Bug 672618 - Don't execute javascript: URLs on CTRL+click, middle-click etc. r=dao (1a4799d1) · Commits · The Tor Project / Applications / Mullvad Browser

browser/actors/ClickHandlerChild.sys.mjs

+23 −8

Original line number	Diff line number	Diff line
		@@ -12,12 +12,26 @@ ChromeUtils.defineESModuleGetters(lazy, {
		E10SUtils: "resource://gre/modules/E10SUtils.sys.mjs",
		});

		XPCOMUtils.defineLazyPreferenceGetter(
		lazy,
		"autoscrollEnabled",
		"general.autoScroll",
		true
		);

		XPCOMUtils.defineLazyPreferenceGetter(
		lazy,
		"blockJavascript",
		"browser.link.alternative_click.block_javascript",
		true
		);

		export class MiddleMousePasteHandlerChild extends JSWindowActorChild {
		handleEvent(clickEvent) {
		if (
		clickEvent.defaultPrevented \|\|
		clickEvent.button != 1 \|\|
		MiddleMousePasteHandlerChild.autoscrollEnabled
		lazy.autoscrollEnabled
		) {
		return;
		}
		@@ -34,13 +48,6 @@ export class MiddleMousePasteHandlerChild extends JSWindowActorChild {
		}
		}

		XPCOMUtils.defineLazyPreferenceGetter(
		MiddleMousePasteHandlerChild,
		"autoscrollEnabled",
		"general.autoScroll",
		true
		);

		export class ClickHandlerChild extends JSWindowActorChild {
		handleEvent(wrapperEvent) {
		this.handleClickEvent(wrapperEvent.sourceEvent);
		@@ -112,6 +119,14 @@ export class ClickHandlerChild extends JSWindowActorChild {
		};

		if (href && !isFromMiddleMousePasteHandler) {
		if (
		lazy.blockJavascript &&
		Services.io.extractScheme(href) == "javascript"
		) {
		// We don't want to open new tabs or windows for javascript: links.
		return;
		}

		try {
		Services.scriptSecurityManager.checkLoadURIStrWithPrincipal(
		principal,

+3 −0

Original line number	Diff line number	Diff line
		@@ -907,6 +907,9 @@ pref("browser.link.open_newwindow.restriction", 2);
		pref("browser.link.open_newwindow.disabled_in_fullscreen", false);
		#endif

		// If true, opening javscript: URLs using middle-click, CTRL+click etc. are blocked.
		pref("browser.link.alternative_click.block_javascript", true);

		// Tabbed browser
		pref("browser.tabs.closeTabByDblclick", false);
		pref("browser.tabs.closeWindowWithLastTab", true);

+4 −0

Original line number	Diff line number	Diff line
		@@ -10,6 +10,10 @@ const kURL =
		* we use the correct principal, and we don't clear the URL bar.
		*/
		add_task(async function () {
		await SpecialPowers.pushPrefEnv({
		set: [["browser.link.alternative_click.block_javascript", false]],
		});

		await BrowserTestUtils.withNewTab(kURL, async function (browser) {
		let newTabPromise = BrowserTestUtils.waitForNewTab(gBrowser);
		await SpecialPowers.spawn(browser, [], async function () {

+5 −0

Original line number	Diff line number	Diff line
		@@ -2,3 +2,8 @@
		support-files = [
		"file_contentAreaClick_subframe_javascript.html"
		]

		["browser_javascript_links.js"]
		support-files = [
		"file_javascript_links_subframe.html"
		]

+4 −0

Original line number	Diff line number	Diff line
		@@ -5,6 +5,10 @@ const gExampleComRoot = getRootDirectory(gTestPath).replace(
		const IFRAME_FILE = "file_contentAreaClick_subframe_javascript.html";

		add_task(async function () {
		await SpecialPowers.pushPrefEnv({
		set: [["browser.link.alternative_click.block_javascript", false]],
		});

		await BrowserTestUtils.withNewTab(
		`data:text/html,<iframe src="${gExampleComRoot + IFRAME_FILE}"></iframe>`,
		async browser => {