summaryrefslogtreecommitdiffstats
path: root/browser/app
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2021-03-11 04:07:20 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2021-03-11 04:07:20 +0000
commita7c8db0d7d4a7493e340a0cd3a41da435ef45823 (patch)
treec3d79096d0a92925e4d9a7878128ad775c4086b5 /browser/app
parentInitial commit. (diff)
downloadfirefox-esr-a7c8db0d7d4a7493e340a0cd3a41da435ef45823.tar.xz
firefox-esr-a7c8db0d7d4a7493e340a0cd3a41da435ef45823.zip
Adding upstream version 78.7.0esr.upstream/78.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'browser/app')
-rw-r--r--browser/app/Makefile.in107
-rw-r--r--browser/app/firefox.exe.manifest53
-rw-r--r--browser/app/macbuild/Contents/Info.plist.in263
-rw-r--r--browser/app/macbuild/Contents/MacOS-files-copy.in11
-rw-r--r--browser/app/macbuild/Contents/MacOS-files.in20
-rw-r--r--browser/app/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in5
-rw-r--r--browser/app/macversion.py46
-rw-r--r--browser/app/module.ver8
-rw-r--r--browser/app/moz.build145
-rw-r--r--browser/app/no-pie/NoPie.c26
-rw-r--r--browser/app/no-pie/moz.build28
-rw-r--r--browser/app/nsBrowserApp.cpp351
-rw-r--r--browser/app/permissions26
-rw-r--r--browser/app/profile/channel-prefs.js9
-rw-r--r--browser/app/profile/firefox.js2400
-rw-r--r--browser/app/splash.rc21
-rw-r--r--browser/app/winlauncher/DllBlocklistInit.cpp204
-rw-r--r--browser/app/winlauncher/DllBlocklistInit.h25
-rw-r--r--browser/app/winlauncher/ErrorHandler.cpp758
-rw-r--r--browser/app/winlauncher/ErrorHandler.h51
-rw-r--r--browser/app/winlauncher/LaunchUnelevated.cpp175
-rw-r--r--browser/app/winlauncher/LaunchUnelevated.h30
-rw-r--r--browser/app/winlauncher/LauncherProcessWin.cpp410
-rw-r--r--browser/app/winlauncher/LauncherProcessWin.h39
-rw-r--r--browser/app/winlauncher/NtLoaderAPI.cpp49
-rw-r--r--browser/app/winlauncher/ProcThreadAttributes.h159
-rw-r--r--browser/app/winlauncher/SameBinary.h142
-rw-r--r--browser/app/winlauncher/freestanding/DllBlocklist.cpp389
-rw-r--r--browser/app/winlauncher/freestanding/DllBlocklist.h38
-rw-r--r--browser/app/winlauncher/freestanding/Freestanding.h66
-rw-r--r--browser/app/winlauncher/freestanding/FunctionTableResolver.cpp113
-rw-r--r--browser/app/winlauncher/freestanding/FunctionTableResolver.h60
-rw-r--r--browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp280
-rw-r--r--browser/app/winlauncher/freestanding/LoaderPrivateAPI.h62
-rw-r--r--browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp129
-rw-r--r--browser/app/winlauncher/freestanding/ModuleLoadFrame.h90
-rw-r--r--browser/app/winlauncher/freestanding/SafeThreadLocal.h96
-rw-r--r--browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py30
-rw-r--r--browser/app/winlauncher/freestanding/moz.build56
-rw-r--r--browser/app/winlauncher/freestanding/ntdll_freestanding.def25
-rw-r--r--browser/app/winlauncher/moz.build51
-rw-r--r--browser/app/winlauncher/test/TestSafeThreadLocal.cpp72
-rw-r--r--browser/app/winlauncher/test/TestSameBinary.cpp253
-rw-r--r--browser/app/winlauncher/test/moz.build29
44 files changed, 7400 insertions, 0 deletions
diff --git a/browser/app/Makefile.in b/browser/app/Makefile.in
new file mode 100644
index 0000000000..1aec6541fc
--- /dev/null
+++ b/browser/app/Makefile.in
@@ -0,0 +1,107 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+dist_dest = $(DIST)/$(MOZ_MACBUNDLE_NAME)
+
+# hardcode en-US for the moment
+AB_CD = en-US
+
+# Build a binary bootstrapping with XRE_main
+
+ifndef MOZ_WINCONSOLE
+ifneq (,$(MOZ_DEBUG)$(MOZ_ASAN))
+MOZ_WINCONSOLE = 1
+else
+MOZ_WINCONSOLE = 0
+endif
+endif
+
+include $(topsrcdir)/config/config.mk
+
+# If we are trying to show an error dialog about the lack of SSE2 support,
+# make sure that code itself doesn't use SSE2.
+ifdef MOZ_LINUX_32_SSE2_STARTUP_ERROR
+CXX := $(filter-out -march=% -msse -msse2 -mfpmath=sse,$(CXX))
+CXX += -march=pentiumpro
+endif
+
+ifeq ($(OS_ARCH),WINNT)
+# Rebuild firefox.exe if the manifest changes - it's included by splash.rc.
+# (this dependency should really be just for firefox.exe, not other targets)
+# Note the manifest file exists in the tree, so we use the explicit filename
+# here.
+EXTRA_DEPS += $(srcdir)/firefox.exe.manifest
+endif
+
+PROGRAMS_DEST = $(DIST)/bin
+
+include $(topsrcdir)/config/rules.mk
+
+ifneq (,$(filter-out WINNT,$(OS_ARCH)))
+
+ifdef COMPILE_ENVIRONMENT
+ifndef MOZ_NO_PIE_COMPAT
+libs::
+ cp -p $(DIST)/bin/$(MOZ_APP_NAME)$(BIN_SUFFIX) $(DIST)/bin/$(MOZ_APP_NAME)-bin$(BIN_SUFFIX)
+endif
+endif
+
+GARBAGE += $(addprefix $(FINAL_TARGET)/defaults/pref/, firefox.js)
+
+endif
+
+# channel-prefs.js is handled separate from other prefs due to bug 756325
+# DO NOT change the content of channel-prefs.js without taking the appropriate
+# steps. See bug 1431342.
+libs:: $(srcdir)/profile/channel-prefs.js
+ $(NSINSTALL) -D $(DIST)/bin/defaults/pref
+ $(call py_action,preprocessor,-Fsubstitution $(PREF_PPFLAGS) $(ACDEFINES) $^ -o $(DIST)/bin/defaults/pref/channel-prefs.js)
+
+ifeq (cocoa,$(MOZ_WIDGET_TOOLKIT))
+
+MAC_APP_NAME = $(MOZ_APP_DISPLAYNAME)
+
+ifdef MOZ_DEBUG
+MAC_APP_NAME := $(MAC_APP_NAME)Debug
+endif
+
+AB_CD = $(MOZ_UI_LOCALE)
+
+ifeq (zh-TW,$(AB_CD))
+LPROJ_ROOT := $(subst -,_,$(AB_CD))
+else
+LPROJ_ROOT := $(firstword $(subst -, ,$(AB_CD)))
+endif
+LPROJ := Contents/Resources/$(LPROJ_ROOT).lproj
+
+clean clobber repackage::
+ $(RM) -r $(dist_dest)
+
+MAC_BUNDLE_VERSION = $(shell $(PYTHON3) $(srcdir)/macversion.py --version=$(MOZ_APP_VERSION) --buildid=$(DEPTH)/buildid.h)
+
+.PHONY: repackage
+tools repackage:: $(DIST)/bin/$(MOZ_APP_NAME)
+ rm -rf $(dist_dest)
+ $(MKDIR) -p '$(dist_dest)/Contents/MacOS'
+ $(MKDIR) -p '$(dist_dest)/$(LPROJ)'
+ rsync -a --exclude '*.in' $(srcdir)/macbuild/Contents '$(dist_dest)' --exclude English.lproj
+ rsync -a --exclude '*.in' $(srcdir)/macbuild/Contents/Resources/English.lproj/ '$(dist_dest)/$(LPROJ)'
+ sed -e 's/%APP_VERSION%/$(MOZ_APP_VERSION)/' -e 's/%MAC_APP_NAME%/$(MAC_APP_NAME)/' -e 's/%MOZ_MACBUNDLE_ID%/$(MOZ_MACBUNDLE_ID)/' -e 's/%MAC_BUNDLE_VERSION%/$(MAC_BUNDLE_VERSION)/' -e 's|%MOZ_DEVELOPER_REPO_PATH%|$(topsrcdir)|' -e 's|%MOZ_DEVELOPER_OBJ_PATH%|$(topobjdir)|' $(srcdir)/macbuild/Contents/Info.plist.in > '$(dist_dest)/Contents/Info.plist'
+ sed -e 's/%MAC_APP_NAME%/$(MAC_APP_NAME)/' $(srcdir)/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in | iconv -f UTF-8 -t UTF-16 > '$(dist_dest)/$(LPROJ)/InfoPlist.strings'
+ rsync -a --exclude-from='$(srcdir)/macbuild/Contents/MacOS-files.in' $(DIST)/bin/ '$(dist_dest)/Contents/Resources'
+ rsync -a --include-from='$(srcdir)/macbuild/Contents/MacOS-files.in' --exclude '*' $(DIST)/bin/ '$(dist_dest)/Contents/MacOS'
+ # MacOS-files-copy.in is a list of files that should be copies rather
+ # than symlinks and placed in .app/Contents/MacOS.
+ rsync -aL --include-from='$(srcdir)/macbuild/Contents/MacOS-files-copy.in' --exclude '*' $(DIST)/bin/ '$(dist_dest)/Contents/MacOS'
+ $(RM) '$(dist_dest)/Contents/MacOS/$(MOZ_APP_NAME)'
+ rsync -aL $(DIST)/bin/$(MOZ_APP_NAME) '$(dist_dest)/Contents/MacOS'
+ cp -RL $(topsrcdir)/$(MOZ_BRANDING_DIRECTORY)/firefox.icns '$(dist_dest)/Contents/Resources/firefox.icns'
+ cp -RL $(topsrcdir)/$(MOZ_BRANDING_DIRECTORY)/document.icns '$(dist_dest)/Contents/Resources/document.icns'
+ $(MKDIR) -p '$(dist_dest)/Contents/Library/LaunchServices'
+ifdef MOZ_UPDATER
+ mv -f '$(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater' '$(dist_dest)/Contents/Library/LaunchServices'
+ ln -s ../../../../Library/LaunchServices/org.mozilla.updater '$(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater'
+endif
+ printf APPLMOZB > '$(dist_dest)/Contents/PkgInfo'
+endif
diff --git a/browser/app/firefox.exe.manifest b/browser/app/firefox.exe.manifest
new file mode 100644
index 0000000000..1e1d6f651d
--- /dev/null
+++ b/browser/app/firefox.exe.manifest
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+<assemblyIdentity
+ version="1.0.0.0"
+ processorArchitecture="*"
+ name="Firefox"
+ type="win32"
+/>
+<description>Firefox</description>
+<dependency>
+ <dependentAssembly>
+ <assemblyIdentity
+ type="win32"
+ name="Microsoft.Windows.Common-Controls"
+ version="6.0.0.0"
+ processorArchitecture="*"
+ publicKeyToken="6595b64144ccf1df"
+ language="*"
+ />
+ </dependentAssembly>
+</dependency>
+<dependency>
+ <dependentAssembly>
+ <assemblyIdentity
+ type="win32"
+ name="mozglue"
+ version="1.0.0.0"
+ language="*"
+ />
+ </dependentAssembly>
+</dependency>
+<ms_asmv3:trustInfo xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3">
+ <ms_asmv3:security>
+ <ms_asmv3:requestedPrivileges>
+ <ms_asmv3:requestedExecutionLevel level="asInvoker" uiAccess="false" />
+ </ms_asmv3:requestedPrivileges>
+ </ms_asmv3:security>
+</ms_asmv3:trustInfo>
+ <ms_asmv3:application xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3">
+ <ms_asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
+ <dpiAware>True/PM</dpiAware>
+ <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2,PerMonitor</dpiAwareness>
+ </ms_asmv3:windowsSettings>
+ </ms_asmv3:application>
+ <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
+ <application>
+ <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
+ <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
+ <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
+ <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
+ </application>
+ </compatibility>
+</assembly>
diff --git a/browser/app/macbuild/Contents/Info.plist.in b/browser/app/macbuild/Contents/Info.plist.in
new file mode 100644
index 0000000000..f6791ea481
--- /dev/null
+++ b/browser/app/macbuild/Contents/Info.plist.in
@@ -0,0 +1,263 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleDocumentTypes</key>
+ <array>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>html</string>
+ <string>htm</string>
+ <string>shtml</string>
+ <string>xht</string>
+ <string>xhtml</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeName</key>
+ <string>HTML Document</string>
+ <key>CFBundleTypeOSTypes</key>
+ <array>
+ <string>HTML</string>
+ </array>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>json</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeMIMETypes</key>
+ <array>
+ <string>application/json</string>
+ </array>
+ <key>CFBundleTypeName</key>
+ <string>JSON File</string>
+ <key>CFBundleTypeOSTypes</key>
+ <array>
+ <string>TEXT</string>
+ </array>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>svg</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeMIMETypes</key>
+ <array>
+ <string>image/svg+xml</string>
+ </array>
+ <key>CFBundleTypeName</key>
+ <string>SVG document</string>
+ <key>CFBundleTypeOSTypes</key>
+ <array>
+ <string>TEXT</string>
+ </array>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ <key>NSDocumentClass</key>
+ <string>BrowserDocument</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>text</string>
+ <string>txt</string>
+ <string>js</string>
+ <string>log</string>
+ <string>css</string>
+ <string>xul</string>
+ <string>rdf</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeName</key>
+ <string>Text Document</string>
+ <key>CFBundleTypeOSTypes</key>
+ <array>
+ <string>TEXT</string>
+ <string>utxt</string>
+ </array>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>jpeg</string>
+ <string>jpg</string>
+ <string>png</string>
+ <string>gif</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>fileBookmark.icns</string>
+ <key>CFBundleTypeName</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeOSTypes</key>
+ <array>
+ <string>GIFf</string>
+ <string>JPEG</string>
+ <string>PNGf</string>
+ </array>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>oga</string>
+ <string>ogg</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeMIMETypes</key>
+ <array>
+ <string>audio/ogg</string>
+ </array>
+ <key>CFBundleTypeName</key>
+ <string>HTML5 Audio (Ogg)</string>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>ogv</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeMIMETypes</key>
+ <array>
+ <string>video/ogg</string>
+ </array>
+ <key>CFBundleTypeName</key>
+ <string>HTML5 Video (Ogg)</string>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ <dict>
+ <key>CFBundleTypeExtensions</key>
+ <array>
+ <string>webm</string>
+ </array>
+ <key>CFBundleTypeIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleTypeMIMETypes</key>
+ <array>
+ <string>video/webm</string>
+ </array>
+ <key>CFBundleTypeName</key>
+ <string>HTML5 Video (WebM)</string>
+ <key>CFBundleTypeRole</key>
+ <string>Viewer</string>
+ </dict>
+ </array>
+ <key>CFBundleExecutable</key>
+ <string>firefox</string>
+ <key>CFBundleGetInfoString</key>
+ <string>%MAC_APP_NAME% %APP_VERSION%</string>
+ <key>CFBundleIconFile</key>
+ <string>firefox.icns</string>
+ <key>CFBundleIdentifier</key>
+ <string>%MOZ_MACBUNDLE_ID%</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>%MAC_APP_NAME%</string>
+ <key>CFBundlePackageType</key>
+ <string>APPL</string>
+ <key>CFBundleShortVersionString</key>
+ <string>%APP_VERSION%</string>
+ <key>CFBundleSignature</key>
+ <string>MOZB</string>
+ <key>CFBundleURLTypes</key>
+ <array>
+ <dict>
+ <key>CFBundleURLIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleURLName</key>
+ <string>http URL</string>
+ <key>CFBundleURLSchemes</key>
+ <array>
+ <string>http</string>
+ </array>
+ </dict>
+ <dict>
+ <key>CFBundleURLIconFile</key>
+ <string>document.icns</string>
+ <key>CFBundleURLName</key>
+ <string>https URL</string>
+ <key>CFBundleURLSchemes</key>
+ <array>
+ <string>https</string>
+ </array>
+ </dict>
+ <dict>
+ <key>CFBundleURLName</key>
+ <string>ftp URL</string>
+ <key>CFBundleURLSchemes</key>
+ <array>
+ <string>ftp</string>
+ </array>
+ </dict>
+ <dict>
+ <key>CFBundleURLName</key>
+ <string>file URL</string>
+ <key>CFBundleURLSchemes</key>
+ <array>
+ <string>file</string>
+ </array>
+ </dict>
+ </array>
+ <key>CFBundleVersion</key>
+ <string>%MAC_BUNDLE_VERSION%</string>
+ <key>NSUserActivityTypes</key>
+ <array>
+ <string>NSUserActivityTypeBrowsingWeb</string>
+ </array>
+ <key>NSAppleScriptEnabled</key>
+ <true/>
+ <key>LSApplicationCategoryType</key>
+ <string>public.app-category.productivity</string>
+ <key>LSEnvironment</key>
+ <dict>
+ <key>MallocNanoZone</key>
+ <string>0</string>
+ </dict>
+ <key>LSFileQuarantineEnabled</key>
+ <true/>
+ <key>LSMinimumSystemVersion</key>
+ <string>10.9.0</string>
+ <key>NSSupportsAutomaticGraphicsSwitching</key>
+ <true/>
+ <key>NSRequiresAquaSystemAppearance</key>
+ <true/>
+ <key>NSPrincipalClass</key>
+ <string>GeckoNSApplication</string>
+ <key>SMPrivilegedExecutables</key>
+ <dict>
+ <key>org.mozilla.updater</key>
+ <string>identifier "org.mozilla.updater" and ((anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"))</string>
+ </dict>
+ <key>MozillaDeveloperRepoPath</key>
+ <string>%MOZ_DEVELOPER_REPO_PATH%</string>
+ <key>MozillaDeveloperObjPath</key>
+ <string>%MOZ_DEVELOPER_OBJ_PATH%</string>
+
+ <key>NSCameraUsageDescription</key>
+ <string>Only sites you allow within %MAC_APP_NAME% will be able to use the camera.</string>
+
+ <key>NSMicrophoneUsageDescription</key>
+ <string>Only sites you allow within %MAC_APP_NAME% will be able to use the microphone.</string>
+</dict>
+</plist>
diff --git a/browser/app/macbuild/Contents/MacOS-files-copy.in b/browser/app/macbuild/Contents/MacOS-files-copy.in
new file mode 100644
index 0000000000..e9d0f0efb9
--- /dev/null
+++ b/browser/app/macbuild/Contents/MacOS-files-copy.in
@@ -0,0 +1,11 @@
+# Specifies files that should be copied (via deep copy, resolving symlinks)
+# from dist/bin to the .app/Contents/MacOS directory. Linking is preferred to
+# reduce disk I/O during builds, so just include dylibs which need to be in the
+# same directory as returned by dladddr(3).
