ma1 pushed to branch mullvad-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Mullvad Browser
Commits: 955c81f6 by Tara at 2025-03-03T10:15:09+01:00 Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp]
Differential Revision: https://phabricator.services.mozilla.com/D236606
- - - - - 7377c502 by John Schanck at 2025-03-03T10:15:10+01:00 Bug 1922357 - disallow the fido: URI scheme. a=dmeehan
Original Revision: https://phabricator.services.mozilla.com/D237313
Differential Revision: https://phabricator.services.mozilla.com/D238681 - - - - - bddb7190 by Jeff Boek at 2025-03-03T10:15:11+01:00 Bug 1928334 - Handles animating activities a=dmeehan
Original Revision: https://phabricator.services.mozilla.com/D238342
Differential Revision: https://phabricator.services.mozilla.com/D238845 - - - - - 43064cfd by Tom Schuster at 2025-03-03T10:15:12+01:00 Bug 1942022 - Improve the about:protections CSP. r=firefox-desktop-core-reviewers ,mossop
Differential Revision: https://phabricator.services.mozilla.com/D234507 - - - - - 64d9c395 by Tom Schuster at 2025-03-03T10:15:13+01:00 Bug 1942025 - Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs
Differential Revision: https://phabricator.services.mozilla.com/D234508 - - - - -
11 changed files:
- browser/components/privatebrowsing/content/aboutPrivateBrowsing.html - browser/components/protections/content/protections.html - mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt - mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt - mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt - mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt - mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt - mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java - mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java
Changes:
===================================== browser/components/privatebrowsing/content/aboutPrivateBrowsing.html ===================================== @@ -10,7 +10,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; img-src chrome: blob:; object-src 'none';" /> <meta name="color-scheme" content="light dark" /> <link rel="icon" href="chrome://browser/skin/privatebrowsing/favicon.svg" />
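Review bot: The new policy keeps `blob:` only under `img-src`, but nothing in this hunk records which image on the page needs it, so a later edit cannot tell whether the exception is still required. An HTML comment above the `<meta>` element, for example `<!-- img-src allows blob: for <feature>; see Bug 1942025 -->` with the placeholder filled in, would document it. The policy string here also ends with a trailing `;` while the one in protections.html (next section) does not; this is harmless, but the two pages would be easier to compare if they used the same form.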
===================================== browser/components/protections/content/protections.html ===================================== @@ -8,7 +8,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; object-src 'none'" /> <meta name="color-scheme" content="light dark" /> <link rel="localization" href="branding/brand.ftl" />
===================================== mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt ===================================== @@ -1818,7 +1818,7 @@ class GeckoEngineSession( internal const val ABOUT_BLANK = "about:blank" internal const val JS_SCHEME = "javascript" internal val BLOCKED_SCHEMES = - listOf("file", "resource", JS_SCHEME) // See 1684761 and 1684947 + listOf("file", "resource", "fido", JS_SCHEME) // See 1684761 and 1684947
/** * Provides an ErrorType corresponding to the error code provided.
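Review bot: The trailing comment on `BLOCKED_SCHEMES` still reads `// See 1684761 and 1684947`, so the newly added `"fido"` entry has no reference explaining why it is blocked. Extending it to `// See 1684761, 1684947 and 1922357 (fido)` keeps the list self-explanatory. The same applies to the `ALWAYS_DENY_SCHEMES` change in AppLinksUseCases.kt and the `"fido".equals(scheme)` check in IntentUtils.java, which add the scheme with no comment at all; a one-line `// Bug 1922357: disallow the fido: URI scheme` next to each would do. The enclosing declaration starts outside the hunk.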
===================================== mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt ===================================== @@ -631,6 +631,11 @@ class GeckoEngineSessionTest { engineSession.loadUrl("RESOURCE://package/test.text") verify(geckoSession, never()).load(GeckoSession.Loader().uri("resource://package/test.text")) verify(geckoSession, never()).load(GeckoSession.Loader().uri("RESOURCE://package/test.text")) + + engineSession.loadUrl("fido:/12345678") + engineSession.loadUrl("FIDO:/12345678") + verify(geckoSession, never()).load(GeckoSession.Loader().uri("fido:/12345678")) + verify(geckoSession, never()).load(GeckoSession.Loader().uri("FIDO:/12345678")) }
@Test
===================================== mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt ===================================== @@ -313,6 +313,7 @@ class AppLinksUseCases( "https", "moz-extension", "moz-safe-about", "resource", "view-source", "ws", "wss", "blob", )
- internal val ALWAYS_DENY_SCHEMES: Set<String> = setOf("jar", "file", "javascript", "data", "about", "content") + internal val ALWAYS_DENY_SCHEMES: Set<String> = + setOf("jar", "file", "javascript", "data", "about", "content", "fido") } }
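Review bot: Nothing visible here shows that the lookup against `ALWAYS_DENY_SCHEMES` is case-insensitive, and the new test in AppLinksUseCasesTest.kt only uses the lowercase `fido:12345678`, whereas GeckoEngineSessionTest.kt also checks `FIDO:/12345678`. If the scheme is not normalised before the set lookup (the code doing the lookup is outside the hunk), an upper- or mixed-case scheme would not match the deny list; adding `assertFalse(subject.interceptedAppLinkRedirect("FIDO:12345678").isRedirect())` to the test would pin the behaviour. The same gap exists in IntentUtils.java and IntentUtilsTest.java, where `"fido".equals(scheme)` is an exact match and only `fido:/12345678` is tested; `"fido".equalsIgnoreCase(scheme)` or an uppercase test case would cover it.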
===================================== mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt ===================================== @@ -47,6 +47,7 @@ class AppLinksUseCasesTest { private val javascriptUrl = "javascript:'hello, world'" private val jarUrl = "jar:file://some/path/test.html" private val contentUrl = "content://media/external_primary/downloads/12345" + private val fidoPath = "fido:12345678" private val fileType = "audio/mpeg" private val layerUrl = "https://example.com" private val layerPackage = "com.example.app" @@ -215,6 +216,15 @@ class AppLinksUseCasesTest { assertFalse(redirect.isRedirect()) }
+ @Test + fun `A fido url is not an app link`() { + val context = createContext(Triple(fidoPath, appPackage, "")) + val subject = AppLinksUseCases(context, { true }) + + val redirect = subject.interceptedAppLinkRedirect(fidoPath) + assertFalse(redirect.isRedirect()) + } + @Test fun `Will not redirect app link if browser option set to false and scheme is supported`() { val context = createContext(Triple(appUrl, appPackage, ""))
===================================== mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt ===================================== @@ -9,6 +9,7 @@ import android.content.Intent import androidx.annotation.VisibleForTesting import androidx.annotation.VisibleForTesting.Companion.PRIVATE import androidx.core.view.isVisible +import androidx.fragment.app.DialogFragment import androidx.fragment.app.Fragment import androidx.fragment.app.FragmentManager import kotlinx.coroutines.CoroutineScope @@ -1094,7 +1095,15 @@ class PromptFeature private constructor( emitPromptDismissedFact(promptName = promptRequest::class.simpleName.ifNullOrEmpty { "" }) }
+ @VisibleForTesting + internal fun redirectDialogFragmentIsActive() = + (fragmentManager.findFragmentByTag("SHOULD_OPEN_APP_LINK_PROMPT_DIALOG") as? DialogFragment) != null + private fun canShowThisPrompt(promptRequest: PromptRequest): Boolean { + if (redirectDialogFragmentIsActive()) { + return false + } + return when (promptRequest) { is SingleChoice, is MultipleChoice,
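Review bot: `redirectDialogFragmentIsActive()` looks the dialog up by the string literal `"SHOULD_OPEN_APP_LINK_PROMPT_DIALOG"`, which has to stay identical to the tag used where the app-link dialog is shown (not visible in this hunk); if the two drift apart, the guard in `canShowThisPrompt` silently stops working. Referencing a shared constant instead of repeating the literal would prevent that, and the check itself can be written as `fragmentManager.findFragmentByTag(TAG) is DialogFragment`, with `TAG` standing for that constant. A short KDoc on the new function saying that prompts are suppressed while the redirect dialog is on screen would also help, since the early `return false` now applies to every prompt type. `canShowThisPrompt` continues outside the hunk.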
===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt ===================================== @@ -798,7 +798,7 @@ open class HomeActivity : LocaleAwareAppCompatActivity(), NavHostActivity { return false }
- final override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { ProfilerMarkers.addForDispatchTouchEvent(components.core.engine.profiler, ev) return super.dispatchTouchEvent(ev) }
===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt ===================================== @@ -7,6 +7,7 @@ package org.mozilla.fenix.customtabs import android.app.assist.AssistContent import android.net.Uri import android.os.Build +import android.view.MotionEvent import androidx.annotation.RequiresApi import androidx.annotation.VisibleForTesting import mozilla.components.browser.state.selector.findCustomTab @@ -24,6 +25,8 @@ const val EXTRA_IS_SANDBOX_CUSTOM_TAB = "org.mozilla.fenix.customtabs.EXTRA_IS_S */ @Suppress("TooManyFunctions") open class ExternalAppBrowserActivity : HomeActivity() { + var isFinishedAnimating = false + override fun onResume() { super.onResume()
@@ -74,4 +77,17 @@ open class ExternalAppBrowserActivity : HomeActivity() { val currentTabUrl = getExternalTab()?.content?.url outContent?.webUri = currentTabUrl?.let { Uri.parse(it) } } + + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + if (!isFinishedAnimating) { + return true + } + + return super.dispatchTouchEvent(ev) + } + + override fun onEnterAnimationComplete() { + super.onEnterAnimationComplete() + isFinishedAnimating = true + } }
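Review bot: `dispatchTouchEvent` consumes every touch event until `onEnterAnimationComplete()` has run, but neither the override nor the `isFinishedAnimating` field added in the hunk above says why, and the field is a public `var` that any caller can flip. A KDoc on the override stating the intent (presumably to ignore taps delivered while the custom tab is still animating in; confirm) and narrowing the field to `@VisibleForTesting internal var isFinishedAnimating = false` would make the guard harder to defeat by accident. While the flag is false the call to `super.dispatchTouchEvent` is skipped, so `ProfilerMarkers.addForDispatchTouchEvent` in HomeActivity does not run for those events; if that is intended, the comment should say so.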
===================================== mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java ===================================== @@ -76,6 +76,10 @@ public class IntentUtils { return getSafeIntent(aUri) != null; }
+ if ("fido".equals(scheme)) { + return false; + } + return true; }
===================================== mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java ===================================== @@ -63,4 +63,10 @@ public class IntentUtilsTest { final String uri = "intent:non_scheme_intent#Intent;end"; assertTrue(IntentUtils.isUriSafeForScheme(uri)); } + + @Test + public void unsafeFidoUri() { + final String uri = "fido:/12345678"; + assertFalse(IntentUtils.isUriSafeForScheme(uri)); + } }