application/basilisk/base/content/browser.js index 9fb997a429..336670fa04 100644 --- a/application/basilisk/base/content/browser.js +++ b/application/basilisk/base/content/browser.js @@ -3094,6 +3094,11 @@ function getWebNavigation() } function BrowserReloadWithFlags(reloadFlags) { + + // Reset DOS mitigation for auth prompts when user initiates a reload. + let browser = gBrowser.selectedBrowser; + delete browser.authPromptCounter; + let url = gBrowser.currentURI.spec; if (gBrowser.updateBrowserRemotenessByURL(gBrowser.selectedBrowser, url)) { // If the remoteness has changed, the new browser doesn't have any diff --git a/application/basilisk/base/content/tabbrowser.xml b/application/basilisk/base/content/tabbrowser.xml index 0438380203..c84c333c46 100644 --- a/application/basilisk/base/content/tabbrowser.xml +++ b/application/basilisk/base/content/tabbrowser.xml @@ -2991,7 +2991,10 @@ <parameter name="aTab"/> <body> <![CDATA[ - this.getBrowserForTab(aTab).reload(); + let browser = this.getBrowserForTab(aTab); + // Reset DOS mitigation for basic auth prompt + delete browser.authPromptCounter; + browser.reload(); ]]> </body> </method> diff --git a/application/basilisk/base/content/urlbarBindings.xml b/application/basilisk/base/content/urlbarBindings.xml index ad11f7fdf8..b9c17818ab 100644 --- a/application/basilisk/base/content/urlbarBindings.xml +++ b/application/basilisk/base/content/urlbarBindings.xml @@ -540,6 +540,9 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. Cu.reportError(ex); } + // Reset DOS mitigations for the basic auth prompt. + delete browser.authPromptCounter; + let params = { postData, allowThirdPartyFixup: true, |