head	1.3;
access;
symbols
	RELEASE_8_0_0:1.2
	RELEASE_7_2_0:1.2;
locks; strict;
comment	@# @;


1.3
date	2010.02.07.21.48.43;	author beat;	state dead;
branches;
next	1.2;

1.2
date	2009.02.15.18.20.47;	author marcus;	state Exp;
branches;
next	1.1;

1.1
date	2009.02.15.18.20.11;	author marcus;	state Exp;
branches;
next	;


desc
@@


1.3
log
@- Update to 3.6

What's new in Firefox 3.6:

  * Support for the HTML5 File API
  * A change to how third-party software integrates with Firefox to
    increase stability.
  * The ability to run scripts asynchronously to speed up page load times.
  * A mechanism to prevent incompatible software from crashing Firefox.
  * Users can now change their browser's appearance with a single click,
    with built in support for Personas.
  * Firefox 3.6 will alert users about out of date plugins to keep them
    safe.
  * Open, native video can now be displayed full screen, and supports
    poster frames.
  * Support for the WOFF font format.
  * Improved JavaScript performance, overall browser responsiveness and
    startup time.
  * Support for new CSS, DOM and HTML5 web technologies.

Thanks to:	Andreas Tobler, Florian Smeets, nox@@, miwi@@ and all testers
@
text
@--- .pc/380418-candidate.patch/content/base/src/nsXMLHttpRequest.cpp	2009-01-05 03:48:53.000000000 +0100
+++ content/base/src/nsXMLHttpRequest.cpp	2009-01-05 03:54:08.000000000 +0100
@@@@ -762,16 +762,28 @@@@ nsXMLHttpRequest::GetAllResponseHeaders(
 /* ACString getResponseHeader (in AUTF8String header); */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseHeader(const nsACString& header,
                                     nsACString& _retval)
 {
   nsresult rv = NS_OK;
   _retval.Truncate();
 
+  // See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
+  PRBool chrome = PR_FALSE; // default to false in case IsCapabilityEnabled fails
+  nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
+  secMan->IsCapabilityEnabled("UniversalXPConnect", &chrome);
+  if (!chrome &&
+       (header.LowerCaseEqualsASCII("set-cookie") ||
+        header.LowerCaseEqualsASCII("set-cookie2"))) {
+    NS_WARNING("blocked access to response header");
+    _retval.SetIsVoid(PR_TRUE);
+    return NS_OK;
+  }
+
   nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();
 
   if (!mDenyResponseDataAccess && httpChannel) {
     rv = httpChannel->GetResponseHeader(header, _retval);
   }
 
   if (rv == NS_ERROR_NOT_AVAILABLE) {
     // Means no header
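Review bot: `secMan` is dereferenced in the block added to GetResponseHeader without a null check, and the nsresult of `IsCapabilityEnabled` is discarded. Leaving `chrome` at `PR_FALSE` on failure is the right fail-closed default, but if `nsContentUtils::GetSecurityManager()` can return null here (not visible from this hunk), the call crashes instead of denying. Guarding it keeps the deny path intact: `if (secMan) secMan->IsCapabilityEnabled("UniversalXPConnect", &chrome);`. The same pattern is repeated in nsHeaderVisitor::VisitHeader in the second hunk. The body of GetResponseHeader continues past the end of this hunk.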
@@@@ -2183,20 +2195,30 @@@@ nsXMLHttpRequest::AppendReachableList(ns
 }
 
 
 NS_IMPL_ISUPPORTS1(nsXMLHttpRequest::nsHeaderVisitor, nsIHttpHeaderVisitor)
 
 NS_IMETHODIMP nsXMLHttpRequest::
 nsHeaderVisitor::VisitHeader(const nsACString &header, const nsACString &value)
 {
-    mHeaders.Append(header);
-    mHeaders.Append(": ");
-    mHeaders.Append(value);
-    mHeaders.Append('\n');
+    // See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
+    PRBool chrome = PR_FALSE; // default to false in case IsCapabilityEnabled fails
+    nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
+    secMan->IsCapabilityEnabled("UniversalXPConnect", &chrome);
+    if (!chrome &&
+         (header.LowerCaseEqualsASCII("set-cookie") ||
+          header.LowerCaseEqualsASCII("set-cookie2"))) {
+        NS_WARNING("blocked access to response header");
+    } else {
+        mHeaders.Append(header);
+        mHeaders.Append(": ");
+        mHeaders.Append(value);
+        mHeaders.Append('\n');
+    }
     return NS_OK;
 }
 
 // DOM event class to handle progress notifications
 nsXMLHttpProgressEvent::nsXMLHttpProgressEvent(nsIDOMEvent * aInner, PRUint64 aCurrentProgress, PRUint64 aMaxProgress)
 {
   mInner = aInner; 
   mCurProgress = aCurrentProgress;
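Review bot: The Set-Cookie filter in VisitHeader is a second copy of the check added to GetResponseHeader. Any later change to the hidden-header list or the privilege test must be made in both places, or the two paths will stop denying the same headers. The visitor also queries the security manager once per response header, including headers that are never hidden. A file-local helper that tests the header name first and only then asks for the capability would serve both call sites; a sketch follows. The nsXMLHttpProgressEvent constructor at the end of this hunk continues outside it.

```cpp
// Returns PR_TRUE when the header is a cookie-setting header and the caller
// is not chrome (bug #380418). Fails closed if the capability check cannot run.
static PRBool
IsCookieHeaderHiddenFromCaller(const nsACString& header)
{
  if (!header.LowerCaseEqualsASCII("set-cookie") &&
      !header.LowerCaseEqualsASCII("set-cookie2")) {
    return PR_FALSE;
  }
  PRBool chrome = PR_FALSE; // stays false if the check cannot be made
  nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
  if (secMan) {
    secMan->IsCapabilityEnabled("UniversalXPConnect", &chrome);
  }
  return !chrome;
}

NS_IMETHODIMP nsXMLHttpRequest::
nsHeaderVisitor::VisitHeader(const nsACString &header, const nsACString &value)
{
    if (IsCookieHeaderHiddenFromCaller(header)) {
        NS_WARNING("blocked access to response header");
        return NS_OK;
    }
    // … unchanged: the four mHeaders.Append calls …
    return NS_OK;
}
```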
@


1.2
log
@Forced commit to note these patches were obtained from Mozilla Bugzilla.
@
text
@@


1.1
log
@Backport patches for the following security bugs:

CVE-2009-0355
CVE-2009-0356
CVE-2009-0357

This allows Firefox 2 to be unforbidden for the time being.
@
text
@@