+#
+# Some of these dylibs load other dylibs which are assumed to be siblings in
+# the same directory obtained from dladdr(3). With macOS 10.15, dladdr returns
+# absolute resolved paths which breaks this assumption if symlinks are used
+# because the symlink targets are in different directories. Hence the need for
+# them to be copied to the same directory.
+/*.dylib
diff --git a/browser/app/macbuild/Contents/MacOS-files.in b/browser/app/macbuild/Contents/MacOS-files.in
new file mode 100644
index 0000000000..a0cac14ef7
--- /dev/null
+++ b/browser/app/macbuild/Contents/MacOS-files.in
@@ -0,0 +1,20 @@
+# Specifies files that should be copied (preserving symlinks) from dist/bin
+# to the .app/Contents/MacOS directory.
+/*.app/***
+/certutil
+/firefox-bin
+#if defined(MOZ_GECKODRIVER)
+/geckodriver
+#endif
+/gtest/***
+#if defined(MOZ_ASAN) || defined(MOZ_TSAN)
+/llvm-symbolizer
+#endif
+#if defined(MOZ_CRASHREPORTER)
+/minidump-analyzer
+#endif
+/pingsender
+/pk12util
+/ssltunnel
+/xpcshell
+/XUL
diff --git a/browser/app/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in b/browser/app/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in
new file mode 100644
index 0000000000..74d192cb08
--- /dev/null
+++ b/browser/app/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in
@@ -0,0 +1,5 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+CFBundleName = "%MAC_APP_NAME%";
diff --git a/browser/app/macversion.py b/browser/app/macversion.py
new file mode 100644
index 0000000000..f57b5dc85f
--- /dev/null
+++ b/browser/app/macversion.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+from __future__ import absolute_import, print_function, unicode_literals
+import io
+from optparse import OptionParser
+import sys
+import re
+
+o = OptionParser()
+o.add_option('--buildid', dest='buildid')
+o.add_option('--version', dest='version')
+
+(options, args) = o.parse_args()
+
+if not options.buildid:
+ print('--buildid is required', file=sys.stderr)
+ sys.exit(1)
+
+if not options.version:
+ print('--version is required', file=sys.stderr)
+ sys.exit(1)
+
+# We want to build a version number that matches the format allowed for
+# CFBundleVersion (nnnnn[.nn[.nn]]). We'll incorporate both the version
+# number as well as the date, so that it changes at least daily (for nightly
+# builds), but also so that newly-built older versions (e.g. beta build) aren't
+# considered "newer" than previously-built newer versions (e.g. a trunk nightly)
+
+define, MOZ_BUILDID, buildid = io.open(
+ options.buildid, 'r', encoding='utf-8').read().split()
+
+# extract only the major version (i.e. "14" from "14.0b1")
+majorVersion = re.match(r'^(\d+)[^\d].*', options.version).group(1)
+# last two digits of the year
+twodigityear = buildid[2:4]
+month = buildid[4:6]
+if month[0] == '0':
+ month = month[1]
+day = buildid[6:8]
+if day[0] == '0':
+ day = day[1]
+
+print('%s.%s.%s' % (majorVersion + twodigityear, month, day))
diff --git a/browser/app/module.ver b/browser/app/module.ver
new file mode 100644
index 0000000000..5ef8d2a02a
--- /dev/null
+++ b/browser/app/module.ver
@@ -0,0 +1,8 @@
+WIN32_MODULE_COMPANYNAME=Mozilla Corporation
+WIN32_MODULE_COPYRIGHT=Firefox and Mozilla Developers; available under the MPL 2 license.
+WIN32_MODULE_PRODUCTVERSION=@MOZ_APP_WINVERSION@
+WIN32_MODULE_PRODUCTVERSION_STRING=@MOZ_APP_VERSION@
+WIN32_MODULE_TRADEMARKS=Firefox is a Trademark of The Mozilla Foundation.
+WIN32_MODULE_DESCRIPTION=@MOZ_APP_DISPLAYNAME@
+WIN32_MODULE_PRODUCTNAME=@MOZ_APP_DISPLAYNAME@
+WIN32_MODULE_NAME=@MOZ_APP_DISPLAYNAME@
diff --git a/browser/app/moz.build b/browser/app/moz.build
new file mode 100644
index 0000000000..62b2cc55a1
--- /dev/null
+++ b/browser/app/moz.build
@@ -0,0 +1,145 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+ BUG_COMPONENT = ("Firefox", "General")
+
+with Files("firefox.exe.manifest"):
+ BUG_COMPONENT = ("Core", "Widget: Win32")
+with Files("module.ver"):
+ BUG_COMPONENT = ("Core", "Widget: Win32")
+with Files("splash.rc"):
+ BUG_COMPONENT = ("Core", "Widget: Win32")
+
+with Files("macversion.py"):
+ BUG_COMPONENT = ("Core", "Widget: Cocoa")
+with Files("macbuild/**"):
+ BUG_COMPONENT = ("Core", "Widget: Cocoa")
+
+with Files("moz.build"):
+ BUG_COMPONENT = ("Firefox Build System", "General")
+with Files("Makefile.in"):
+ BUG_COMPONENT = ("Firefox Build System", "General")
+
+with Files("profile/channel-prefs.js"):
+ BUG_COMPONENT = ("Firefox", "Installer")
+with Files("profile/firefox.js"):
+ BUG_COMPONENT = ("Firefox", "General")
+
+if CONFIG['MOZ_NO_PIE_COMPAT']:
+ GeckoProgram(CONFIG['MOZ_APP_NAME'] + '-bin')
+
+ DIRS += ['no-pie']
+else:
+ GeckoProgram(CONFIG['MOZ_APP_NAME'])
+
+SOURCES += [
+ 'nsBrowserApp.cpp',
+]
+
+# Neither channel-prefs.js nor firefox.exe want to end up in dist/bin/browser.
+DIST_SUBDIR = ""
+
+LOCAL_INCLUDES += [
+ '!/build',
+ '/toolkit/xre',
+ '/xpcom/base',
+ '/xpcom/build',
+]
+
+if CONFIG['LIBFUZZER']:
+ USE_LIBS += [ 'fuzzer' ]
+ LOCAL_INCLUDES += [
+ '/tools/fuzzing/libfuzzer',
+ ]
+
+if CONFIG['ENABLE_GECKODRIVER']:
+ DEFINES['MOZ_GECKODRIVER'] = True
+
+if CONFIG['CC_TYPE'] == 'clang-cl':
+ # Always enter a Windows program through wmain, whether or not we're
+ # a console application.
+ WIN32_EXE_LDFLAGS += ['-ENTRY:wmainCRTStartup']
+
+if CONFIG['OS_ARCH'] == 'WINNT':
+ RCINCLUDE = 'splash.rc'
+ DIRS += [
+ 'winlauncher',
+ ]
+ USE_LIBS += [
+ 'winlauncher',
+ ]
+ LOCAL_INCLUDES += [
+ '/browser/app/winlauncher',
+ ]
+ DELAYLOAD_DLLS += [
+ 'oleaut32.dll',
+ 'ole32.dll',
+ 'rpcrt4.dll',
+ 'version.dll',
+ ]
+
+ if CONFIG['CC_TYPE'] == 'clang-cl':
+ libpath_flag = '-LIBPATH:'
+ else:
+ libpath_flag = '-L'
+
+ WIN32_EXE_LDFLAGS += [
+ libpath_flag + OBJDIR + '/winlauncher/freestanding',
+ ]
+
+if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'Darwin':
+ USE_LIBS += [
+ 'mozsandbox',
+ ]
+
+if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
+ # For sandbox includes and the include dependencies those have
+ LOCAL_INCLUDES += [
+ '/security/sandbox/chromium',
+ '/security/sandbox/chromium-shim',
+ ]
+
+ USE_LIBS += [
+ 'sandbox_s',
+ ]
+
+ DELAYLOAD_DLLS += [
+ 'winmm.dll',
+ 'user32.dll',
+ ]
+
+# Control the default heap size.
+# This is the heap returned by GetProcessHeap().
+# As we use the CRT heap, the default size is too large and wastes VM.
+#
+# The default heap size is 1MB on Win32.
+# The heap will grow if need be.
+#
+# Set it to 256k. See bug 127069.
+if CONFIG['OS_ARCH'] == 'WINNT' and CONFIG['CC_TYPE'] not in ('clang', 'gcc'):
+ LDFLAGS += ['/HEAP:0x40000']
+
+DisableStlWrapping()
+
+if CONFIG['MOZ_LINKER']:
+ OS_LIBS += CONFIG['MOZ_ZLIB_LIBS']
+
+if CONFIG['HAVE_CLOCK_MONOTONIC']:
+ OS_LIBS += CONFIG['REALTIME_LIBS']
+
+if CONFIG['MOZ_LINUX_32_SSE2_STARTUP_ERROR']:
+ DEFINES['MOZ_LINUX_32_SSE2_STARTUP_ERROR'] = True
+ COMPILE_FLAGS['OS_CXXFLAGS'] = [
+ f for f in COMPILE_FLAGS.get('OS_CXXFLAGS', [])
+ if not f.startswith('-march=') and f not in ('-msse', '-msse2', '-mfpmath=sse')
+ ] + [
+ '-mno-sse', '-mno-sse2', '-mfpmath=387',
+ ]
+
+for icon in ('firefox', 'document', 'newwindow', 'newtab', 'pbmode'):
+ DEFINES[icon.upper() + '_ICO'] = '"%s/%s/%s.ico"' % (
+ TOPSRCDIR, CONFIG['MOZ_BRANDING_DIRECTORY'], icon)
diff --git a/browser/app/no-pie/NoPie.c b/browser/app/no-pie/NoPie.c
new file mode 100644
index 0000000000..39b206e0af
--- /dev/null
+++ b/browser/app/no-pie/NoPie.c
@@ -0,0 +1,26 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+int main(int argc, char* argv[]) {
+ // Ideally, we'd use mozilla::BinaryPath, but that pulls in stdc++compat,
+ // and further causes trouble linking with LTO.
+ char path[PATH_MAX + 4];
+ ssize_t len = readlink("/proc/self/exe", path, PATH_MAX - 1);
+ if (len < 0) {
+ fprintf(stderr, "Couldn't find the application directory.\n");
+ return 255;
+ }
+ strcpy(path + len, "-bin");
+ execv(path, argv);
+ // execv never returns. If it did, there was an error.
+ fprintf(stderr, "Exec failed with error: %s\n", strerror(errno));
+ return 255;
+}
diff --git a/browser/app/no-pie/moz.build b/browser/app/no-pie/moz.build
new file mode 100644
index 0000000000..4c9c884327
--- /dev/null
+++ b/browser/app/no-pie/moz.build
@@ -0,0 +1,28 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Program(CONFIG['MOZ_APP_NAME'])
+
+SOURCES += [
+ 'NoPie.c',
+]
+
+# For some reason, LTO messes things up. We don't care anyways.
+CFLAGS += [
+ '-fno-lto',
+]
+
+# Use OS_LIBS instead of LDFLAGS to "force" the flag to come after -pie
+# from MOZ_PROGRAM_LDFLAGS.
+if CONFIG['CC_TYPE'] == 'clang':
+ # clang < 5.0 doesn't support -no-pie.
+ OS_LIBS += [
+ '-nopie'
+ ]
+else:
+ OS_LIBS += [
+ '-no-pie'
+ ]
diff --git a/browser/app/nsBrowserApp.cpp b/browser/app/nsBrowserApp.cpp
new file mode 100644
index 0000000000..6bab1adef6
--- /dev/null
+++ b/browser/app/nsBrowserApp.cpp
@@ -0,0 +1,351 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsXULAppAPI.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/XREAppData.h"
+#include "application.ini.h"
+#include "mozilla/Bootstrap.h"
+#if defined(XP_WIN)
+# include <windows.h>
+# include <stdlib.h>
+#elif defined(XP_UNIX)
+# include <sys/resource.h>
+# include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <time.h>
+
+#include "nsCOMPtr.h"
+
+#ifdef XP_WIN
+# include "LauncherProcessWin.h"
+# include "mozilla/WindowsDllBlocklist.h"
+
+# define XRE_WANT_ENVIRON
+# define strcasecmp _stricmp
+# ifdef MOZ_SANDBOX
+# include "mozilla/sandboxing/SandboxInitialization.h"
+# endif
+#endif
+#include "BinaryPath.h"
+
+#include "nsXPCOMPrivate.h" // for MAXPATHLEN and XPCOM_DLL
+
+#include "mozilla/Sprintf.h"
+#include "mozilla/StartupTimeline.h"
+#include "BaseProfiler.h"
+
+#ifdef LIBFUZZER
+# include "FuzzerDefs.h"
+#endif
+
+#ifdef MOZ_LINUX_32_SSE2_STARTUP_ERROR
+# include <cpuid.h>
+# include "mozilla/Unused.h"
+
+static bool IsSSE2Available() {
+ // The rest of the app has been compiled to assume that SSE2 is present
+ // unconditionally, so we can't use the normal copy of SSE.cpp here.
+ // Since SSE.cpp caches the results and we need them only transiently,
+ // instead of #including SSE.cpp here, let's just inline the specific check
+ // that's needed.
+ unsigned int level = 1u;
+ unsigned int eax, ebx, ecx, edx;
+ unsigned int bits = (1u << 26);
+ unsigned int max = __get_cpuid_max(0, nullptr);
+ if (level > max) {
+ return false;
+ }
+ __cpuid_count(level, 0, eax, ebx, ecx, edx);
+ return (edx & bits) == bits;
+}
+
+static const char sSSE2Message[] =
+ "This browser version requires a processor with the SSE2 instruction "
+ "set extension.\nYou may be able to obtain a version that does not "
+ "require SSE2 from your Linux distribution.\n";
+
+__attribute__((constructor)) static void SSE2Check() {
+ if (IsSSE2Available()) {
+ return;
+ }
+ // Using write() in order to avoid jemalloc-based buffering. Ignoring return
+ // values, since there isn't much we could do on failure and there is no
+ // point in trying to recover from errors.
+ MOZ_UNUSED(
+ write(STDERR_FILENO, sSSE2Message, MOZ_ARRAY_LENGTH(sSSE2Message) - 1));
+ // _exit() instead of exit() to avoid running the usual "at exit" code.
+ _exit(255);
+}
+#endif
+
+#if !defined(MOZ_WIDGET_COCOA) && !defined(MOZ_WIDGET_ANDROID)
+# define MOZ_BROWSER_CAN_BE_CONTENTPROC
+# include "../../ipc/contentproc/plugin-container.cpp"
+#endif
+
+using namespace mozilla;
+
+#ifdef XP_MACOSX
+# define kOSXResourcesFolder "Resources"
+#endif
+#define kDesktopFolder "browser"
+
+static MOZ_FORMAT_PRINTF(1, 2) void Output(const char* fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+
+#ifndef XP_WIN
+ vfprintf(stderr, fmt, ap);
+#else
+ char msg[2048];
+ vsnprintf_s(msg, _countof(msg), _TRUNCATE, fmt, ap);
+
+ wchar_t wide_msg[2048];
+ MultiByteToWideChar(CP_UTF8, 0, msg, -1, wide_msg, _countof(wide_msg));
+# if MOZ_WINCONSOLE
+ fwprintf_s(stderr, wide_msg);
+# else
+ // Linking user32 at load-time interferes with the DLL blocklist (bug 932100).
+ // This is a rare codepath, so we can load user32 at run-time instead.
+ HMODULE user32 = LoadLibraryW(L"user32.dll");
+ if (user32) {
+ decltype(MessageBoxW)* messageBoxW =
+ (decltype(MessageBoxW)*)GetProcAddress(user32, "MessageBoxW");
+ if (messageBoxW) {
+ messageBoxW(nullptr, wide_msg, L"Firefox",
+ MB_OK | MB_ICONERROR | MB_SETFOREGROUND);
+ }
+ FreeLibrary(user32);
+ }
+# endif
+#endif
+
+ va_end(ap);
+}
+
+/**
+ * Return true if |arg| matches the given argument name.
+ */
+static bool IsArg(const char* arg, const char* s) {
+ if (*arg == '-') {
+ if (*++arg == '-') ++arg;
+ return !strcasecmp(arg, s);
+ }
+
+#if defined(XP_WIN)
+ if (*arg == '/') return !strcasecmp(++arg, s);
+#endif
+
+ return false;
+}
+
+Bootstrap::UniquePtr gBootstrap;
+
+static int do_main(int argc, char* argv[], char* envp[]) {
+ // Allow firefox.exe to launch XULRunner apps via -app <application.ini>
+ // Note that -app must be the *first* argument.
+ const char* appDataFile = getenv("XUL_APP_FILE");
+ if ((!appDataFile || !*appDataFile) && (argc > 1 && IsArg(argv[1], "app"))) {
+ if (argc == 2) {
+ Output("Incorrect number of arguments passed to -app");
+ return 255;
+ }
+ appDataFile = argv[2];
+
+ char appEnv[MAXPATHLEN];
+ SprintfLiteral(appEnv, "XUL_APP_FILE=%s", argv[2]);
+ if (putenv(strdup(appEnv))) {
+ Output("Couldn't set %s.\n", appEnv);
+ return 255;
+ }
+ argv[2] = argv[0];
+ argv += 2;
+ argc -= 2;
+ } else if (argc > 1 && IsArg(argv[1], "xpcshell")) {
+ for (int i = 1; i < argc; i++) {
+ argv[i] = argv[i + 1];
+ }
+
+ XREShellData shellData;
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+ shellData.sandboxBrokerServices =
+ sandboxing::GetInitializedBrokerServices();
+#endif
+
+ return gBootstrap->XRE_XPCShellMain(--argc, argv, envp, &shellData);
+ }
+
+ BootstrapConfig config;
+
+ if (appDataFile && *appDataFile) {
+ config.appData = nullptr;
+ config.appDataPath = appDataFile;
+ } else {
+ // no -app flag so we use the compiled-in app data
+ config.appData = &sAppData;
+ config.appDataPath = kDesktopFolder;
+ }
+
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+ sandbox::BrokerServices* brokerServices =
+ sandboxing::GetInitializedBrokerServices();
+ sandboxing::PermissionsService* permissionsService =
+ sandboxing::GetPermissionsService();
+ if (!brokerServices) {
+ Output("Couldn't initialize the broker services.\n");
+ return 255;
+ }
+ config.sandboxBrokerServices = brokerServices;
+ config.sandboxPermissionsService = permissionsService;
+#endif
+
+#ifdef LIBFUZZER
+ if (getenv("FUZZER"))
+ gBootstrap->XRE_LibFuzzerSetDriver(fuzzer::FuzzerDriver);
+#endif
+
+ // Note: keep in sync with LauncherProcessWin.
