ma1 pushed to branch mullvad-browser-140.2.0esr-15.0-1 at The Tor Project / Applications / Mullvad Browser Commits: da03dd1c by Tom Schuster at 2025-08-18T13:24:08+02:00 Bug 672618 - Don't execute javascript: URLs on CTRL+click, middle-click etc. r=dao Differential Revision: https://phabricator.services.mozilla.com/D256648 - - - - - 2d0f5cb1 by Tom Schuster at 2025-08-18T13:24:10+02:00 Bug 1701974 - Use x-kde-passwordManagerHint when copying private data to the clipboard. r=stransky Differential Revision: https://phabricator.services.mozilla.com/D256781 - - - - - f7cb2840 by Tom Schuster at 2025-08-18T13:24:11+02:00 Bug 1973900 - Remove support for the codebase attribute from <object>. r=farre,dom-core Differential Revision: https://phabricator.services.mozilla.com/D254958 - - - - - 11 changed files: - browser/actors/ClickHandlerChild.sys.mjs - browser/app/profile/firefox.js - browser/base/content/test/general/browser_modifiedclick_inherit_principal.js - browser/base/content/test/linkHandling/browser.toml - browser/base/content/test/linkHandling/browser_contentAreaClick_subframe_javascript.js - + browser/base/content/test/linkHandling/browser_javascript_links.js - + browser/base/content/test/linkHandling/file_javascript_links_subframe.html - dom/base/nsObjectLoadingContent.cpp - modules/libpref/init/StaticPrefList.yaml - testing/web-platform/tests/html/semantics/embedded-content/the-object-element/historical.html - widget/gtk/nsClipboard.cpp Changes: ===================================== browser/actors/ClickHandlerChild.sys.mjs ===================================== @@ -12,12 +12,26 @@ ChromeUtils.defineESModuleGetters(lazy, { E10SUtils: "resource://gre/modules/E10SUtils.sys.mjs", }); +XPCOMUtils.defineLazyPreferenceGetter( + lazy, + "autoscrollEnabled", + "general.autoScroll", + true +); + +XPCOMUtils.defineLazyPreferenceGetter( + lazy, + "blockJavascript", + "browser.link.alternative_click.block_javascript", + true +); + export class MiddleMousePasteHandlerChild extends JSWindowActorChild { handleEvent(clickEvent) { if ( clickEvent.defaultPrevented || clickEvent.button != 1 || - MiddleMousePasteHandlerChild.autoscrollEnabled + lazy.autoscrollEnabled ) { return; } @@ -34,13 +48,6 @@ export class MiddleMousePasteHandlerChild extends JSWindowActorChild { } } -XPCOMUtils.defineLazyPreferenceGetter( - MiddleMousePasteHandlerChild, - "autoscrollEnabled", - "general.autoScroll", - true -); - export class ClickHandlerChild extends JSWindowActorChild { handleEvent(wrapperEvent) { this.handleClickEvent(wrapperEvent.sourceEvent); @@ -112,6 +119,14 @@ export class ClickHandlerChild extends JSWindowActorChild { }; if (href && !isFromMiddleMousePasteHandler) { + if ( + lazy.blockJavascript && + Services.io.extractScheme(href) == "javascript" + ) { + // We don't want to open new tabs or windows for javascript: links. + return; + } + try { Services.scriptSecurityManager.checkLoadURIStrWithPrincipal( principal, ===================================== browser/app/profile/firefox.js ===================================== @@ -907,6 +907,9 @@ pref("browser.link.open_newwindow.restriction", 2); pref("browser.link.open_newwindow.disabled_in_fullscreen", false); #endif +// If true, opening javscript: URLs using middle-click, CTRL+click etc. are blocked. +pref("browser.link.alternative_click.block_javascript", true); + // Tabbed browser pref("browser.tabs.closeTabByDblclick", false); pref("browser.tabs.closeWindowWithLastTab", true); ===================================== browser/base/content/test/general/browser_modifiedclick_inherit_principal.js ===================================== @@ -10,6 +10,10 @@ const kURL = * we use the correct principal, and we don't clear the URL bar. */ add_task(async function () { + await SpecialPowers.pushPrefEnv({ + set: [["browser.link.alternative_click.block_javascript", false]], + }); + await