Bug 1226490 - Allow administrators to prevent users from ignoring Safe Browsing warnings. r=gcp,r=smaug

2024-09-13 09:24:08 -07:00 · 2015-11-23 13:34:31 -08:00 · 2015-11-23 13:34:31 -08:00 · a9b5f99b6a
commit a9b5f99b6a
parent 2bcef10cbc
5 changed files with 41 additions and 10 deletions
--- a/browser/base/content/blockedSite.xhtml
+++ b/browser/base/content/blockedSite.xhtml
@ -22,8 +22,9 @@

    <script type="application/javascript"><![CDATA[
      // Error url MUST be formatted like this:
-      //   about:blocked?e=error_code&u=url
-      
+      //   about:blocked?e=error_code&u=url(&o=1)?
+      //     (o=1 when user overrides are allowed)
+
      // Note that this file uses document.documentURI to get
      // the URL (with the format from above). This is because
      // document.location.href gets the current URI off the docshell,
@ -55,7 +56,18 @@
          url = url.slice(12);
        return url;
      }
-      
+
+      /**
+       * Check whether this warning page should be overridable or whether
+       * the "ignore warning" button should be hidden.
+       */
+      function getOverride()
+      {
+        var url = document.documentURI;
+        var match = url.match(/&o=1&/);
+        return !!match;
+      }
+
      /**
       * Attempt to get the hostname via document.location.  Fail back
       * to getURL so that we always return something meaningful.
@ -135,6 +147,13 @@
        document.title = document.getElementById("errorTitleText_" + error)
                                 .innerHTML;

+        if (!getOverride()) {
+          var btn = document.getElementById("ignoreWarningButton");
+          if (btn) {
+            btn.parentNode.removeChild(btn);
+          }
+        }
+
        // Inform the test harness that we're done loading the page
        var event = new CustomEvent("AboutBlockedLoaded");
        document.dispatchEvent(event);
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -2994,10 +2994,12 @@ var BrowserOnClick = {
        break;

      case "ignoreWarningButton":
-        if (sendTelemetry) {
-          secHistogram.add(nsISecTel[bucketName + "IGNORE_WARNING"]);
+        if (gPrefService.getBoolPref("browser.safebrowsing.allowOverride")) {
+          if (sendTelemetry) {
+            secHistogram.add(nsISecTel[bucketName + "IGNORE_WARNING"]);
+          }
+          this.ignoreWarningButton(reason);
        }
-        this.ignoreWarningButton(reason);
        break;
    }
  },
--- a/browser/components/safebrowsing/content/test/browser_bug400731.js
+++ b/browser/components/safebrowsing/content/test/browser_bug400731.js
@ -33,7 +33,9 @@ function testMalware(event) {
  
  var style = content.getComputedStyle(el, null);
  is(style.display, "inline-block", "Ignore Warning button should be display:inline-block for malware");
-  
+
+  Services.prefs.setBoolPref("browser.safebrowsing.allowOverride", false);
+
  // Now launch the unwanted software test
  window.addEventListener("DOMContentLoaded", testUnwanted, true);
  content.location = "http://www.itisatrap.org/firefox/unwanted.html";
@ -48,10 +50,9 @@ function testUnwanted(event) {

  // Confirm that "Ignore this warning" is visible - bug 422410
  var el = content.document.getElementById("ignoreWarningButton");
-  ok(el, "Ignore warning button should be present for unwanted software");
+  ok(!el, "Ignore warning button should be missing for unwanted software");

-  var style = content.getComputedStyle(el, null);
-  is(style.display, "inline-block", "Ignore Warning button should be display:inline-block for unwanted software");
+  Services.prefs.setBoolPref("browser.safebrowsing.allowOverride", true);

  // Now launch the phishing test
  window.addEventListener("DOMContentLoaded", testPhishing, true);
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -5131,6 +5131,8 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
  return NS_OK;
 }

+#define PREF_SAFEBROWSING_ALLOWOVERRIDE "browser.safebrowsing.allowOverride"
+
 NS_IMETHODIMP
 nsDocShell::LoadErrorPage(nsIURI* aURI, const char16_t* aURL,
                          const char* aErrorPage,
@ -5209,6 +5211,10 @@ nsDocShell::LoadErrorPage(nsIURI* aURI, const char16_t* aURL,
  errorPageUrl.AppendASCII(escapedError.get());
  errorPageUrl.AppendLiteral("&u=");
  errorPageUrl.AppendASCII(escapedUrl.get());
+  if ((strcmp(aErrorPage, "blocked") == 0) &&
+      Preferences::GetBool(PREF_SAFEBROWSING_ALLOWOVERRIDE, true)) {
+    errorPageUrl.AppendLiteral("&o=1");
+  }
  if (!escapedCSSClass.IsEmpty()) {
    errorPageUrl.AppendLiteral("&s=");
    errorPageUrl.AppendASCII(escapedCSSClass.get());
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -4852,6 +4852,9 @@ pref("browser.safebrowsing.provider.mozilla.lists.mozstd.description", "mozstdDe
 pref("browser.safebrowsing.provider.mozilla.lists.mozfull.name", "mozfullName");
 pref("browser.safebrowsing.provider.mozilla.lists.mozfull.description", "mozfullDesc");

+// Allow users to ignore Safe Browsing warnings.
+pref("browser.safebrowsing.allowOverride", true);
+
 // Turn off Spatial navigation by default.
 pref("snav.enabled", false);