+ const char* acceptableParams[] = {"url", nullptr};
+ EnsureCommandlineSafe(argc, argv, acceptableParams);
+
+ return gBootstrap->XRE_main(argc, argv, config);
+}
+
+static nsresult InitXPCOMGlue(LibLoadingStrategy aLibLoadingStrategy) {
+ if (gBootstrap) {
+ return NS_OK;
+ }
+
+ UniqueFreePtr<char> exePath = BinaryPath::Get();
+ if (!exePath) {
+ Output("Couldn't find the application directory.\n");
+ return NS_ERROR_FAILURE;
+ }
+
+ gBootstrap = mozilla::GetBootstrap(exePath.get(), aLibLoadingStrategy);
+ if (!gBootstrap) {
+ Output("Couldn't load XPCOM.\n");
+ return NS_ERROR_FAILURE;
+ }
+
+ // This will set this thread as the main thread.
+ gBootstrap->NS_LogInit();
+
+ return NS_OK;
+}
+
+#ifdef HAS_DLL_BLOCKLIST
+// NB: This must be extern, as this value is checked elsewhere
+uint32_t gBlocklistInitFlags = eDllBlocklistInitFlagDefault;
+#endif
+
+int main(int argc, char* argv[], char* envp[]) {
+#if defined(MOZ_ENABLE_FORKSERVER)
+ if (strcmp(argv[argc - 1], "forkserver") == 0) {
+ nsresult rv = InitXPCOMGlue(LibLoadingStrategy::NoReadAhead);
+ if (NS_FAILED(rv)) {
+ return 255;
+ }
+
+ // Run a fork server in this process, single thread. When it
+ // returns, it means the fork server have been stopped or a new
+ // content process is created.
+ //
+ // For the later case, XRE_ForkServer() will return false, running
+ // in a content process just forked from the fork server process.
+ // argc & argv will be updated with the values passing from the
+ // chrome process. With the new values, this function
+ // continues the reset of the code acting as a content process.
+ if (gBootstrap->XRE_ForkServer(&argc, &argv)) {
+ // Return from the fork server in the fork server process.
+ // Stop the fork server.
+ gBootstrap->NS_LogTerm();
+ return 0;
+ }
+ // In a content process forked from the fork server.
+ // Start acting as a content process.
+ }
+#endif
+
+ mozilla::TimeStamp start = mozilla::TimeStamp::Now();
+
+ AUTO_BASE_PROFILER_INIT;
+ AUTO_BASE_PROFILER_LABEL("nsBrowserApp main", OTHER);
+
+#ifdef MOZ_BROWSER_CAN_BE_CONTENTPROC
+ // We are launching as a content process, delegate to the appropriate
+ // main
+ if (argc > 1 && IsArg(argv[1], "contentproc")) {
+# ifdef HAS_DLL_BLOCKLIST
+ DllBlocklist_Initialize(gBlocklistInitFlags |
+ eDllBlocklistInitFlagIsChildProcess);
+# endif
+# if defined(XP_WIN) && defined(MOZ_SANDBOX)
+ // We need to initialize the sandbox TargetServices before InitXPCOMGlue
+ // because we might need the sandbox broker to give access to some files.
+ if (IsSandboxedProcess() && !sandboxing::GetInitializedTargetServices()) {
+ Output("Failed to initialize the sandbox target services.");
+ return 255;
+ }
+# endif
+
+ nsresult rv = InitXPCOMGlue(LibLoadingStrategy::NoReadAhead);
+ if (NS_FAILED(rv)) {
+ return 255;
+ }
+
+ int result = content_process_main(gBootstrap.get(), argc, argv);
+
+# if defined(DEBUG) && defined(HAS_DLL_BLOCKLIST)
+ DllBlocklist_Shutdown();
+# endif
+
+ // InitXPCOMGlue calls NS_LogInit, so we need to balance it here.
+ gBootstrap->NS_LogTerm();
+
+ return result;
+ }
+#endif
+
+#ifdef HAS_DLL_BLOCKLIST
+ DllBlocklist_Initialize(gBlocklistInitFlags);
+#endif
+
+ nsresult rv = InitXPCOMGlue(LibLoadingStrategy::ReadAhead);
+ if (NS_FAILED(rv)) {
+ return 255;
+ }
+
+ gBootstrap->XRE_StartupTimelineRecord(mozilla::StartupTimeline::START, start);
+
+#ifdef MOZ_BROWSER_CAN_BE_CONTENTPROC
+ gBootstrap->XRE_EnableSameExecutableForContentProc();
+#endif
+
+ int result = do_main(argc, argv, envp);
+
+ gBootstrap->NS_LogTerm();
+
+#if defined(DEBUG) && defined(HAS_DLL_BLOCKLIST)
+ DllBlocklist_Shutdown();
+#endif
+
+#ifdef XP_MACOSX
+ // Allow writes again. While we would like to catch writes from static
+ // destructors to allow early exits to use _exit, we know that there is
+ // at least one such write that we don't control (see bug 826029). For
+ // now we enable writes again and early exits will have to use exit instead
+ // of _exit.
+ gBootstrap->XRE_StopLateWriteChecks();
+#endif
+
+ gBootstrap.reset();
+
+ return result;
+}
diff --git a/browser/app/permissions b/browser/app/permissions
new file mode 100644
index 0000000000..3ff3d84bc4
--- /dev/null
+++ b/browser/app/permissions
@@ -0,0 +1,26 @@
+# This file has default permissions for the permission manager.
+# The file-format is strict:
+# * matchtype \t type \t permission \t host
+# * "origin" should be used for matchtype, "host" is supported for legacy reasons
+# * type is a string that identifies the type of permission (e.g. "cookie")
+# * permission is an integer between 1 and 15
+# See PermissionManager.cpp for more...
+
+# UITour
+# Bug 1557153: www.mozilla.org gets a special workaround in UITourChild.jsm
+origin uitour 1 https://www.mozilla.org
+origin uitour 1 https://monitor.firefox.com
+origin uitour 1 https://screenshots.firefox.com
+origin uitour 1 https://support.mozilla.org
+origin uitour 1 about:home
+origin uitour 1 about:newtab
+
+# XPInstall
+origin install 1 https://addons.mozilla.org
+
+# Remote troubleshooting
+origin remote-troubleshooting 1 https://support.mozilla.org
+
+# addon install
+origin install 1 https://private-network.firefox.com
+origin install 1 https://fpn.firefox.com
diff --git a/browser/app/profile/channel-prefs.js b/browser/app/profile/channel-prefs.js
new file mode 100644
index 0000000000..eed6e634c2
--- /dev/null
+++ b/browser/app/profile/channel-prefs.js
@@ -0,0 +1,9 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+//
+// This pref is in its own file for complex reasons. See the comment in
+// browser/app/Makefile.in, bug 756325, and bug 1431342 for details. Do not add
+// other prefs to this file.
+
+pref("app.update.channel", "@MOZ_UPDATE_CHANNEL@");
diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
new file mode 100644
index 0000000000..fcd4e7fade
--- /dev/null
+++ b/browser/app/profile/firefox.js
@@ -0,0 +1,2400 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Non-static prefs that are specific to desktop Firefox belong in this file
+// (unless there is a compelling and documented reason for them to belong in
+// another file).
+//
+// Please indent all prefs defined within #ifdef/#ifndef conditions. This
+// improves readability, particular for conditional blocks that exceed a single
+// screen.
+
+#filter substitution
+
+#ifdef XP_UNIX
+ #ifndef XP_MACOSX
+ #define UNIX_BUT_NOT_MAC
+ #endif
+#endif
+
+pref("browser.hiddenWindowChromeURL", "chrome://browser/content/hiddenWindowMac.xhtml");
+
+// Enables some extra Extension System Logging (can reduce performance)
+pref("extensions.logging.enabled", false);
+
+// Disables strict compatibility, making addons compatible-by-default.
+pref("extensions.strictCompatibility", false);
+
+// Temporary preference to forcibly make themes more safe with Australis even if
+// extensions.checkCompatibility=false has been set.
+pref("extensions.checkCompatibility.temporaryThemeOverride_minAppVersion", "29.0a1");
+
+pref("extensions.webextPermissionPrompts", true);
+pref("extensions.webextOptionalPermissionPrompts", true);
+
+// Preferences for AMO integration
+pref("extensions.getAddons.cache.enabled", true);
+pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%");
+pref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%");
+pref("extensions.getAddons.link.url", "https://addons.mozilla.org/%LOCALE%/firefox/");
+pref("extensions.getAddons.langpacks.url", "https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION%");
+pref("extensions.getAddons.discovery.api_url", "https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%");
+
+// Use bloomfilters for the addons blocklist, instead of JSON only.
+pref("extensions.blocklist.useMLBF", true);
+pref("extensions.blocklist.useMLBF.stashes", true);
+
+// The URL for the privacy policy related to recommended extensions.
+pref("extensions.recommendations.privacyPolicyUrl", "https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=privacy-policy-link#addons");
+// The URL for Firefox Color, recommended on the theme page in about:addons.
+pref("extensions.recommendations.themeRecommendationUrl", "https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-footer-link");
+
+pref("extensions.update.autoUpdateDefault", true);
+
+// Check AUS for system add-on updates.
+pref("extensions.systemAddon.update.url", "https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
+pref("extensions.systemAddon.update.enabled", true);
+
+// Disable add-ons that are not installed by the user in all scopes by default.
+// See the SCOPE constants in AddonManager.jsm for values to use here.
+pref("extensions.autoDisableScopes", 15);
+// Scopes to scan for changes at startup.
+pref("extensions.startupScanScopes", 0);
+
+pref("extensions.geckoProfiler.acceptedExtensionIds", "geckoprofiler@mozilla.com,quantum-foxfooding@mozilla.com,raptor@mozilla.org");
+
+
+// Add-on content security policies.
+pref("extensions.webextensions.base-content-security-policy", "script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' https://* moz-extension: blob: filesystem:;");
+pref("extensions.webextensions.default-content-security-policy", "script-src 'self'; object-src 'self';");
+
+pref("extensions.webextensions.remote", true);
+pref("extensions.webextensions.background-delayed-startup", true);
+
+// Require signed add-ons by default
+pref("extensions.langpacks.signatures.required", true);
+pref("xpinstall.signatures.required", true);
+pref("xpinstall.signatures.devInfoURL", "https://wiki.mozilla.org/Addons/Extension_Signing");
+
+// Enable extensionStorage storage actor by default
+pref("devtools.storage.extensionStorage.enabled", true);
+
+// Dictionary download preference
+pref("browser.dictionaries.download.url", "https://addons.mozilla.org/%LOCALE%/firefox/language-tools/");
+
+// At startup, should we check to see if the installation
+// date is older than some threshold
+pref("app.update.checkInstallTime", true);
+
+// The number of days a binary is permitted to be old without checking is defined in
+// firefox-branding.js (app.update.checkInstallTime.days)
+
+// The minimum delay in seconds for the timer to fire between the notification
+// of each consumer of the timer manager.
+// minimum=30 seconds, default=120 seconds, and maximum=300 seconds
+pref("app.update.timerMinimumDelay", 120);
+
+// The minimum delay in milliseconds for the first firing after startup of the timer
+// to notify consumers of the timer manager.
+// minimum=10 seconds, default=30 seconds, and maximum=120 seconds
+pref("app.update.timerFirstInterval", 30000);
+
+// App-specific update preferences
+
+// The interval to check for updates (app.update.interval) is defined in
+// firefox-branding.js
+
+// Enables some extra Application Update Logging (can reduce performance)
+pref("app.update.log", false);
+// Causes Application Update Logging to be sent to a file in the profile
+// directory. This preference is automatically disabled on application start to
+// prevent it from being left on accidentally. Turning this pref on enables
+// logging, even if app.update.log is false.
+pref("app.update.log.file", false);
+
+// The number of general background check failures to allow before notifying the
+// user of the failure. User initiated update checks always notify the user of
+// the failure.
+pref("app.update.backgroundMaxErrors", 10);
+
+// Ids of the links to the "What's new" update documentation
+pref("app.update.link.updateAvailableWhatsNew", "update-available-whats-new");
+pref("app.update.link.updateManualWhatsNew", "update-manual-whats-new");
+
+// How many times we should let downloads fail before prompting the user to
+// download a fresh installer.
+pref("app.update.download.promptMaxAttempts", 2);
+
+// How many times we should let an elevation prompt fail before prompting the user to
+// download a fresh installer.
+pref("app.update.elevation.promptMaxAttempts", 2);
+
+// If set to true, the Update Service will automatically download updates if the
+// user can apply updates. This pref is no longer used on Windows, except as the
+// default value to migrate to the new location that this data is now stored
+// (which is in a file in the update directory). Because of this, this pref
+// should no longer be used directly. Instead, getAppUpdateAutoEnabled and
+// getAppUpdateAutoEnabled from UpdateUtils.jsm should be used.
+#ifndef XP_WIN
+ pref("app.update.auto", true);
+#endif
+
+// If set to true, the Update Service will apply updates in the background
+// when it finishes downloading them.
+pref("app.update.staging.enabled", true);
+
+// Update service URL:
+// app.update.url was removed in Bug 1568994
+// app.update.url.manual is in branding section
+// app.update.url.details is in branding section
+
+// app.update.badgeWaitTime is in branding section
+// app.update.interval is in branding section
+// app.update.promptWaitTime is in branding section
+
+// Whether or not to attempt using the service for updates.
+#ifdef MOZ_MAINTENANCE_SERVICE
+ pref("app.update.service.enabled", true);
+#endif
+
+#ifdef MOZ_BITS_DOWNLOAD
+ // If set to true, the Update Service will attempt to use Windows BITS to
+ // download updates and will fallback to downloading internally if that fails.
+ pref("app.update.BITS.enabled", true);
+#endif
+
+// Symmetric (can be overridden by individual extensions) update preferences.
+// e.g.
+// extensions.{GUID}.update.enabled
+// extensions.{GUID}.update.url
+// .. etc ..
+//
+pref("extensions.update.enabled", true);
+pref("extensions.update.url", "https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%");
+pref("extensions.update.background.url", "https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%");
+pref("extensions.update.interval", 86400); // Check for updates to Extensions and
+ // Themes every day
+
+pref("lightweightThemes.getMoreURL", "https://addons.mozilla.org/%LOCALE%/firefox/themes");
+
+#if defined(MOZ_WIDEVINE_EME)
+ pref("browser.eme.ui.enabled", true);
+#else
+ pref("browser.eme.ui.enabled", false);
+#endif
+
+// UI tour experience.
+pref("browser.uitour.enabled", true);
+pref("browser.uitour.loglevel", "Error");
+pref("browser.uitour.requireSecure", true);
+pref("browser.uitour.themeOrigin", "https://addons.mozilla.org/%LOCALE%/firefox/themes/");
+pref("browser.uitour.url", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/");
+// How long to show a Hearbeat survey (two hours, in seconds)
+pref("browser.uitour.surveyDuration", 7200);
+
+pref("keyword.enabled", true);
+
+// Fixup whitelists, the urlbar won't try to search for these words, but will
+// instead consider them valid TLDs. Don't check these directly, use
+// Services.uriFixup.isDomainWhitelisted() instead.
+pref("browser.fixup.domainwhitelist.localhost", true);
+// https://tools.ietf.org/html/rfc2606
+pref("browser.fixup.domainsuffixwhitelist.test", true);
+pref("browser.fixup.domainsuffixwhitelist.example", true);
+pref("browser.fixup.domainsuffixwhitelist.invalid", true);
+pref("browser.fixup.domainsuffixwhitelist.localhost", true);
+// https://tools.ietf.org/html/draft-wkumari-dnsop-internal-00
+pref("browser.fixup.domainsuffixwhitelist.internal", true);
+// https://tools.ietf.org/html/rfc6762
+pref("browser.fixup.domainsuffixwhitelist.local", true);
+
+#ifdef UNIX_BUT_NOT_MAC
+ pref("general.autoScroll", false);
+#else
+ pref("general.autoScroll", true);
+#endif
+
+// UI density of the browser chrome. This mostly affects toolbarbutton
+// and urlbar spacing. The possible values are 0=normal, 1=compact, 2=touch.
+pref("browser.uidensity", 0);
+// Whether Firefox will automatically override the uidensity to "touch"
+// while the user is in a touch environment (such as Windows tablet mode).
+pref("browser.touchmode.auto", true);
+
+// At startup, check if we're the default browser and prompt user if not.
+pref("browser.shell.checkDefaultBrowser", true);
+pref("browser.shell.shortcutFavicons",true);
+pref("browser.shell.mostRecentDateSetAsDefault", "");
+pref("browser.shell.skipDefaultBrowserCheckOnFirstRun", true);
+pref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", false);
+pref("browser.shell.defaultBrowserCheckCount", 0);
+pref("browser.defaultbrowser.notificationbar", false);
+
+// 0 = blank, 1 = home (browser.startup.homepage), 2 = last visited page, 3 = resume previous browser session
+// The behavior of option 3 is detailed at: http://wiki.mozilla.org/Session_Restore
+pref("browser.startup.page", 1);
+pref("browser.startup.homepage", "about:home");
+pref("browser.startup.homepage.abouthome_cache.enabled", false);
+
+// Whether we should skip the homepage when opening the first-run page
+pref("browser.startup.firstrunSkipsHomepage", true);
+
+// Show an about:blank window as early as possible for quick startup feedback.
+// Held to nightly on Linux due to bug 1450626.
+// Disabled on Mac because the bouncing dock icon already provides feedback.
+#if defined(XP_WIN) || defined(MOZ_WIDGET_GTK) && defined(NIGHTLY_BUILD)
+ pref("browser.startup.blankWindow", true);
+#else
+ pref("browser.startup.blankWindow", false);
+#endif
+
+// Don't create the hidden window during startup on
+// platforms that don't always need it (Win/Linux).
+pref("toolkit.lazyHiddenWindow", true);
+
+pref("browser.slowStartup.notificationDisabled", false);
+pref("browser.slowStartup.timeThreshold", 20000);
+pref("browser.slowStartup.maxSamples", 5);
+
+pref("browser.chrome.site_icons", true);
+// browser.warnOnQuit == false will override all other possible prompts when quitting or restarting
+pref("browser.warnOnQuit", true);
+pref("browser.fullscreen.autohide", true);
+pref("browser.overlink-delay", 80);
+
+// Whether using `ctrl` when hitting return/enter in the URL bar
+// (or clicking 'go') should prefix 'www.' and suffix
+// browser.fixup.alternate.suffix to the URL bar value prior to
+// navigating.
+pref("browser.urlbar.ctrlCanonizesURLs", true);
+
+// Control autoFill behavior
+pref("browser.urlbar.autoFill", true);
+
+// Whether to warm up network connections for autofill or search results.
+pref("browser.urlbar.speculativeConnect.enabled", true);
+
+// Whether bookmarklets should be filtered out of Address Bar matches.