BrowserTestUtils.withNewTab(kURL, async function (browser) { let newTabPromise = BrowserTestUtils.waitForNewTab(gBrowser); await SpecialPowers.spawn(browser, [], async function () { ===================================== browser/base/content/test/linkHandling/browser.toml ===================================== @@ -2,3 +2,8 @@ support-files = [ "file_contentAreaClick_subframe_javascript.html" ] + +["browser_javascript_links.js"] +support-files = [ + "file_javascript_links_subframe.html" +] ===================================== browser/base/content/test/linkHandling/browser_contentAreaClick_subframe_javascript.js ===================================== @@ -5,6 +5,10 @@ const gExampleComRoot = getRootDirectory(gTestPath).replace( const IFRAME_FILE = "file_contentAreaClick_subframe_javascript.html"; add_task(async function () { + await SpecialPowers.pushPrefEnv({ + set: [["browser.link.alternative_click.block_javascript", false]], + }); + await BrowserTestUtils.withNewTab( `data:text/html,<iframe src="${gExampleComRoot + IFRAME_FILE}"></iframe>`, async browser => { ===================================== browser/base/content/test/linkHandling/browser_javascript_links.js ===================================== @@ -0,0 +1,88 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +const TEST_PATH = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content/", + "https://example.com/" +); +const IFRAME_PATH = TEST_PATH + "file_javascript_links_subframe.html"; + +add_setup(async function () { + await SpecialPowers.pushPrefEnv({ + set: [ + ["browser.link.alternative_click.block_javascript", true], + ["browser.tabs.opentabfor.middleclick", true], + ["middlemouse.paste", false], + ["middlemouse.contentLoadURL", false], + ["general.autoScroll", false], + ], + }); +}); + +add_task(async function () { + await BrowserTestUtils.withNewTab( + `data:text/html,<a href="javascript:alert(1);">click me`, + async browser => { + await BrowserTestUtils.synthesizeMouseAtCenter( + "a", + { button: 0, ctrlKey: true, metaKey: true }, + browser + ); + is( + gBrowser.tabs.length, + 2, + "Accel+click on javascript: link shouldn't open a new tab" + ); + + await BrowserTestUtils.synthesizeMouseAtCenter( + "a", + { button: 1 }, + browser + ); + is( + gBrowser.tabs.length, + 2, + "Middle click on javascript: link shouldn't open a new tab" + ); + + await BrowserTestUtils.synthesizeMouseAtCenter( + "a", + { button: 0, shiftKey: true }, + browser + ); + // This is fragile and might miss the new window, but the test will fail + // anyway when finishing with an extra window left behind. + // eslint-disable-next-line mozilla/no-arbitrary-setTimeout + await new Promise(resolve => setTimeout(resolve, 200)); + is( + BrowserWindowTracker.windowCount, + 1, + "Shift+click on javascript: link shouldn't open a new window" + ); + } + ); +}); + +add_task(async function iframe_link() { + await BrowserTestUtils.withNewTab( + `data:text/html,<iframe src="${IFRAME_PATH}"></iframe>`, + async browser => { + // ctrl/cmd-click the link in the subframe. + await BrowserTestUtils.synthesizeMouseAtCenter( + "a", + { ctrlKey: true, metaKey: true }, + browser.browsingContext.children[0] + ); + + // eslint-disable-next-line mozilla/no-arbitrary-setTimeout + await new Promise(resolve => setTimeout(resolve, 200)); + is( + gBrowser.tabs.length, + 2, + "Click on javascript: link in iframe shouldn't open a new tab" + ); + } + ); +}); ===================================== browser/base/content/test/linkHandling/file_javascript_links_subframe.html ===================================== @@ -0,0 +1,2 @@ +<!DOCTYPE html> +<a href="javascript:alert(1)">click me ===================================== dom/base/nsObjectLoadingContent.cpp ===================================== @@ -73,6 +73,7 @@ #include "mozilla/PresShell.h" #include "mozilla/ProfilerLabels.h" #include "mozilla/StaticPrefs_browser.h" +#include "mozilla/StaticPrefs_dom.h" #include "nsChannelClassifier.h" #include "nsFocusManager.h" #include "ReferrerInfo.h" @@ -736,11 +737,12 @@ nsObjectLoadingContent::UpdateObjectParameters() { /// Codebase /// - nsAutoString codebaseStr; nsIURI* docBaseURI = el->GetBaseURI(); - el->GetAttr(nsGkAtoms::codebase, codebaseStr); - if (!codebaseStr.IsEmpty()) { + nsAutoString codebaseStr; + el->GetAttr(nsGkAtoms::codebase, codebaseStr); + if (StaticPrefs::dom_object_embed_codebase_enabled() && + !codebaseStr.IsEmpty()) { rv = nsContentUtils::NewURIWithDocumentCharset( getter_AddRefs(newBaseURI), codebaseStr, el->OwnerDoc(), docBaseURI); if (NS_FAILED(rv)) { ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -3633,6 +3633,12 @@ value: true mirror: always +# Whether the codebase attribute in an <object> is used as the base URI. +- name: dom.object_embed.codebase.enabled + type: bool + value: false + mirror: always + # Whether origin trials are enabled. - name: dom.origin-trials.enabled type: bool ===================================== testing/web-platform/tests/html/semantics/embedded-content/the-object-element/historical.html ===================================== @@ -30,4 +30,17 @@ async_test(t => { obj.onerror = t.unreached_func(); document.body.appendChild(obj); }, "object's typemustmatch content attribute should not be supported"); + +async_test(t => { + const obj = document.createElement("object"); + t.add_cleanup(() => obj.remove()); + obj.setAttribute("data", "/common/blank.html"); + obj.setAttribute("codebase", "https://test.invalid/"); + obj.onload = t.step_func_done(() => { + assert_not_equals(obj.contentDocument, null, "/common/blank.html should be loaded"); + assert_equals(obj.contentDocument.location.origin, location.origin, "document should be loaded with current origin as base"); + }); + obj.onerror = t.unreached_func(); + document.body.appendChild(obj); +}, "object's codebase content attribute should not be supported"); </script> ===================================== widget/gtk/nsClipboard.cpp ===================================== @@ -66,6 +66,10 @@ static const char kHTMLMarkupPrefix[] = static const char kURIListMime[] = "text/uri-list"; +// MIME to exclude sensitive data (password) from the clipboard history on not +// just KDE. +static const char kKDEPasswordManagerHintMime[] = "x-kde-passwordManagerHint"; + MOZ_CONSTINIT ClipboardTargets nsRetrievalContext::sClipboardTargets; MOZ_CONSTINIT ClipboardTargets nsRetrievalContext::sPrimaryTargets; @@ -313,6 +317,12 @@ nsClipboard::SetNativeClipboardData(nsITransferable* aTransferable, gtk_target_list_add(list, atom, 0, 0); } + // Try to exclude private data from clipboard history. + if (aTransferable->GetIsPrivateData()) { + GdkAtom atom = gdk_atom_intern(kKDEPasswordManagerHintMime, FALSE); + gtk_target_list_add(list, atom, 0, 0); + } + // Get GTK clipboard (CLIPBOARD or PRIMARY) GtkClipboard* gtkClipboard = gtk_clipboard_get(GetSelectionAtom(aWhichClipboard)); @@ -1228,6 +1238,22 @@ void nsClipboard::SelectionGetEvent(GtkClipboard* aClipboard, return; } + if (selectionTarget == gdk_atom_intern(kKDEPasswordManagerHintMime, FALSE)) { + if (!trans->GetIsPrivateData()) { + MOZ_CLIPBOARD_LOG( + " requested %s, but the data isn't actually private!\n", + kKDEPasswordManagerHintMime); + return; + } + + static const char* kSecret = "secret"; + MOZ_CLIPBOARD_LOG(" Setting data to '%s' for %s\n", kSecret, + kKDEPasswordManagerHintMime); + gtk_selection_data_set(aSelectionData, selectionTarget, 8, + (const guchar*)kSecret, strlen(kSecret)); + return; + } + MOZ_CLIPBOARD_LOG(" Try if we have anything at GetTransferData() for %s\n", GUniquePtr<gchar>(gdk_atom_name(selectionTarget)).get()); View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/ed7... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/ed7... You're receiving this email because of your account on gitlab.torproject.org.