+// This is enabled for security reasons, when true it is still possible to
+// search for bookmarklets typing "javascript: " followed by the actual query.
+pref("browser.urlbar.filter.javascript", true);
+
+// the maximum number of results to show in autocomplete when doing richResults
+pref("browser.urlbar.maxRichResults", 10);
+// The amount of time (ms) to wait after the user has stopped typing
+// before starting to perform autocomplete. 50 is the default set in
+// autocomplete.xml.
+pref("browser.urlbar.delay", 50);
+
+// The maximum number of historical search results to show.
+pref("browser.urlbar.maxHistoricalSearchSuggestions", 2);
+
+// When true, URLs in the user's history that look like search result pages
+// are styled to look like search engine results instead of the usual history
+// results.
+pref("browser.urlbar.restyleSearches", false);
+
+// The default behavior for the urlbar can be configured to use any combination
+// of the match filters with each additional filter adding more results (union).
+pref("browser.urlbar.suggest.bookmark", true);
+pref("browser.urlbar.suggest.history", true);
+pref("browser.urlbar.suggest.openpage", true);
+pref("browser.urlbar.suggest.searches", true);
+pref("browser.urlbar.suggest.topsites", true);
+
+// As a user privacy measure, don't fetch search suggestions if a pasted string
+// is longer than this.
+pref("browser.urlbar.maxCharsForSearchSuggestions", 100);
+
+pref("browser.urlbar.formatting.enabled", true);
+pref("browser.urlbar.trimURLs", true);
+
+// If changed to true, copying the entire URL from the location bar will put the
+// human readable (percent-decoded) URL on the clipboard.
+pref("browser.urlbar.decodeURLsOnCopy", false);
+
+// Whether or not to move tabs into the active window when using the "Switch to
+// Tab" feature of the awesomebar.
+pref("browser.urlbar.switchTabs.adoptIntoActiveWindow", false);
+
+// Whether addresses and search results typed into the address bar
+// should be opened in new tabs by default.
+pref("browser.urlbar.openintab", false);
+
+// If true, we show tail suggestions when available.
+pref("browser.urlbar.richSuggestions.tail", false);
+
+// This is disabled until Bug 1340663 figures out the remaining requirements.
+pref("browser.urlbar.usepreloadedtopurls.enabled", false);
+pref("browser.urlbar.usepreloadedtopurls.expire_days", 14);
+
+// If true, we show actionable tips in the Urlbar when the user is searching
+// for those actions.
+pref("browser.urlbar.update1.interventions", true);
+
+// If true, we show new users and those about to start an organic search a tip
+// encouraging them to use the Urlbar.
+pref("browser.urlbar.update1.searchTips", true);
+
+// Whether we expand the font size when when the urlbar is
+// focused in design update 2.
+pref("browser.urlbar.update2.expandTextOnFocus", false);
+
+pref("browser.urlbar.eventTelemetry.enabled", false);
+
+// Controls when to DNS resolve single word search strings, after they were
+// searched for. If the string is resolved as a valid host, show a
+// "Did you mean to go to 'host'" prompt.
+// 0 - never resolve; 1 - use heuristics (default); 2 - always resolve
+pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 1);
+
+pref("browser.altClickSave", false);
+
+// Enable logging downloads operations to the Console.
+pref("browser.download.loglevel", "Error");
+
+// Number of milliseconds to wait for the http headers (and thus
+// the Content-Disposition filename) before giving up and falling back to
+// picking a filename without that info in hand so that the user sees some
+// feedback from their action.
+pref("browser.download.saveLinkAsFilenameTimeout", 4000);
+
+pref("browser.download.useDownloadDir", true);
+pref("browser.download.folderList", 1);
+pref("browser.download.manager.addToRecentDocs", true);
+pref("browser.download.manager.resumeOnWakeDelay", 10000);
+
+// This allows disabling the animated notifications shown by
+// the Downloads Indicator when a download starts or completes.
+pref("browser.download.animateNotifications", true);
+
+// This records whether or not the panel has been shown at least once.
+pref("browser.download.panel.shown", false);
+
+// This controls whether the button is automatically shown/hidden depending
+// on whether there are downloads to show.
+pref("browser.download.autohideButton", true);
+
+#ifndef XP_MACOSX
+ pref("browser.helperApps.deleteTempFileOnExit", true);
+#endif
+
+// This controls the visibility of the radio button in the
+// Unknown Content Type (Helper App) dialog that will open
+// the content in the browser.
+pref("browser.helperApps.showOpenOptionForPdfJS", true);
+
+// search engines URL
+pref("browser.search.searchEnginesURL", "https://addons.mozilla.org/%LOCALE%/firefox/search-engines/");
+
+// Market-specific search defaults
+pref("browser.search.geoSpecificDefaults", true);
+pref("browser.search.geoSpecificDefaults.url", "https://search.services.mozilla.com/1/%APP%/%VERSION%/%CHANNEL%/%LOCALE%/%REGION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%");
+
+// search bar results always open in a new tab
+pref("browser.search.openintab", false);
+
+// context menu searches open in the foreground
+pref("browser.search.context.loadInBackground", false);
+
+// comma seperated list of of engines to hide in the search panel.
+pref("browser.search.hiddenOneOffs", "");
+
+// Mirrors whether the search-container widget is in the navigation toolbar.
+pref("browser.search.widget.inNavBar", false);
+
+// Enables display of the options for the user using a separate default search
+// engine in private browsing mode.
+#ifdef NIGHTLY_BUILD
+ pref("browser.search.separatePrivateDefault.ui.enabled", true);
+#endif
+// The maximum amount of times the private default banner is shown.
+pref("browser.search.separatePrivateDefault.ui.banner.max", 0);
+
+pref("browser.search.modernConfig", true);
+
+pref("browser.sessionhistory.max_entries", 50);
+
+// Built-in default permissions.
+pref("permissions.manager.defaultsUrl", "resource://app/defaults/permissions");
+
+// Set default fallback values for site permissions we want
+// the user to be able to globally change.
+pref("permissions.default.camera", 0);
+pref("permissions.default.microphone", 0);
+pref("permissions.default.geo", 0);
+pref("permissions.default.xr", 0);
+pref("permissions.default.desktop-notification", 0);
+pref("permissions.default.shortcuts", 0);
+
+pref("permissions.desktop-notification.postPrompt.enabled", true);
+pref("permissions.desktop-notification.notNow.enabled", false);
+
+pref("permissions.fullscreen.allowed", false);
+
+// handle links targeting new windows
+// 1=current window/tab, 2=new window, 3=new tab in most recent window
+pref("browser.link.open_newwindow", 3);
+
+// handle external links (i.e. links opened from a different application)
+// default: use browser.link.open_newwindow
+// 1-3: see browser.link.open_newwindow for interpretation
+pref("browser.link.open_newwindow.override.external", -1);
+
+// 0: no restrictions - divert everything
+// 1: don't divert window.open at all
+// 2: don't divert window.open with features
+pref("browser.link.open_newwindow.restriction", 2);
+
+// If true, this pref causes windows opened by window.open to be forced into new
+// tabs (rather than potentially opening separate windows, depending on
+// window.open arguments) when the browser is in fullscreen mode.
+// We set this differently on Mac because the fullscreen implementation there is
+// different.
+#ifdef XP_MACOSX
+ pref("browser.link.open_newwindow.disabled_in_fullscreen", true);
+#else
+ pref("browser.link.open_newwindow.disabled_in_fullscreen", false);
+#endif
+
+// Tabbed browser
+pref("browser.tabs.closeTabByDblclick", false);
+pref("browser.tabs.closeWindowWithLastTab", true);
+pref("browser.tabs.allowTabDetach", true);
+// Open related links to a tab, e.g., link in current tab, at next to the
+// current tab if |insertRelatedAfterCurrent| is true. Otherwise, always
+// append new tab to the end.
+pref("browser.tabs.insertRelatedAfterCurrent", true);
+// Open all links, e.g., bookmarks, history items at next to current tab
+// if |insertAfterCurrent| is true. Otherwise, append new tab to the end
+// for non-related links. Note that if this is set to true, it will trump
+// the value of browser.tabs.insertRelatedAfterCurrent.
+pref("browser.tabs.insertAfterCurrent", false);
+pref("browser.tabs.warnOnClose", true);
+pref("browser.tabs.warnOnCloseOtherTabs", true);
+pref("browser.tabs.warnOnOpen", true);
+pref("browser.tabs.maxOpenBeforeWarn", 15);
+pref("browser.tabs.loadInBackground", true);
+pref("browser.tabs.opentabfor.middleclick", true);
+pref("browser.tabs.loadDivertedInBackground", false);
+pref("browser.tabs.loadBookmarksInBackground", false);
+pref("browser.tabs.loadBookmarksInTabs", false);
+pref("browser.tabs.tabClipWidth", 140);
+pref("browser.tabs.tabMinWidth", 76);
+// Initial titlebar state is managed by -moz-gtk-csd-hide-titlebar-by-default
+// on Linux.
+#ifndef UNIX_BUT_NOT_MAC
+ pref("browser.tabs.drawInTitlebar", true);
+#endif
+
+//Control the visibility of Tab Manager Menu.
+pref("browser.tabs.tabmanager.enabled", false);
+
+// Offer additional drag space to the user. The drag space
+// will only be shown if browser.tabs.drawInTitlebar is true.
+pref("browser.tabs.extraDragSpace", false);
+
+// When tabs opened by links in other tabs via a combination of
+// browser.link.open_newwindow being set to 3 and target="_blank" etc are
+// closed:
+// true return to the tab that opened this tab (its owner)
+// false return to the adjacent tab (old default)
+pref("browser.tabs.selectOwnerOnClose", true);
+
+// This should match Chromium's audio indicator delay.
+pref("browser.tabs.delayHidingAudioPlayingIconMS", 3000);
+
+// Pref to control whether we use a separate privileged content process
+// for about: pages. This pref name did not age well: we will have multiple
+// types of privileged content processes, each with different privileges.
+// types of privleged content processes, each with different privleges.
+#if defined(MOZ_CODE_COVERAGE) && defined(XP_LINUX) || defined(MOZ_ASAN)
+ // Disabled on Linux ccov builds due to bug 1621269.
+ pref("browser.tabs.remote.separatePrivilegedContentProcess", false);
+#else
+ pref("browser.tabs.remote.separatePrivilegedContentProcess", true);
+#endif
+
+#if defined(NIGHTLY_BUILD) && !defined(MOZ_ASAN)
+ // This pref will cause assertions when a remoteType triggers a process switch
+ // to a new remoteType it should not be able to trigger.
+ pref("browser.tabs.remote.enforceRemoteTypeRestrictions", true);
+#endif
+
+// Pref to control whether we use a separate privileged content process
+// for certain mozilla webpages (which are listed in the pref
+// browser.tabs.remote.separatedMozillaDomains).
+pref("browser.tabs.remote.separatePrivilegedMozillaWebContentProcess", true);
+
+// allow_eval_* is enabled on Firefox Desktop only at this
+// point in time
+pref("security.allow_eval_with_system_principal", false);
+pref("security.allow_eval_in_parent_process", false);
+
+#if defined(NIGHTLY_BUILD)
+ pref("security.allow_parent_unrestricted_js_loads", false);
+#endif
+
+// Unload tabs when available memory is running low
+pref("browser.tabs.unloadOnLowMemory", false);
+
+pref("browser.ctrlTab.recentlyUsedOrder", true);
+
+// By default, do not export HTML at shutdown.
+// If true, at shutdown the bookmarks in your menu and toolbar will
+// be exported as HTML to the bookmarks.html file.
+pref("browser.bookmarks.autoExportHTML", false);
+
+// The maximum number of daily bookmark backups to
+// keep in {PROFILEDIR}/bookmarkbackups. Special values:
+// -1: unlimited
+// 0: no backups created (and deletes all existing backups)
+pref("browser.bookmarks.max_backups", 15);
+
+// Whether menu should close after Ctrl-click, middle-click, etc.
+pref("browser.bookmarks.openInTabClosesMenu", true);
+
+// Scripts & Windows prefs
+pref("dom.disable_open_during_load", true);
+pref("javascript.options.showInConsole", true);
+
+// This is the pref to control the location bar, change this to true to
+// force this - this makes the origin of popup windows more obvious to avoid
+// spoofing. We would rather not do it by default because it affects UE for web
+// applications, but without it there isn't a really good way to prevent chrome
+// spoofing, see bug 337344
+pref("dom.disable_window_open_feature.location", true);
+// allow JS to move and resize existing windows
+pref("dom.disable_window_move_resize", false);
+// prevent JS from monkeying with window focus, etc
+pref("dom.disable_window_flip", true);
+
+// popups.policy 1=allow,2=reject
+pref("privacy.popups.policy", 1);
+pref("privacy.popups.usecustom", true);
+pref("privacy.popups.showBrowserMessage", true);
+
+pref("privacy.item.cookies", false);
+
+pref("privacy.clearOnShutdown.history", true);
+pref("privacy.clearOnShutdown.formdata", true);
+pref("privacy.clearOnShutdown.downloads", true);
+pref("privacy.clearOnShutdown.cookies", true);
+pref("privacy.clearOnShutdown.cache", true);
+pref("privacy.clearOnShutdown.sessions", true);
+pref("privacy.clearOnShutdown.offlineApps", false);
+pref("privacy.clearOnShutdown.siteSettings", false);
+pref("privacy.clearOnShutdown.openWindows", false);
+
+pref("privacy.cpd.history", true);
+pref("privacy.cpd.formdata", true);
+pref("privacy.cpd.passwords", false);
+pref("privacy.cpd.downloads", true);
+pref("privacy.cpd.cookies", true);
+pref("privacy.cpd.cache", true);
+pref("privacy.cpd.sessions", true);
+pref("privacy.cpd.offlineApps", false);
+pref("privacy.cpd.siteSettings", false);
+pref("privacy.cpd.openWindows", false);
+
+pref("privacy.history.custom", false);
+
+// What default should we use for the time span in the sanitizer:
+// 0 - Clear everything
+// 1 - Last Hour
+// 2 - Last 2 Hours
+// 3 - Last 4 Hours
+// 4 - Today
+// 5 - Last 5 minutes
+// 6 - Last 24 hours
+pref("privacy.sanitize.timeSpan", 1);
+
+pref("privacy.sanitize.migrateFx3Prefs", false);
+
+pref("privacy.panicButton.enabled", true);
+
+// Time until temporary permissions expire, in ms
+pref("privacy.temporary_permission_expire_time_ms", 3600000);
+
+pref("network.proxy.share_proxy_settings", false); // use the same proxy settings for all protocols
+
+// simple gestures support
+pref("browser.gesture.swipe.left", "Browser:BackOrBackDuplicate");
+pref("browser.gesture.swipe.right", "Browser:ForwardOrForwardDuplicate");
+pref("browser.gesture.swipe.up", "cmd_scrollTop");
+pref("browser.gesture.swipe.down", "cmd_scrollBottom");
+pref("browser.gesture.pinch.latched", false);
+pref("browser.gesture.pinch.threshold", 25);
+#if defined(XP_WIN) || defined(MOZ_WIDGET_GTK)
+ // Enabled for touch input display zoom.
+ pref("browser.gesture.pinch.out", "cmd_fullZoomEnlarge");
+ pref("browser.gesture.pinch.in", "cmd_fullZoomReduce");
+ pref("browser.gesture.pinch.out.shift", "cmd_fullZoomReset");
+ pref("browser.gesture.pinch.in.shift", "cmd_fullZoomReset");
+#else
+ // Disabled by default due to issues with track pad input.
+ pref("browser.gesture.pinch.out", "");
+ pref("browser.gesture.pinch.in", "");
+ pref("browser.gesture.pinch.out.shift", "");
+ pref("browser.gesture.pinch.in.shift", "");
+#endif
+pref("browser.gesture.twist.latched", false);
+pref("browser.gesture.twist.threshold", 0);
+pref("browser.gesture.twist.right", "cmd_gestureRotateRight");
+pref("browser.gesture.twist.left", "cmd_gestureRotateLeft");
+pref("browser.gesture.twist.end", "cmd_gestureRotateEnd");
+pref("browser.gesture.tap", "cmd_fullZoomReset");
+
+pref("browser.history_swipe_animation.disabled", false);
+
+// 0: Nothing happens
+// 1: Scrolling contents
+// 2: Go back or go forward, in your history
+// 3: Zoom in or out (reflowing zoom).
+// 4: Treat vertical wheel as horizontal scroll
+// 5: Zoom in or out (pinch zoom).
+#ifdef XP_MACOSX
+ // On macOS, if the wheel has one axis only, shift+wheel comes through as a
+ // horizontal scroll event. Thus, we can't assign anything other than normal
+ // scrolling to shift+wheel.
+ pref("mousewheel.with_shift.action", 1);
+ pref("mousewheel.with_alt.action", 2);
+ // On MacOS X, control+wheel is typically handled by system and we don't
+ // receive the event. So, command key which is the main modifier key for
+ // acceleration is the best modifier for zoom-in/out. However, we should keep
+ // the control key setting for backward compatibility.
+ pref("mousewheel.with_meta.action", 3); // command key on Mac
+ // Disable control-/meta-modified horizontal wheel events, since those are
+ // used on Mac as part of modified swipe gestures (e.g. Left swipe+Cmd is
+ // "go back" in a new tab).
+ pref("mousewheel.with_control.action.override_x", 0);
+ pref("mousewheel.with_meta.action.override_x", 0);
+#else
+ // On the other platforms (non-macOS), user may use legacy mouse which
+ // supports only vertical wheel but want to scroll horizontally. For such
+ // users, we should provide horizontal scroll with shift+wheel (same as
+ // Chrome). However, shift+wheel was used for navigating history. For users
+ // who want to keep using this feature, let's enable it with alt+wheel. This
+ // is better for consistency with macOS users.
+ pref("mousewheel.with_shift.action", 4);
+ pref("mousewheel.with_alt.action", 2);
+ pref("mousewheel.with_meta.action", 1); // win key on Win, Super/Hyper on Linux
+#endif
+pref("mousewheel.with_control.action",3);
+pref("mousewheel.with_win.action", 1);
+
+pref("browser.xul.error_pages.expert_bad_cert", false);
+pref("browser.xul.error_pages.show_safe_browsing_details_on_load", false);
+
+// Enable captive portal detection.
+pref("network.captive-portal-service.enabled", true);
+
+// If true, network link events will change the value of navigator.onLine
+pref("network.manage-offline-status", true);
+
+// We want to make sure mail URLs are handled externally...
+pref("network.protocol-handler.external.mailto", true); // for mail
+pref("network.protocol-handler.external.news", true); // for news
+pref("network.protocol-handler.external.snews", true); // for secure news
+pref("network.protocol-handler.external.nntp", true); // also news
+#ifdef XP_WIN
+ pref("network.protocol-handler.external.ms-windows-store", true);
+#endif
+
+// ...without warning dialogs
+pref("network.protocol-handler.warn-external.mailto", false);
+pref("network.protocol-handler.warn-external.news", false);
+pref("network.protocol-handler.warn-external.snews", false);
+pref("network.protocol-handler.warn-external.nntp", false);
+#ifdef XP_WIN
+ pref("network.protocol-handler.warn-external.ms-windows-store", false);
+#endif
+
+// By default, all protocol handlers are exposed. This means that
+// the browser will respond to openURL commands for all URL types.
+// It will also try to open link clicks inside the browser before
+// failing over to the system handlers.
+pref("network.protocol-handler.expose-all", true);
+pref("network.protocol-handler.expose.mailto", false);
+pref("network.protocol-handler.expose.news", false);
+pref("network.protocol-handler.expose.snews", false);
+pref("network.protocol-handler.expose.nntp", false);
+
+pref("accessibility.typeaheadfind", false);
+pref("accessibility.typeaheadfind.timeout", 5000);
+pref("accessibility.typeaheadfind.linksonly", false);
+pref("accessibility.typeaheadfind.flashBar", 1);
+
+// Accessibility indicator preferences such as support URL, enabled flag.
+pref("accessibility.support.url", "https://support.mozilla.org/%LOCALE%/kb/accessibility-services");
+pref("accessibility.indicator.enabled", false);
+
+pref("plugins.testmode", false);
+
+// Should plugins that are hidden show the infobar UI?
+pref("plugins.show_infobar", false);
+
+#if defined(_ARM64_) && defined(XP_WIN)
+ pref("plugin.default.state", 0);
+#else
+ pref("plugin.default.state", 1);
+#endif
+
+// Enables the download and use of the flash blocklists.
+pref("plugins.flashBlock.enabled", true);
+
+// Prefer HTML5 video over Flash content, and don't
+// load plugin instances with no src declared.
+// These prefs are documented in details on all.js.
+// With the "follow-ctp" setting, this will only
+// apply to users that have plugin.state.flash = 1.
+pref("plugins.favorfallback.mode", "follow-ctp");
+pref("plugins.favorfallback.rules", "nosrc,video");
+
+#ifdef XP_WIN
+ pref("browser.preferences.instantApply", false);
+#else
+ pref("browser.preferences.instantApply", true);
+#endif
+
+// Toggling Search bar on and off in about:preferences
+pref("browser.preferences.search", true);
+
+pref("browser.preferences.defaultPerformanceSettings.enabled", true);
+
+pref("browser.download.show_plugins_in_list", true);
+pref("browser.download.hide_plugins_without_extensions", true);
+
+// Backspace and Shift+Backspace behavior
+// 0 goes Back/Forward
+// 1 act like PgUp/PgDown
+// 2 and other values, nothing
+#ifdef UNIX_BUT_NOT_MAC
+ pref("browser.backspace_action", 2);
+#else
+ pref("browser.backspace_action", 0);
+#endif
+
+pref("intl.regional_prefs.use_os_locales", false);
+
+// this will automatically enable inline spellchecking (if it is available) for
+// editable elements in HTML
+// 0 = spellcheck nothing
+// 1 = check multi-line controls [default]
+// 2 = check multi/single line controls
+pref("layout.spellcheckDefault", 1);
+
+pref("browser.send_pings", false);
+
+// At startup, if the handler service notices that the version number in the
+// region.properties file is newer than the version number in the handler
+// service datastore, it will add any new handlers it finds in the prefs (as
+// seeded by this file) to its datastore.
+pref("gecko.handlerService.defaultHandlersVersion", "chrome://browser-region/locale/region.properties");
+
+// The default set of web-based protocol handlers shown in the application
+// selection dialog for webcal: ; I've arbitrarily picked 4 default handlers
+// per protocol, but if some locale wants more than that (or defaults for some
+// protocol not currently listed here), we should go ahead and add those.
+
+// webcal
+pref("gecko.handlerService.schemes.webcal.0.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.0.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.1.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.1.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.2.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.2.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.3.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.webcal.3.uriTemplate", "chrome://browser-region/locale/region.properties");
+
+// mailto
+pref("gecko.handlerService.schemes.mailto.0.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.0.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.1.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.1.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.2.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.2.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.3.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.mailto.3.uriTemplate", "chrome://browser-region/locale/region.properties");
+
+// irc
+pref("gecko.handlerService.schemes.irc.0.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.0.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.1.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.1.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.2.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.2.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.3.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.irc.3.uriTemplate", "chrome://browser-region/locale/region.properties");
+
+// ircs
+pref("gecko.handlerService.schemes.ircs.0.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.0.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.1.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.1.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.2.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.2.uriTemplate", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.3.name", "chrome://browser-region/locale/region.properties");
+pref("gecko.handlerService.schemes.ircs.3.uriTemplate", "chrome://browser-region/locale/region.properties");
+
+pref("browser.geolocation.warning.infoURL", "https://www.mozilla.org/%LOCALE%/firefox/geolocation/");
+pref("browser.xr.warning.infoURL", "https://www.mozilla.org/%LOCALE%/firefox/xr/");
+
+pref("browser.sessionstore.resume_from_crash", true);
+pref("browser.sessionstore.resume_session_once", false);
+pref("browser.sessionstore.resuming_after_os_restart", false);
+
+// Minimal interval between two save operations in milliseconds (while the user is active).
+pref("browser.sessionstore.interval", 15000); // 15 seconds
+
+// Minimal interval between two save operations in milliseconds (while the user is idle).
+pref("browser.sessionstore.interval.idle", 3600000); // 1h
+
+// Time (ms) before we assume that the user is idle and that we don't need to
+// collect/save the session quite as often.
+pref("browser.sessionstore.idleDelay", 180000); // 3 minutes
+
+// on which sites to save text data, POSTDATA and cookies
+// 0 = everywhere, 1 = unencrypted sites, 2 = nowhere
+pref("browser.sessionstore.privacy_level", 0);
+// how many tabs can be reopened (per window)
+pref("browser.sessionstore.max_tabs_undo", 25);
+// how many windows can be reopened (per session) - on non-OS X platforms this
+// pref may be ignored when dealing with pop-up windows to ensure proper startup
+pref("browser.sessionstore.max_windows_undo", 3);
+// number of crashes that can occur before the about:sessionrestore page is displayed
+// (this pref has no effect if more than 6 hours have passed since the last crash)
+pref("browser.sessionstore.max_resumed_crashes", 1);
+// number of back button session history entries to restore (-1 = all of them)
+pref("browser.sessionstore.max_serialize_back", 10);
+// number of forward button session history entries to restore (-1 = all of them)
+pref("browser.sessionstore.max_serialize_forward", -1);
+// restore_on_demand overrides MAX_CONCURRENT_TAB_RESTORES (sessionstore constant)
+// and restore_hidden_tabs. When true, tabs will not be restored until they are
+// focused (also applies to tabs that aren't visible). When false, the values
+// for MAX_CONCURRENT_TAB_RESTORES and restore_hidden_tabs are respected.
+// Selected tabs are always restored regardless of this pref.
+pref("browser.sessionstore.restore_on_demand", true);
+// Whether to automatically restore hidden tabs (i.e., tabs in other tab groups) or not
+pref("browser.sessionstore.restore_hidden_tabs", false);
+// If restore_on_demand is set, pinned tabs are restored on startup by default.
+// When set to true, this pref overrides that behavior, and pinned tabs will only
+// be restored when they are focused.
+pref("browser.sessionstore.restore_pinned_tabs_on_demand", false);
+// The version at which we performed the latest upgrade backup
+pref("browser.sessionstore.upgradeBackup.latestBuildID", "");
+// How many upgrade backups should be kept
+pref("browser.sessionstore.upgradeBackup.maxUpgradeBackups", 3);
+// End-users should not run sessionstore in debug mode
+pref("browser.sessionstore.debug", false);
+// Causes SessionStore to ignore non-final update messages from
+// browser tabs that were not caused by a flush from the parent.
+// This is a testing flag and should not be used by end-users.
+pref("browser.sessionstore.debug.no_auto_updates", false);
+// Forget closed windows/tabs after two weeks
+pref("browser.sessionstore.cleanup.forget_closed_after", 1209600000);
+// Amount of failed SessionFile writes until we restart the worker.
+pref("browser.sessionstore.max_write_failures", 5);
+
+// Whether to warn the user when quitting, even though their tabs will be restored.
+pref("browser.sessionstore.warnOnQuit", false);
+
+// allow META refresh by default
+pref("accessibility.blockautorefresh", false);
+
+// Whether history is enabled or not.
+pref("places.history.enabled", true);
+
+// Whether or not diacritics must match in history text searches.
+pref("places.search.matchDiacritics", false);
+
+// the (maximum) number of the recent visits to sample
+// when calculating frecency
+pref("places.frecency.numVisits", 10);
+
+// buckets (in days) for frecency calculation
+pref("places.frecency.firstBucketCutoff", 4);
+pref("places.frecency.secondBucketCutoff", 14);
+pref("places.frecency.thirdBucketCutoff", 31);
+pref("places.frecency.fourthBucketCutoff", 90);
+
+// weights for buckets for frecency calculations
+pref("places.frecency.firstBucketWeight", 100);
+pref("places.frecency.secondBucketWeight", 70);
+pref("places.frecency.thirdBucketWeight", 50);
+pref("places.frecency.fourthBucketWeight", 30);
+pref("places.frecency.defaultBucketWeight", 10);
+
+// bonus (in percent) for visit transition types for frecency calculations
+pref("places.frecency.embedVisitBonus", 0);
+pref("places.frecency.framedLinkVisitBonus", 0);
+pref("places.frecency.linkVisitBonus", 100);
+pref("places.frecency.typedVisitBonus", 2000);
+// The bookmarks bonus is always added on top of any other bonus, including
+// the redirect source and the typed ones.
+pref("places.frecency.bookmarkVisitBonus", 75);
+// The redirect source bonus overwrites any transition bonus.
+// 0 would hide these pages, instead we want them low ranked. Thus we use
+// linkVisitBonus - bookmarkVisitBonus, so that a bookmarked source is in par
+// with a common link.
+pref("places.frecency.redirectSourceVisitBonus", 25);
+pref("places.frecency.downloadVisitBonus", 0);
+// The perm/temp redirects here relate to redirect targets, not sources.
+pref("places.frecency.permRedirectVisitBonus", 50);
+pref("places.frecency.tempRedirectVisitBonus", 40);
+pref("places.frecency.reloadVisitBonus", 0);
+pref("places.frecency.defaultVisitBonus", 0);
+
+// bonus (in percent) for place types for frecency calculations
+pref("places.frecency.unvisitedBookmarkBonus", 140);
+pref("places.frecency.unvisitedTypedBonus", 200);
+
+// Controls behavior of the "Add Exception" dialog launched from SSL error pages
+// 0 - don't pre-populate anything
+// 1 - pre-populate site URL, but don't fetch certificate
+// 2 - pre-populate site URL and pre-fetch certificate
+pref("browser.ssl_override_behavior", 2);
+
+// if true, use full page zoom instead of text zoom
+pref("browser.zoom.full", true);
+
+// Whether or not to save and restore zoom levels on a per-site basis.
+pref("browser.zoom.siteSpecific", true);
+
+// Whether or not to update background tabs to the current zoom level.
+pref("browser.zoom.updateBackgroundTabs", true);
+
+// The breakpad report server to link to in about:crashes
+pref("breakpad.reportURL", "https://crash-stats.mozilla.org/report/index/");
+
+// URL for "Learn More" for DataCollection
+pref("toolkit.datacollection.infoURL",
+ "https://www.mozilla.org/legal/privacy/firefox.html");
+
+// URL for "Learn More" for Crash Reporter
+pref("toolkit.crashreporter.infoURL",
+ "https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter");
+
+// base URL for web-based support pages
+pref("app.support.baseURL", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/");
+
+// base url for web-based feedback pages
+#ifdef MOZ_DEV_EDITION
+ pref("app.feedback.baseURL", "https://input.mozilla.org/%LOCALE%/feedback/firefoxdev/%VERSION%/");
+#else
+ pref("app.feedback.baseURL", "https://input.mozilla.org/%LOCALE%/feedback/%APP%/%VERSION%/");
+#endif
+
+// Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror)
+pref("security.alternate_certificate_error_page", "certerror");
+
+pref("security.certerrors.recordEventTelemetry", true);
+pref("security.certerrors.permanentOverride", true);
+pref("security.certerrors.mitm.priming.enabled", true);
+pref("security.certerrors.mitm.priming.endpoint", "https://mitmdetection.services.mozilla.com/");
+pref("security.certerrors.mitm.auto_enable_enterprise_roots", true);
+
+pref("security.aboutcertificate.enabled", true);
+
+// Whether the bookmark panel should be shown when bookmarking a page.
+pref("browser.bookmarks.editDialog.showForNewBookmarks", true);
+
+// Don't try to alter this pref, it'll be reset the next time you use the
+// bookmarking dialog
+pref("browser.bookmarks.editDialog.firstEditField", "namePicker");
+
+// The number of recently selected folders in the edit bookmarks dialog.
+pref("browser.bookmarks.editDialog.maxRecentFolders", 7);
+
+pref("dom.ipc.plugins.flash.disable-protected-mode", false);
+
+// Feature-disable the protected-mode auto-flip
+pref("browser.flash-protected-mode-flip.enable", false);
+
+// Whether we've already flipped protected mode automatically
+pref("browser.flash-protected-mode-flip.done", false);
+
+pref("dom.ipc.shims.enabledWarnings", false);
+
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+ // Controls whether and how the Windows NPAPI plugin process is sandboxed.
+ // To get a different setting for a particular plugin replace "default", with
+ // the plugin's nice file name, see: nsPluginTag::GetNiceFileName.
+ // On windows these levels are:
+ // 0 - no sandbox
+ // 1 - sandbox with USER_NON_ADMIN access token level
+ // 2 - a more strict sandbox, which might cause functionality issues. This now
+ // includes running at low integrity.
+ // 3 - the strongest settings we seem to be able to use without breaking
+ // everything, but will probably cause some functionality restrictions
+ pref("dom.ipc.plugins.sandbox-level.default", 0);
+ #if defined(_AMD64_)
+ // The base sandbox level in nsPluginTag::InitSandboxLevel must be
+ // updated to keep in sync with this value.
+ pref("dom.ipc.plugins.sandbox-level.flash", 3);
+ #else
+ pref("dom.ipc.plugins.sandbox-level.flash", 0);
+ #endif
+
+ // This controls the strength of the Windows content process sandbox for
+ // testing purposes. This will require a restart.
+ // On windows these levels are:
+ // See - security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+ // SetSecurityLevelForContentProcess() for what the different settings mean.
+ pref("security.sandbox.content.level", 6);
+
+ // This controls the depth of stack trace that is logged when Windows sandbox
+ // logging is turned on. This is only currently available for the content
+ // process because the only other sandbox (for GMP) has too strict a policy to
+ // allow stack tracing. This does not require a restart to take effect.
+ pref("security.sandbox.windows.log.stackTraceDepth", 0);
+
+ // This controls the strength of the Windows GPU process sandbox. Changes
+ // will require restart.
+ // For information on what the level number means, see
+ // SetSecurityLevelForGPUProcess() in
+ // security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+ pref("security.sandbox.gpu.level", 0);
+
+ // Controls whether we disable win32k for the processes.
+ // true means that win32k system calls are not permitted.
+ pref("security.sandbox.rdd.win32k-disable", true);
+ // Note: win32k is currently _not_ disabled for GMP due to intermittent test
+ // failures, where the GMP process fails very early. See bug 1449348.
+ pref("security.sandbox.gmp.win32k-disable", false);
+#endif
+
+#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
+ // This pref is discussed in bug 1083344, the naming is inspired from its
+ // Windows counterpart, but on Mac it's an integer which means:
+ // 0 -> "no sandbox" (nightly only)
+ // 1 -> "preliminary content sandboxing enabled: write access to
+ // home directory is prevented"
+ // 2 -> "preliminary content sandboxing enabled with profile protection:
+ // write access to home directory is prevented, read and write access
+ // to ~/Library and profile directories are prevented (excluding
+ // $PROFILE/{extensions,chrome})"
+ // 3 -> "no global read/write access, read access permitted to
+ // $PROFILE/{extensions,chrome}"
+ // This setting is read when the content process is started. On Mac the
+ // content process is killed when all windows are closed, so a change will
+ // take effect when the 1st window is opened.
+ pref("security.sandbox.content.level", 3);
+
+ // Prefs for controlling whether and how the Mac NPAPI Flash plugin process is
+ // sandboxed. On Mac these levels are:
+ // 0 - "no sandbox"
+ // 1 - "global read access, limited write access for Flash functionality"
+ // 2 - "read access triggered by file dialog activity, limited read/write"
+ // "access for Flash functionality"
+ // 3 - "limited read/write access for Flash functionality"
+ pref("dom.ipc.plugins.sandbox-level.flash", 1);
+ // Controls the level used on older OS X versions. Is overriden when the
+ // "dom.ipc.plugins.sandbox-level.flash" is set to 0.
+ pref("dom.ipc.plugins.sandbox-level.flash.legacy", 1);
+ // The max OS minor version where we use the above legacy sandbox level.
+ pref("dom.ipc.plugins.sandbox-level.flash.max-legacy-os-minor", 10);
+ // Controls the sandbox level used by plugins other than Flash. On Mac,
+ // no other plugins are supported and this pref is only used for test
+ // plugins used in automated tests.
+ pref("dom.ipc.plugins.sandbox-level.default", 1);
+#endif
+
+#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
+ // This pref is introduced as part of bug 742434, the naming is inspired from
+ // its Windows/Mac counterpart, but on Linux it's an integer which means:
+ // 0 -> "no sandbox"
+ // 1 -> "content sandbox using seccomp-bpf when available" + ipc restrictions
+ // 2 -> "seccomp-bpf + write file broker"
+ // 3 -> "seccomp-bpf + read/write file brokering"
+ // 4 -> all of the above + network/socket restrictions + chroot
+ //
+ // The purpose of this setting is to allow Linux users or distros to disable
+ // the sandbox while we fix their problems, or to allow running Firefox with
+ // exotic configurations we can't reasonably support out of the box.
+ //
+ pref("security.sandbox.content.level", 4);
+ // Introduced as part of bug 1608558. Linux is currently the only platform
+ // that uses a sandbox level for the socket process. There are currently
+ // only 2 levels:
+ // 0 -> "no sandbox"
+ // 1 -> "sandboxed, allows socket operations and reading necessary certs"
+ pref("security.sandbox.socket.process.level", 1);
+ pref("security.sandbox.content.write_path_whitelist", "");
+ pref("security.sandbox.content.read_path_whitelist", "");
+ pref("security.sandbox.content.syscall_whitelist", "");
+#endif
+
+#if defined(XP_OPENBSD) && defined(MOZ_SANDBOX)
+ pref("security.sandbox.content.level", 1);
+#endif
+
+#if defined(MOZ_SANDBOX)
+ // ID (a UUID when set by gecko) that is used to form the name of a
+ // sandbox-writable temporary directory to be used by content processes
+ // when a temporary writable file is required in a level 1 sandbox.
+ pref("security.sandbox.content.tempDirSuffix", "");
+ pref("security.sandbox.plugin.tempDirSuffix", "");
+
+ // This pref determines if messages relevant to sandbox violations are
+ // logged.
+ #if defined(XP_WIN) || defined(XP_MACOSX)
+ pref("security.sandbox.logging.enabled", false);
+ #endif
+#endif
+
+// This pref governs whether we attempt to work around problems caused by
+// plugins using OS calls to manipulate the cursor while running out-of-
+// process. These workarounds all involve intercepting (hooking) certain
+// OS calls in the plugin process, then arranging to make certain OS calls
+// in the browser process. Eventually plugins will be required to use the
+// NPAPI to manipulate the cursor, and these workarounds will be removed.
+// See bug 621117.
+#ifdef XP_MACOSX
+ pref("dom.ipc.plugins.nativeCursorSupport", true);
+#endif
+
+#ifdef XP_WIN
+ pref("browser.taskbar.previews.enable", false);
+ pref("browser.taskbar.previews.max", 20);
+ pref("browser.taskbar.previews.cachetime", 5);
+ pref("browser.taskbar.lists.enabled", true);
+ pref("browser.taskbar.lists.frequent.enabled", true);
+ pref("browser.taskbar.lists.recent.enabled", false);
+ pref("browser.taskbar.lists.maxListItemCount", 7);
+ pref("browser.taskbar.lists.tasks.enabled", true);
+ pref("browser.taskbar.lists.refreshInSeconds", 120);
+#endif
+
+// Preferences to be synced by default
+pref("services.sync.prefs.sync.accessibility.blockautorefresh", true);
+pref("services.sync.prefs.sync.accessibility.browsewithcaret", true);
+pref("services.sync.prefs.sync.accessibility.typeaheadfind", true);
+pref("services.sync.prefs.sync.accessibility.typeaheadfind.linksonly", true);
+pref("services.sync.prefs.sync.addons.ignoreUserEnabledChanges", true);
+pref("services.sync.prefs.sync.app.shield.optoutstudies.enabled", true);
+// The addons prefs related to repository verification are intentionally
+// not synced for security reasons. If a system is compromised, a user
+// could weaken the pref locally, install an add-on from an untrusted
+// source, and this would propagate automatically to other,
+// uncompromised Sync-connected devices.
+pref("services.sync.prefs.sync.browser.contentblocking.category", true);
+pref("services.sync.prefs.sync.browser.contentblocking.features.strict", true);
+pref("services.sync.prefs.sync.browser.crashReports.unsubmittedCheck.autoSubmit2", true);
+pref("services.sync.prefs.sync.browser.ctrlTab.recentlyUsedOrder", true);
+pref("services.sync.prefs.sync.browser.discovery.enabled", true);
+pref("services.sync.prefs.sync.browser.download.useDownloadDir", true);
+pref("services.sync.prefs.sync.browser.formfill.enable", true);
+pref("services.sync.prefs.sync.browser.link.open_newwindow", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSearch", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSponsored", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.topsites", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.topSitesRows", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.snippets", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.section.topstories", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.topstories.rows", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.section.highlights", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includeVisited", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includeBookmarks", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includeDownloads", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includePocket", true);
+pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.rows", true);
+pref("services.sync.prefs.sync.browser.newtabpage.enabled", true);
+pref("services.sync.prefs.sync.browser.newtabpage.pinned", true);
+pref("services.sync.prefs.sync.browser.offline-apps.notify", true);
+pref("services.sync.prefs.sync.browser.search.update", true);
+pref("services.sync.prefs.sync.browser.search.widget.inNavBar", true);
+pref("services.sync.prefs.sync.browser.startup.homepage", true);
+pref("services.sync.prefs.sync.browser.startup.page", true);
+pref("services.sync.prefs.sync.browser.tabs.loadInBackground", true);
+pref("services.sync.prefs.sync.browser.tabs.warnOnClose", true);
+pref("services.sync.prefs.sync.browser.tabs.warnOnOpen", true);
+pref("services.sync.prefs.sync.browser.taskbar.previews.enable", true);
+pref("services.sync.prefs.sync.browser.urlbar.matchBuckets", true);
+pref("services.sync.prefs.sync.browser.urlbar.maxRichResults", true);
+pref("services.sync.prefs.sync.browser.urlbar.suggest.bookmark", true);
+pref("services.sync.prefs.sync.browser.urlbar.suggest.history", true);
+pref("services.sync.prefs.sync.browser.urlbar.suggest.openpage", true);
+pref("services.sync.prefs.sync.browser.urlbar.suggest.searches", true);
+pref("services.sync.prefs.sync.dom.disable_open_during_load", true);
+pref("services.sync.prefs.sync.dom.disable_window_flip", true);
+pref("services.sync.prefs.sync.dom.disable_window_move_resize", true);
+pref("services.sync.prefs.sync.dom.event.contextmenu.enabled", true);
+pref("services.sync.prefs.sync.extensions.update.enabled", true);
+pref("services.sync.prefs.sync.extensions.activeThemeID", true);
+pref("services.sync.prefs.sync.intl.accept_languages", true);
+pref("services.sync.prefs.sync.intl.regional_prefs.use_os_locales", true);
+pref("services.sync.prefs.sync.layout.spellcheckDefault", true);
+pref("services.sync.prefs.sync.media.autoplay.default", true);
+pref("services.sync.prefs.sync.media.eme.enabled", true);
+pref("services.sync.prefs.sync.network.cookie.cookieBehavior", true);
+pref("services.sync.prefs.sync.network.cookie.lifetimePolicy", true);
+pref("services.sync.prefs.sync.network.cookie.thirdparty.sessionOnly", true);
+pref("services.sync.prefs.sync.permissions.default.image", true);
+pref("services.sync.prefs.sync.pref.downloads.disable_button.edit_actions", true);
+pref("services.sync.prefs.sync.pref.privacy.disable_button.cookie_exceptions", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.cache", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.cookies", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.downloads", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.formdata", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.history", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.offlineApps", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.sessions", true);
+pref("services.sync.prefs.sync.privacy.clearOnShutdown.siteSettings", true);
+pref("services.sync.prefs.sync.privacy.donottrackheader.enabled", true);
+pref("services.sync.prefs.sync.privacy.fuzzyfox.enabled", false);
+pref("services.sync.prefs.sync.privacy.fuzzyfox.clockgrainus", false);
+pref("services.sync.prefs.sync.privacy.sanitize.sanitizeOnShutdown", true);
+pref("services.sync.prefs.sync.privacy.trackingprotection.enabled", true);
+pref("services.sync.prefs.sync.privacy.trackingprotection.cryptomining.enabled", true);
+pref("services.sync.prefs.sync.privacy.trackingprotection.fingerprinting.enabled", true);
+pref("services.sync.prefs.sync.privacy.trackingprotection.pbmode.enabled", true);
+pref("services.sync.prefs.sync.privacy.resistFingerprinting", true);
+pref("services.sync.prefs.sync.privacy.reduceTimerPrecision", true);
+pref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds", true);
+pref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter", true);
+pref("services.sync.prefs.sync.security.default_personal_cert", true);
+pref("services.sync.prefs.sync.services.sync.syncedTabs.showRemoteIcons", true);
+pref("services.sync.prefs.sync.signon.rememberSignons", true);
+pref("services.sync.prefs.sync.spellchecker.dictionary", true);
+
+// A preference which, if false, means sync will only apply incoming preference
+// changes if there's already a local services.sync.prefs.sync.* control pref.
+// If true, all incoming preferences will be applied and the local "control
+// pref" updated accordingly.
+pref("services.sync.prefs.dangerously_allow_arbitrary", false);
+
+// A preference that controls whether we should show the icon for a remote tab.
+// This pref has no UI but exists because some people may be concerned that
+// fetching these icons to show remote tabs may leak information about that
+// user's tabs and bookmarks. Note this pref is also synced.
+pref("services.sync.syncedTabs.showRemoteIcons", true);
+
+// Whether the character encoding menu is under the main Firefox button. This
+// preference is a string so that localizers can alter it.
+pref("browser.menu.showCharacterEncoding", "chrome://browser/locale/browser.properties");
+
+// Allow using tab-modal prompts when possible.
+pref("prompts.tab_modal.enabled", true);
+
+// Whether prompts should be content modal (1) tab modal (2) or window modal(3) by default
+// This is a fallback value for when prompt callers do not specify a modalType.
+pref("prompts.defaultModalType", 3);
+
+// Activates preloading of the new tab url.
+pref("browser.newtab.preload", true);
+
+// Activity Stream prefs that control to which page to redirect
+#ifndef RELEASE_OR_BETA
+ pref("browser.newtabpage.activity-stream.debug", false);
+#endif
+
+pref("browser.library.activity-stream.enabled", true);
+
+// The remote FxA root content URL for the Activity Stream firstrun page.
+pref("browser.newtabpage.activity-stream.fxaccounts.endpoint", "https://accounts.firefox.com/");
+
+// The pref that controls if the search shortcuts experiment is on
+pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts", true);
+
+// ASRouter provider configuration
+pref("browser.newtabpage.activity-stream.asrouter.providers.cfr", "{\"id\":\"cfr\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"cfr\",\"frequency\":{\"custom\":[{\"period\":\"daily\",\"cap\":1}]},\"categories\":[\"cfrAddons\",\"cfrFeatures\"],\"updateCycleInMs\":3600000}");
+pref("browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel", "{\"id\":\"whats-new-panel\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"whats-new-panel\",\"updateCycleInMs\":3600000}");
+pref("browser.newtabpage.activity-stream.asrouter.providers.message-groups", "{\"id\":\"message-groups\",\"enabled\":false,\"type\":\"remote-settings\",\"bucket\":\"message-groups\",\"updateCycleInMs\":3600000}");
+// This url, if changed, MUST continue to point to an https url. Pulling arbitrary content to inject into
+// this page over http opens us up to a man-in-the-middle attack that we'd rather not face. If you are a downstream
+// repackager of this code using an alternate snippet url, please keep your users safe
+pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{\"id\":\"snippets\",\"enabled\":true,\"type\":\"remote\",\"url\":\"https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/\",\"updateCycleInMs\":14400000}");
+pref("browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments", "{\"id\":\"messaging-experiments\",\"enabled\":true,\"type\":\"remote-experiments\",\"messageGroups\":[\"cfr\",\"whats-new-panel\",\"moments-page\",\"snippets\",\"cfr-fxa\",\"aboutwelcome\"],\"updateCycleInMs\":3600000}");
+
+// The pref that controls if ASRouter uses the remote fluent files.
+// It's enabled by default, but could be disabled to force ASRouter to use the local files.
+pref("browser.newtabpage.activity-stream.asrouter.useRemoteL10n", true);
+
+// These prefs control if Discovery Stream is enabled.
+pref("browser.newtabpage.activity-stream.discoverystream.enabled", true);
+pref("browser.newtabpage.activity-stream.discoverystream.hardcoded-basic-layout", false);
+pref("browser.newtabpage.activity-stream.discoverystream.spocs-endpoint", "");
+// List of regions that get stories by default.
+pref("browser.newtabpage.activity-stream.discoverystream.region-stories-config", "US,DE,CA,GB");
+// List of regions that get spocs by default.
+pref("browser.newtabpage.activity-stream.discoverystream.region-spocs-config", "US");
+// List of regions that get the 7 row layout.
+pref("browser.newtabpage.activity-stream.discoverystream.region-layout-config", "US,CA,GB");
+// Allows Pocket story collections to be dismissed.
+pref("browser.newtabpage.activity-stream.discoverystream.isCollectionDismissible", true);
+// Switch between different versions of the recommendation provider.
+pref("browser.newtabpage.activity-stream.discoverystream.personalization.version", 1);
+// Configurable keys used by personalization version 2.
+pref("browser.newtabpage.activity-stream.discoverystream.personalization.modelKeys", "nb_model_arts_and_entertainment, nb_model_autos_and_vehicles, nb_model_beauty_and_fitness, nb_model_blogging_resources_and_services, nb_model_books_and_literature, nb_model_business_and_industrial, nb_model_computers_and_electronics, nb_model_finance, nb_model_food_and_drink, nb_model_games, nb_model_health, nb_model_hobbies_and_leisure, nb_model_home_and_garden, nb_model_internet_and_telecom, nb_model_jobs_and_education, nb_model_law_and_government, nb_model_online_communities, nb_model_people_and_society, nb_model_pets_and_animals, nb_model_real_estate, nb_model_reference, nb_model_science, nb_model_shopping, nb_model_sports, nb_model_travel");
+// System pref to allow Pocket stories personalization to be turned on/off.
+pref("browser.newtabpage.activity-stream.discoverystream.recs.personalized", false);
+// System pref to allow Pocket sponsored content personalization to be turned on/off.
+pref("browser.newtabpage.activity-stream.discoverystream.spocs.personalized", true);
+
+// User pref to show stories on newtab (feeds.system.topstories has to be set to true as well)
+pref("browser.newtabpage.activity-stream.feeds.section.topstories", true);
+
+// The pref controls if search hand-off is enabled for Activity Stream.
+#ifdef NIGHTLY_BUILD
+ pref("browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", true);
+#else
+ pref("browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", false);
+#endif
+
+pref("trailhead.firstrun.branches", "join-dynamic");
+
+// Separate about welcome
+pref("browser.aboutwelcome.enabled", true);
+// Used for switching simplified 3 cards welcome to multistage welcome
+pref("browser.aboutwelcome.overrideContent", "");
+
+// The pref that controls if the What's New panel is enabled.
+pref("browser.messaging-system.whatsNewPanel.enabled", true);
+// Used for CFR messages with scores. See Bug 1594422.
+pref("browser.messaging-system.personalized-cfr.scores", "{}");
+pref("browser.messaging-system.personalized-cfr.score-threshold", 5000);
+
+// Experiment Manager
+// See Console.jsm LOG_LEVELS for all possible values
+pref("messaging-system.log", "warn");
+pref("messaging-system.rsexperimentloader.enabled", true);
+
+// Enable the DOM fullscreen API.
+pref("full-screen-api.enabled", true);
+
+// Startup Crash Tracking
+// number of startup crashes that can occur before starting into safe mode automatically
+// (this pref has no effect if more than 6 hours have passed since the last crash)
+pref("toolkit.startup.max_resumed_crashes", 3);
+
+// Whether to use RegisterApplicationRestart to restart the browser and resume
+// the session on next Windows startup
+#if defined(XP_WIN)
+ pref("toolkit.winRegisterApplicationRestart", true);
+#endif
+
+// Completely disable pdf.js as an option to preview pdfs within firefox.
+// Note: if this is not disabled it does not necessarily mean pdf.js is the pdf
+// handler just that it is an option.
+pref("pdfjs.disabled", false);
+// Used by pdf.js to know the first time firefox is run with it installed so it
+// can become the default pdf viewer.
+pref("pdfjs.firstRun", true);
+// The values of preferredAction and alwaysAskBeforeHandling before pdf.js
+// became the default.
+pref("pdfjs.previousHandler.preferredAction", 0);
+pref("pdfjs.previousHandler.alwaysAskBeforeHandling", false);
+
+// Try to convert PDFs sent as octet-stream
+pref("pdfjs.handleOctetStream", true);
+
+// Is the sidebar positioned ahead of the content browser
+pref("sidebar.position_start", true);
+
+pref("security.identitypopup.recordEventTelemetry", true);
+pref("security.protectionspopup.recordEventTelemetry", true);
+pref("security.app_menu.recordEventTelemetry", true);
+
+// Block insecure active content on https pages
+pref("security.mixed_content.block_active_content", true);
+
+// Show in-content login form warning UI for insecure login fields
+pref("security.insecure_field_warning.contextual.enabled", true);
+
+// Show degraded UI for http pages.
+pref("security.insecure_connection_icon.enabled", true);
+// Show degraded UI for http pages in private mode.
+pref("security.insecure_connection_icon.pbmode.enabled", true);
+
+// For secure connections, show gray instead of green lock icon
+pref("security.secure_connection_icon_color_gray", true);
+
+// Show "Not Secure" text for http pages; disabled for now
+pref("security.insecure_connection_text.enabled", false);
+pref("security.insecure_connection_text.pbmode.enabled", false);
+
+// 1 = allow MITM for certificate pinning checks.
+pref("security.cert_pinning.enforcement_level", 1);
+
+
+// If this turns true, Moz*Gesture events are not called stopPropagation()
+// before content.
+pref("dom.debug.propagate_gesture_events_through_content", false);
+
+// CustomizableUI debug logging.
+pref("browser.uiCustomization.debug", false);
+
+// CustomizableUI state of the browser's user interface
+pref("browser.uiCustomization.state", "");
+
+// If set to false, FxAccounts and Sync will be unavailable.
+// A restart is mandatory after flipping that preference.
+pref("identity.fxaccounts.enabled", true);
+
+// The remote FxA root content URL. Must use HTTPS.
+pref("identity.fxaccounts.remote.root", "https://accounts.firefox.com/");
+
+// The value of the context query parameter passed in fxa requests.
+pref("identity.fxaccounts.contextParam", "fx_desktop_v3");
+
+// The remote URL of the FxA Profile Server
+pref("identity.fxaccounts.remote.profile.uri", "https://profile.accounts.firefox.com/v1");
+
+// The remote URL of the FxA OAuth Server
+pref("identity.fxaccounts.remote.oauth.uri", "https://oauth.accounts.firefox.com/v1");
+
+// Whether FxA pairing using QR codes is enabled.
+pref("identity.fxaccounts.pairing.enabled", true);
+
+// The remote URI of the FxA pairing server
+pref("identity.fxaccounts.remote.pairing.uri", "wss://channelserver.services.mozilla.com");
+
+// Token server used by the FxA Sync identity.
+pref("identity.sync.tokenserver.uri", "https://token.services.mozilla.com/1.0/sync/1.5");
+
+// Fetch Sync tokens using the OAuth token function
+#ifdef NIGHTLY_BUILD
+ // Only enabled in Nightly to avoid excessive / abnormal traffic to FxA
+ pref("identity.sync.useOAuthForSyncToken", true);
+#else
+ pref("identity.sync.useOAuthForSyncToken", false);
+#endif
+
+// Using session tokens to fetch OAuth tokens
+pref("identity.fxaccounts.useSessionTokensForOAuth", true);
+
+// Auto-config URL for FxA self-hosters, makes an HTTP request to
+// [identity.fxaccounts.autoconfig.uri]/.well-known/fxa-client-configuration
+// This is now the prefered way of pointing to a custom FxA server, instead
+// of making changes to "identity.fxaccounts.*.uri".
+pref("identity.fxaccounts.autoconfig.uri", "");
+
+// URL for help link about Send Tab.
+pref("identity.sendtabpromo.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab");
+
+// URLs for promo links to mobile browsers. Note that consumers are expected to
+// append a value for utm_campaign.
+pref("identity.mobilepromo.android", "https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=");
+pref("identity.mobilepromo.ios", "https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=");
+
+// Migrate any existing Firefox Account data from the default profile to the
+// Developer Edition profile.
+#ifdef MOZ_DEV_EDITION
+ pref("identity.fxaccounts.migrateToDevEdition", true);
+#else
+ pref("identity.fxaccounts.migrateToDevEdition", false);
+#endif
+
+// If activated, send tab will use the new FxA commands backend.
+pref("identity.fxaccounts.commands.enabled", true);
+// How often should we try to fetch missed FxA commands on sync (in seconds).
+// Default is 24 hours.
+pref("identity.fxaccounts.commands.missed.fetch_interval", 86400);
+
+// Whether we should run a test-pattern through EME GMPs before assuming they'll
+// decode H.264.
+pref("media.gmp.trial-create.enabled", true);
+
+// Note: when media.gmp-*.visible is true, provided we're running on a
+// supported platform/OS version, the corresponding CDM appears in the
+// plugins list, Firefox will download the GMP/CDM if enabled, and our
+// UI to re-enable EME prompts the user to re-enable EME if it's disabled
+// and script requests EME. If *.visible is false, we won't show the UI
+// to enable the CDM if its disabled; it's as if the keysystem is completely
+// unsupported.
+
+#ifdef MOZ_WIDEVINE_EME
+ pref("media.gmp-widevinecdm.visible", true);
+ pref("media.gmp-widevinecdm.enabled", true);
+#endif
+
+pref("media.gmp-gmpopenh264.visible", true);
+pref("media.gmp-gmpopenh264.enabled", true);
+
+// Set Firefox to block autoplay, asking for permission by default.
+pref("media.autoplay.default", 1); // 0=Allowed, 1=Blocked, 5=All Blocked
+
+#ifdef NIGHTLY_BUILD
+ // Block WebAudio from playing automatically.
+ pref("media.autoplay.block-webaudio", true);
+#else
+ pref("media.autoplay.block-webaudio", false);
+#endif
+
+pref("media.videocontrols.picture-in-picture.enabled", true);
+pref("media.videocontrols.picture-in-picture.video-toggle.enabled", true);
+
+#ifdef NIGHTLY_BUILD
+ // Show the audio toggle for Picture-in-Picture.
+ pref("media.videocontrols.picture-in-picture.audio-toggle.enabled", true);
+ // Enable keyboard controls for Picture-in-Picture.
+ pref("media.videocontrols.picture-in-picture.keyboard-controls.enabled", true);
+#else
+ pref("media.videocontrols.picture-in-picture.audio-toggle.enabled", false);
+ pref("media.videocontrols.picture-in-picture.keyboard-controls.enabled", false);
+#endif
+
+pref("browser.translation.detectLanguage", false);
+pref("browser.translation.neverForLanguages", "");
+// Show the translation UI bits, like the info bar, notification icon and preferences.
+pref("browser.translation.ui.show", false);
+// Allows to define the translation engine. Google is default, Bing or Yandex are other options.
+pref("browser.translation.engine", "Google");
+
+// Telemetry settings.
+// Determines if Telemetry pings can be archived locally.
+pref("toolkit.telemetry.archive.enabled", true);
+// Enables sending the shutdown ping when Firefox shuts down.
+pref("toolkit.telemetry.shutdownPingSender.enabled", true);
+// Enables sending the shutdown ping using the pingsender from the first session.
+pref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false);
+// Enables sending a duplicate of the first shutdown ping from the first session.
+pref("toolkit.telemetry.firstShutdownPing.enabled", true);
+// Enables sending the 'new-profile' ping on new profiles.
+pref("toolkit.telemetry.newProfilePing.enabled", true);
+// Enables sending 'update' pings on Firefox updates.
+pref("toolkit.telemetry.updatePing.enabled", true);
+// Enables sending 'bhr' pings when the browser hangs.
+pref("toolkit.telemetry.bhrPing.enabled", true);
+// Whether to enable Ecosystem Telemetry, requires a restart.
+pref("toolkit.telemetry.ecosystemtelemetry.enabled", false);
+
+// Ping Centre Telemetry settings.
+pref("browser.ping-centre.telemetry", true);
+pref("browser.ping-centre.log", false);
+
+// Enable GMP support in the addon manager.
+pref("media.gmp-provider.enabled", true);
+
+// Enable blocking access to storage from tracking resources by default.
+pref("network.cookie.cookieBehavior", 4 /* BEHAVIOR_REJECT_TRACKER */);
+
+// Enable fingerprinting blocking by default for all channels, only on desktop.
+pref("privacy.trackingprotection.fingerprinting.enabled", true);
+
+// Enable cryptomining blocking by default for all channels, only on desktop.
+pref("privacy.trackingprotection.cryptomining.enabled", true);
+
+pref("browser.contentblocking.database.enabled", true);
+
+pref("dom.storage_access.enabled", true);
+
+pref("browser.contentblocking.cryptomining.preferences.ui.enabled", true);
+pref("browser.contentblocking.fingerprinting.preferences.ui.enabled", true);
+#ifdef NIGHTLY_BUILD
+ // Enable cookieBehavior = BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN as an option in the custom category ui
+ pref("browser.contentblocking.reject-and-isolate-cookies.preferences.ui.enabled", true);
+#endif
+
+// Possible values for browser.contentblocking.features.strict pref:
+// Tracking Protection:
+// "tp": tracking protection enabled
+// "-tp": tracking protection disabled
+// Tracking Protection in private windows:
+// "tpPrivate": tracking protection in private windows enabled
+// "-tpPrivate": tracking protection in private windows disabled
+// Fingerprinting:
+// "fp": fingerprinting blocking enabled
+// "-fp": fingerprinting blocking disabled
+// Cryptomining:
+// "cm": cryptomining blocking enabled
+// "-cm": cryptomining blocking disabled
+// Social Tracking Protection:
+// "stp": social tracking protection enabled
+// "-stp": social tracking protection disabled
+// Cookie behavior:
+// "cookieBehavior0": cookie behaviour BEHAVIOR_ACCEPT
+// "cookieBehavior1": cookie behaviour BEHAVIOR_REJECT_FOREIGN
+// "cookieBehavior2": cookie behaviour BEHAVIOR_REJECT
+// "cookieBehavior3": cookie behaviour BEHAVIOR_LIMIT_FOREIGN
+// "cookieBehavior4": cookie behaviour BEHAVIOR_REJECT_TRACKER
+// "cookieBehavior5": cookie behaviour BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN
+// One value from each section must be included in the browser.contentblocking.features.strict pref.
+pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior4,cm,fp,stp");
+
+// Hide the "Change Block List" link for trackers/tracking content in the custom
+// Content Blocking/ETP panel. By default, it will not be visible. There is also
+// an UI migration in place to set this pref to true if a user has a custom block
+// lists enabled.
+pref("browser.contentblocking.customBlockList.preferences.ui.enabled", false);
+
+pref("browser.contentblocking.reportBreakage.url", "https://tracking-protection-issues.herokuapp.com/new");
+
+// Enable Protections report's Lockwise card by default.
+pref("browser.contentblocking.report.lockwise.enabled", true);
+
+// Enable Protections report's Monitor card by default.
+pref("browser.contentblocking.report.monitor.enabled", true);
+
+// Disable Protections report's Proxy card by default.
+pref("browser.contentblocking.report.proxy.enabled", false);
+
+// Disable the mobile promotion by default.
+pref("browser.contentblocking.report.show_mobile_app", false);
+
+pref("browser.contentblocking.report.monitor.url", "https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections");
+pref("browser.contentblocking.report.monitor.how_it_works.url", "https://monitor.firefox.com/about");
+pref("browser.contentblocking.report.monitor.sign_in_url", "https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protections&email=");
+pref("browser.contentblocking.report.monitor.preferences_url", "https://monitor.firefox.com/user/preferences");
+pref("browser.contentblocking.report.monitor.home_page_url", "https://monitor.firefox.com/user/dashboard");
+pref("browser.contentblocking.report.manage_devices.url", "https://accounts.firefox.com/settings/clients");
+pref("browser.contentblocking.report.endpoint_url", "https://monitor.firefox.com/user/breach-stats?includeResolved=true");
+pref("browser.contentblocking.report.proxy_extension.url", "https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-protections&utm_content=about-protections");
+pref("browser.contentblocking.report.lockwise.mobile-ios.url", "https://apps.apple.com/app/id1314000270");
+pref("browser.contentblocking.report.lockwise.mobile-android.url", "https://play.google.com/store/apps/details?id=mozilla.lockbox&referrer=utm_source%3Dprotection_report%26utm_content%3Dmobile_promotion");
+pref("browser.contentblocking.report.mobile-ios.url", "https://apps.apple.com/app/firefox-private-safe-browser/id989804926");
+pref("browser.contentblocking.report.mobile-android.url", "https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_report%26utm_content%3Dmobile_promotion");
+
+// Protection Report's SUMO urls
+pref("browser.contentblocking.report.lockwise.how_it_works.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report");
+pref("browser.contentblocking.report.social.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report");
+pref("browser.contentblocking.report.cookie.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report");
+pref("browser.contentblocking.report.tracker.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report");
+pref("browser.contentblocking.report.fingerprinter.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report");
+pref("browser.contentblocking.report.cryptominer.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report");
+
+pref("browser.contentblocking.cfr-milestone.enabled", true);
+pref("browser.contentblocking.cfr-milestone.milestone-achieved", 0);
+// Milestones should always be in increasing order
+pref("browser.contentblocking.cfr-milestone.milestones", "[1000, 5000, 10000, 25000, 50000, 100000, 500000]");
+
+// Enables the new Protections Panel.
+#ifdef NIGHTLY_BUILD
+ pref("browser.protections_panel.enabled", true);
+ pref("browser.protections_panel.infoMessage.seen", false);
+#endif
+
+// Always enable newtab segregation using containers
+pref("privacy.usercontext.about_newtab_segregation.enabled", true);
+// Enable Contextual Identity Containers
+#ifdef NIGHTLY_BUILD
+ pref("privacy.userContext.enabled", true);
+ pref("privacy.userContext.ui.enabled", true);
+#else
+ pref("privacy.userContext.enabled", false);
+ pref("privacy.userContext.ui.enabled", false);
+#endif
+pref("privacy.userContext.extension", "");
+// allows user to open container menu on a left click instead of a new
+// tab in the default container
+pref("privacy.userContext.newTabContainerOnLeftClick.enabled", false);
+
+// Set to true to allow the user to silence all notifications when
+// sharing the screen.
+pref("privacy.webrtc.allowSilencingNotifications", false);
+// Set to true to use the legacy WebRTC global indicator
+pref("privacy.webrtc.legacyGlobalIndicator", true);
+// Set to true to enable a warning displayed when attempting
+// to switch tabs in a window that's being shared over WebRTC.
+pref("privacy.webrtc.sharedTabWarning", false);
+
+// Start the browser in e10s mode
+pref("browser.tabs.remote.autostart", true);
+pref("browser.tabs.remote.desktopbehavior", true);
+
+// Run media transport in a separate process?
+#ifdef NIGHTLY_BUILD
+ pref("media.peerconnection.mtransport_process", true);
+#else
+ pref("media.peerconnection.mtransport_process", false);
+#endif
+
+// For speculatively warming up tabs to improve perceived
+// performance while using the async tab switcher.
+pref("browser.tabs.remote.warmup.enabled", true);
+
+// Caches tab layers to improve perceived performance
+// of tab switches.
+pref("browser.tabs.remote.tabCacheSize", 0);
+
+pref("browser.tabs.remote.warmup.maxTabs", 3);
+pref("browser.tabs.remote.warmup.unloadDelayMs", 2000);
+
+// For the about:tabcrashed page
+pref("browser.tabs.crashReporting.sendReport", true);
+pref("browser.tabs.crashReporting.includeURL", false);
+pref("browser.tabs.crashReporting.requestEmail", false);
+pref("browser.tabs.crashReporting.emailMe", false);
+pref("browser.tabs.crashReporting.email", "");
+
+// If true, unprivileged extensions may use experimental APIs on
+// nightly and developer edition.
+pref("extensions.experiments.enabled", false);
+
+#if defined(XP_WIN)
+ // Allows us to deprioritize the processes of background tabs at an OS level
+ pref("dom.ipc.processPriorityManager.enabled", true);
+#endif
+
+// Don't limit how many nodes we care about on desktop:
+pref("reader.parse-node-limit", 0);
+
+// On desktop, we want the URLs to be included here for ease of debugging,
+// and because (normally) these errors are not persisted anywhere.
+pref("reader.errors.includeURLs", true);
+
+pref("view_source.tab", true);
+
+pref("dom.serviceWorkers.enabled", true);
+
+// Enable Push API.
+pref("dom.push.enabled", true);
+
+// These are the thumbnail width/height set in about:newtab.
+// If you change this, ENSURE IT IS THE SAME SIZE SET
+// by about:newtab. These values are in CSS pixels.
+pref("toolkit.pageThumbs.minWidth", 280);
+pref("toolkit.pageThumbs.minHeight", 190);
+
+// Enable speech synthesis
+pref("media.webspeech.synth.enabled", true);
+
+pref("browser.esedbreader.loglevel", "Error");
+
+pref("browser.laterrun.enabled", false);
+
+pref("dom.ipc.processPrelaunch.enabled", true);
+
+// See comments in bug 1340115 on how we got to these numbers.
+pref("browser.migrate.chrome.history.limit", 2000);
+pref("browser.migrate.chrome.history.maxAgeInDays", 180);
+
+pref("extensions.pocket.api", "api.getpocket.com");
+pref("extensions.pocket.enabled", true);
+pref("extensions.pocket.oAuthConsumerKey", "40249-e88c401e1b1f2242d9e441c4");
+pref("extensions.pocket.site", "getpocket.com");
+
+// Can be removed once Bug 1618058 is resolved.
+pref("signon.generation.confidenceThreshold", "0.75");
+
+#ifdef NIGHTLY_BUILD
+pref("signon.management.page.os-auth.enabled", true);
+#else
+pref("signon.management.page.os-auth.enabled", false);
+#endif
+pref("signon.management.page.breach-alerts.enabled", true);
+pref("signon.management.page.vulnerable-passwords.enabled", true);
+pref("signon.management.page.sort", "name");
+// The utm_creative value is appended within the code (specific to the location on
+// where it is clicked). Be sure that if these two prefs are updated, that
+// the utm_creative param be last.
+pref("signon.management.page.mobileAndroidURL", "https://app.adjust.com/6tteyjo?redirect=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dmozilla.lockbox&utm_campaign=Desktop&utm_adgroup=InProduct&utm_creative=");
+pref("signon.management.page.mobileAppleURL", "https://app.adjust.com/6tteyjo?redirect=https%3A%2F%2Fitunes.apple.com%2Fapp%2Fid1314000270%3Fmt%3D8&utm_campaign=Desktop&utm_adgroup=InProduct&utm_creative=");
+pref("signon.management.page.breachAlertUrl",
+ "https://monitor.firefox.com/breach-details/");
+pref("signon.management.page.hideMobileFooter", false);
+pref("signon.management.page.showPasswordSyncNotification", true);
+pref("signon.passwordEditCapture.enabled", true);
+pref("signon.showAutoCompleteFooter", true);
+pref("signon.showAutoCompleteImport", "");
+
+// Enable the "Simplify Page" feature in Print Preview. This feature
+// is disabled by default in toolkit.
+pref("print.use_simplify_page", true);
+
+// Space separated list of URLS that are allowed to send objects (instead of
+// only strings) through webchannels. This list is duplicated in mobile/android/app/mobile.js
+pref("webchannel.allowObject.urlWhitelist", "https://content.cdn.mozilla.net https://support.mozilla.org https://install.mozilla.org");
+
+// Whether or not the browser should scan for unsubmitted
+// crash reports, and then show a notification for submitting
+// those reports.
+#ifdef NIGHTLY_BUILD
+ pref("browser.crashReports.unsubmittedCheck.enabled", true);
+#else
+ pref("browser.crashReports.unsubmittedCheck.enabled", false);
+#endif
+
+// chancesUntilSuppress is how many times we'll show the unsubmitted
+// crash report notification across different days and shutdown
+// without a user choice before we suppress the notification for
+// some number of days.
+pref("browser.crashReports.unsubmittedCheck.chancesUntilSuppress", 4);
+pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
+
+// Preferences for the form autofill system extension
+// The truthy values of "extensions.formautofill.available" are "on" and "detect",
+// any other value means autofill isn't available.
+// "detect" means it's enabled if conditions defined in the extension are met.
+#ifdef NIGHTLY_BUILD
+ pref("extensions.formautofill.available", "on");
+#else
+ pref("extensions.formautofill.available", "detect");
+#endif
+pref("extensions.formautofill.creditCards.available", false);
+pref("extensions.formautofill.addresses.enabled", true);
+pref("extensions.formautofill.creditCards.enabled", true);
+// Pref for shield/heartbeat to recognize users who have used Credit Card
+// Autofill. The valid values can be:
+// 0: none
+// 1: submitted a manually-filled credit card form (but didn't see the doorhanger
+// because of a duplicate profile in the storage)
+// 2: saw the doorhanger
+// 3: submitted an autofill'ed credit card form
+pref("extensions.formautofill.creditCards.used", 0);
+pref("extensions.formautofill.firstTimeUse", true);
+pref("extensions.formautofill.heuristics.enabled", true);
+// Whether the user enabled the OS re-auth dialog.
+pref("extensions.formautofill.reauth.enabled", false);
+pref("extensions.formautofill.section.enabled", true);
+pref("extensions.formautofill.loglevel", "Warn");
+
+pref("toolkit.osKeyStore.loglevel", "Warn");
+
+#ifdef NIGHTLY_BUILD
+ // Comma separated list of countries Form Autofill is available in.
+ pref("extensions.formautofill.supportedCountries", "US,CA,DE");
+ pref("extensions.formautofill.supportRTL", true);
+#else
+ pref("extensions.formautofill.supportedCountries", "US");
+ pref("extensions.formautofill.supportRTL", false);
+#endif
+
+// Whether or not to restore a session with lazy-browser tabs.
+pref("browser.sessionstore.restore_tabs_lazily", true);
+
+pref("browser.suppress_first_window_animation", true);
+
+// Preference that allows individual users to disable Screenshots.
+pref("extensions.screenshots.disabled", false);
+// Preference that allows individual users to leave Screenshots enabled, but
+// disable uploading to the server.
+pref("extensions.screenshots.upload-disabled", false);
+
+// DoH Rollout: the earliest date of profile creation for which we don't need
+// to show the doorhanger. This is when the version of the privacy statement
+// that includes DoH went live - Oct 31, 2019. This has to be a string because
+// the number is outside the signed 32-bit integer range.
+pref("doh-rollout.profileCreationThreshold", "1572476400000");
+
+// DoH Rollout: whether to enable automatic performance-based TRR-selection.
+// This pref is controlled by a Normandy rollout so we don't overload providers.
+pref("doh-rollout.trr-selection.enabled", false);
+
+// URL for Learn More link for browser error logging in preferences
+pref("browser.chrome.errorReporter.infoURL",
+ "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/nightly-error-collection");
+
+// Normandy client preferences
+pref("app.normandy.api_url", "https://normandy.cdn.mozilla.net/api/v1");
+pref("app.normandy.dev_mode", false);
+pref("app.normandy.enabled", true);
+pref("app.normandy.first_run", true);
+pref("app.normandy.logging.level", 50); // Warn
+pref("app.normandy.run_interval_seconds", 21600); // 6 hours
+pref("app.normandy.shieldLearnMoreUrl", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield");
+pref("app.normandy.last_seen_buildid", "");
+pref("app.normandy.onsync_skew_sec", 600);
+#ifdef MOZ_DATA_REPORTING
+ pref("app.shield.optoutstudies.enabled", true);
+#else
+ pref("app.shield.optoutstudies.enabled", false);
+#endif
+
+// Web apps support
+pref("browser.ssb.enabled", false);
+
+// Multi-lingual preferences
+#if defined(RELEASE_OR_BETA) && !defined(MOZ_DEV_EDITION)
+ pref("intl.multilingual.enabled", true);
+ pref("intl.multilingual.downloadEnabled", true);
+#else
+ pref("intl.multilingual.enabled", false);
+ // AMO only serves language packs for release and beta versions.
+ pref("intl.multilingual.downloadEnabled", false);
+#endif
+
+// Simulate conditions that will happen when the browser
+// is running with Fission enabled. This is meant to assist
+// development and testing of Fission.
+// The current simulated conditions are:
+// - Don't propagate events from subframes to JS child actors
+pref("fission.frontend.simulate-events", false);
+// - Only deliver subframe messages that specifies
+// their destination (using the BrowsingContext id).
+pref("fission.frontend.simulate-messages", false);
+
+// Coverage ping is disabled by default.
+pref("toolkit.coverage.enabled", false);
+pref("toolkit.coverage.endpoint.base", "https://coverage.mozilla.org");
+
+// Discovery prefs
+pref("browser.discovery.enabled", true);
+pref("browser.discovery.containers.enabled", true);
+pref("browser.discovery.sites", "addons.mozilla.org");
+
+pref("browser.engagement.recent_visited_origins.expiry", 86400); // 24 * 60 * 60 (24 hours in seconds)
+
+pref("browser.aboutConfig.showWarning", true);
+
+pref("browser.toolbars.keyboard_navigation", true);
+
+// Prefs to control the Firefox Account toolbar menu.
+// This pref will surface existing Firefox Account information
+// as a button next to the hamburger menu. It allows
+// quick access to sign-in and manage your Firefox Account.
+pref("identity.fxaccounts.toolbar.enabled", true);
+pref("identity.fxaccounts.toolbar.accessed", false);
+
+// Prefs for different services supported by Firefox Account
+pref("identity.fxaccounts.service.sendLoginUrl", "https://send.firefox.com/login/");
+pref("identity.fxaccounts.service.monitorLoginUrl", "https://monitor.firefox.com/");
+
+// Check bundled omni JARs for corruption.
+pref("corroborator.enabled", true);
+
+// Toolbox preferences
+pref("devtools.toolbox.footer.height", 250);
+pref("devtools.toolbox.sidebar.width", 500);
+pref("devtools.toolbox.host", "bottom");
+pref("devtools.toolbox.previousHost", "right");
+pref("devtools.toolbox.selectedTool", "inspector");
+pref("devtools.toolbox.sideEnabled", true);
+pref("devtools.toolbox.zoomValue", "1");
+pref("devtools.toolbox.splitconsoleEnabled", false);
+pref("devtools.toolbox.splitconsoleHeight", 100);
+pref("devtools.toolbox.tabsOrder", "");
+
+// The fission pref for enabling the "Multiprocess Browser Toolbox", which will
+// make it possible to debug anything in Firefox (See Bug 1570639 for more
+// information).
+#if defined(NIGHTLY_BUILD)
+pref("devtools.browsertoolbox.fission", true);
+#else
+pref("devtools.browsertoolbox.fission", false);
+#endif
+
+// The fission pref for enabling Fission frame debugging directly from the
+// regular web/content toolbox.
+// ⚠ This is a work in progress. Expect weirdness when the pref is enabled. ⚠
+pref("devtools.contenttoolbox.fission", false);
+
+// This pref is also related to fission, but not only. It allows the toolbox
+// to stay open even if the debugged tab switches to another process.
+// It can happen between two documents, one running in the parent process like
+// about:sessionrestore and another one running in the content process like
+// any web page. Or between two distinct domain when running with fission turned
+// on. See bug 1565263.
+// ⚠ This is a work in progress. Expect weirdness when the pref is flipped on ⚠
+pref("devtools.target-switching.enabled", false);
+
+// Toolbox Button preferences
+pref("devtools.command-button-pick.enabled", true);
+pref("devtools.command-button-frames.enabled", true);
+pref("devtools.command-button-splitconsole.enabled", true);
+pref("devtools.command-button-paintflashing.enabled", false);
+pref("devtools.command-button-responsive.enabled", true);
+pref("devtools.command-button-screenshot.enabled", false);
+pref("devtools.command-button-rulers.enabled", false);
+pref("devtools.command-button-measure.enabled", false);
+pref("devtools.command-button-noautohide.enabled", false);
+#ifndef MOZILLA_OFFICIAL
+ pref("devtools.command-button-fission-prefs.enabled", true);
+#endif
+
+// Inspector preferences
+// Enable the Inspector
+pref("devtools.inspector.enabled", true);
+// What was the last active sidebar in the inspector
+pref("devtools.inspector.activeSidebar", "layoutview");
+pref("devtools.inspector.remote", false);
+
+// Enable the 3 pane mode in the inspector
+pref("devtools.inspector.three-pane-enabled", true);
+// Enable the 3 pane mode in the chrome inspector
+pref("devtools.inspector.chrome.three-pane-enabled", false);
+// Collapse pseudo-elements by default in the rule-view
+pref("devtools.inspector.show_pseudo_elements", false);
+// The default size for image preview tooltips in the rule-view/computed-view/markup-view
+pref("devtools.inspector.imagePreviewTooltipSize", 300);
+// Enable user agent style inspection in rule-view
+pref("devtools.inspector.showUserAgentStyles", false);
+// Show native anonymous content and user agent shadow roots
+pref("devtools.inspector.showAllAnonymousContent", false);
+// Enable the new Rules View
+pref("devtools.inspector.new-rulesview.enabled", false);
+// Enable the compatibility tool in the inspector.
+#if defined(NIGHTLY_BUILD) || defined(MOZ_DEV_EDITION)
+pref("devtools.inspector.compatibility.enabled", true);
+#else
+pref("devtools.inspector.compatibility.enabled", false);
+#endif
+// Enable color scheme simulation in the inspector.
+pref("devtools.inspector.color-scheme-simulation.enabled", false);
+
+// Grid highlighter preferences
+pref("devtools.gridinspector.gridOutlineMaxColumns", 50);
+pref("devtools.gridinspector.gridOutlineMaxRows", 50);
+pref("devtools.gridinspector.showGridAreas", false);
+pref("devtools.gridinspector.showGridLineNumbers", false);
+pref("devtools.gridinspector.showInfiniteLines", false);
+// Max number of grid highlighters that can be displayed
+pref("devtools.gridinspector.maxHighlighters", 3);
+
+// Compatibility preferences
+// Stringified array of target browsers that users investigate.
+pref("devtools.inspector.compatibility.target-browsers", "");
+
+// Whether or not the box model panel is opened in the layout view
+pref("devtools.layout.boxmodel.opened", true);
+// Whether or not the flexbox panel is opened in the layout view
+pref("devtools.layout.flexbox.opened", true);
+// Whether or not the flexbox container panel is opened in the layout view
+pref("devtools.layout.flex-container.opened", true);
+// Whether or not the flexbox item panel is opened in the layout view
+pref("devtools.layout.flex-item.opened", true);
+// Whether or not the grid inspector panel is opened in the layout view
+pref("devtools.layout.grid.opened", true);
+
+// Enable hovering Box Model values and jumping to their source CSS rule in the
+// rule-view.
+#if defined(NIGHTLY_BUILD)
+ pref("devtools.layout.boxmodel.highlightProperty", true);
+#else
+ pref("devtools.layout.boxmodel.highlightProperty", false);
+#endif
+
+// By how many times eyedropper will magnify pixels
+pref("devtools.eyedropper.zoom", 6);
+
+// Enable to collapse attributes that are too long.
+pref("devtools.markup.collapseAttributes", true);
+// Length to collapse attributes
+pref("devtools.markup.collapseAttributeLength", 120);
+// Whether to auto-beautify the HTML on copy.
+pref("devtools.markup.beautifyOnCopy", false);
+// Whether or not the DOM mutation breakpoints context menu are enabled in the
+// markup view.
+pref("devtools.markup.mutationBreakpoints.enabled", true);
+
+// DevTools default color unit
+pref("devtools.defaultColorUnit", "authored");
+
+// Enable the Memory tools
+pref("devtools.memory.enabled", true);
+
+pref("devtools.memory.custom-census-displays", "{}");
+pref("devtools.memory.custom-label-displays", "{}");
+pref("devtools.memory.custom-tree-map-displays", "{}");
+
+pref("devtools.memory.max-individuals", 1000);
+pref("devtools.memory.max-retaining-paths", 10);
+
+// Enable the Performance tools
+pref("devtools.performance.enabled", true);
+
+// The default Performance UI settings
+pref("devtools.performance.memory.sample-probability", "0.05");
+// Can't go higher than this without causing internal allocation overflows while
+// serializing the allocations data over the RDP.
+pref("devtools.performance.memory.max-log-length", 125000);
+pref("devtools.performance.timeline.hidden-markers",
+ "[\"Composite\",\"CompositeForwardTransaction\"]");
+pref("devtools.performance.profiler.buffer-size", 10000000);
+pref("devtools.performance.profiler.sample-frequency-hz", 1000);
+pref("devtools.performance.ui.invert-call-tree", true);
+pref("devtools.performance.ui.invert-flame-graph", false);
+pref("devtools.performance.ui.flatten-tree-recursion", true);
+pref("devtools.performance.ui.show-platform-data", false);
+pref("devtools.performance.ui.show-idle-blocks", true);
+pref("devtools.performance.ui.enable-memory", false);
+pref("devtools.performance.ui.enable-allocations", false);
+pref("devtools.performance.ui.enable-framerate", true);
+pref("devtools.performance.ui.show-jit-optimizations", false);
+pref("devtools.performance.ui.show-triggers-for-gc-types",
+ "TOO_MUCH_MALLOC ALLOC_TRIGGER LAST_DITCH EAGER_ALLOC_TRIGGER");
+
+// Temporary pref disabling memory flame views
+// TODO remove once we have flame charts via bug 1148663
+pref("devtools.performance.ui.enable-memory-flame", false);
+
+// Enable experimental options in the UI only in Nightly
+#if defined(NIGHTLY_BUILD)
+ pref("devtools.performance.ui.experimental", true);
+#else
+ pref("devtools.performance.ui.experimental", false);
+#endif
+
+// The default cache UI setting
+pref("devtools.cache.disabled", false);
+
+// The default service workers UI setting
+pref("devtools.serviceWorkers.testing.enabled", false);
+
+// Enable the Network Monitor
+pref("devtools.netmonitor.enabled", true);
+
+pref("devtools.netmonitor.features.search", true);
+pref("devtools.netmonitor.features.requestBlocking", true);
+
+// Enable the Application panel on Nightly
+#if defined(NIGHTLY_BUILD) || defined(MOZ_DEV_EDITION)
+ pref("devtools.application.enabled", true);
+#else
+ pref("devtools.application.enabled", false);
+#endif
+
+// The default Network Monitor UI settings
+pref("devtools.netmonitor.panes-network-details-width", 550);
+pref("devtools.netmonitor.panes-network-details-height", 450);
+pref("devtools.netmonitor.panes-search-width", 550);
+pref("devtools.netmonitor.panes-search-height", 450);
+pref("devtools.netmonitor.filters", "[\"all\"]");
+pref("devtools.netmonitor.visibleColumns",
+ "[\"status\",\"method\",\"domain\",\"file\",\"initiator\",\"type\",\"transferred\",\"contentSize\",\"waterfall\"]"
+);
+pref("devtools.netmonitor.columnsData",
+ '[{"name":"status","minWidth":30,"width":5}, {"name":"method","minWidth":30,"width":5}, {"name":"domain","minWidth":30,"width":10}, {"name":"file","minWidth":30,"width":25}, {"name":"url","minWidth":30,"width":25},{"name":"initiator","minWidth":30,"width":10},{"name":"type","minWidth":30,"width":5},{"name":"transferred","minWidth":30,"width":10},{"name":"contentSize","minWidth":30,"width":5},{"name":"waterfall","minWidth":150,"width":15}]');
+pref("devtools.netmonitor.ws.payload-preview-height", 128);
+pref("devtools.netmonitor.ws.visibleColumns",
+ '["data", "time"]'
+);
+pref("devtools.netmonitor.ws.displayed-frames.limit", 500);
+
+pref("devtools.netmonitor.response.ui.limit", 10240);
+
+// Save request/response bodies yes/no.
+pref("devtools.netmonitor.saveRequestAndResponseBodies", true);
+
+// The default Network monitor HAR export setting
+pref("devtools.netmonitor.har.defaultLogDir", "");
+pref("devtools.netmonitor.har.defaultFileName", "%hostname_Archive [%date]");
+pref("devtools.netmonitor.har.jsonp", false);
+pref("devtools.netmonitor.har.jsonpCallback", "");
+pref("devtools.netmonitor.har.includeResponseBodies", true);
+pref("devtools.netmonitor.har.compress", false);
+pref("devtools.netmonitor.har.forceExport", false);
+pref("devtools.netmonitor.har.pageLoadedTimeout", 1500);
+pref("devtools.netmonitor.har.enableAutoExportToFile", false);
+
+pref("devtools.netmonitor.features.webSockets", true);
+
+// Disable the EventSource Inspector.
+pref("devtools.netmonitor.features.serverSentEvents", false);
+
+// Enable the Storage Inspector
+pref("devtools.storage.enabled", true);
+
+// Enable the Style Editor.
+pref("devtools.styleeditor.enabled", true);
+pref("devtools.styleeditor.autocompletion-enabled", true);
+pref("devtools.styleeditor.showMediaSidebar", true);
+pref("devtools.styleeditor.mediaSidebarWidth", 238);
+pref("devtools.styleeditor.navSidebarWidth", 245);
+pref("devtools.styleeditor.transitions", true);
+
+// Screenshot Option Settings.
+pref("devtools.screenshot.clipboard.enabled", false);
+pref("devtools.screenshot.audio.enabled", true);
+
+// Make sure the DOM panel is hidden by default
+pref("devtools.dom.enabled", false);
+
+// Enable the Accessibility panel.
+pref("devtools.accessibility.enabled", true);
+// Enable accessibility panel auto initialization on early beta and dev edition.
+#if defined(EARLY_BETA_OR_EARLIER) || defined(MOZ_DEV_EDITION)
+ pref("devtools.accessibility.auto-init.enabled", true);
+#else
+ pref("devtools.accessibility.auto-init.enabled", false);
+#endif
+
+// Web console filters
+pref("devtools.webconsole.filter.error", true);
+pref("devtools.webconsole.filter.warn", true);
+pref("devtools.webconsole.filter.info", true);
+pref("devtools.webconsole.filter.log", true);
+pref("devtools.webconsole.filter.debug", true);
+pref("devtools.webconsole.filter.css", false);
+pref("devtools.webconsole.filter.net", false);
+pref("devtools.webconsole.filter.netxhr", false);
+
+// Webconsole autocomplete preference
+pref("devtools.webconsole.input.autocomplete",true);
+
+// Show context selector in console input, in the browser toolbox
+#if defined(NIGHTLY_BUILD)
+ pref("devtools.webconsole.input.context", true);
+#else
+ pref("devtools.webconsole.input.context", false);
+#endif
+
+// Show context selector in console input, in the content toolbox
+pref("devtools.contenttoolbox.webconsole.input.context", false);
+
+// Set to true to eagerly show the results of webconsole terminal evaluations
+// when they don't have side effects.
+pref("devtools.webconsole.input.eagerEvaluation", true);
+
+// Browser console filters
+pref("devtools.browserconsole.filter.error", true);
+pref("devtools.browserconsole.filter.warn", true);
+pref("devtools.browserconsole.filter.info", true);
+pref("devtools.browserconsole.filter.log", true);
+pref("devtools.browserconsole.filter.debug", true);
+pref("devtools.browserconsole.filter.css", false);
+pref("devtools.browserconsole.filter.net", false);
+pref("devtools.browserconsole.filter.netxhr", false);
+
+// Max number of inputs to store in web console history.
+pref("devtools.webconsole.inputHistoryCount", 300);
+
+// Persistent logging: |true| if you want the relevant tool to keep all of the
+// logged messages after reloading the page, |false| if you want the output to
+// be cleared each time page navigation happens.
+pref("devtools.webconsole.persistlog", false);
+pref("devtools.netmonitor.persistlog", false);
+
+// Web Console timestamp: |true| if you want the logs and instructions
+// in the Web Console to display a timestamp, or |false| to not display
+// any timestamps.
+pref("devtools.webconsole.timestampMessages", false);
+
+// Enable the webconsole sidebar toggle in Nightly builds.
+#if defined(NIGHTLY_BUILD)
+ pref("devtools.webconsole.sidebarToggle", true);
+#else
+ pref("devtools.webconsole.sidebarToggle", false);
+#endif
+
+// Saved editor mode state in the console.
+pref("devtools.webconsole.input.editor", false);
+pref("devtools.browserconsole.input.editor", false);
+
+// Editor width for webconsole and browserconsole.
+pref("devtools.webconsole.input.editorWidth", 0);
+pref("devtools.browserconsole.input.editorWidth", 0);
+
+// Display an onboarding UI for the Editor mode.
+pref("devtools.webconsole.input.editorOnboarding", true);
+
+// Disable the new performance recording panel by default
+pref("devtools.performance.new-panel-enabled", false);
+
+// Enable message grouping in the console, true by default
+pref("devtools.webconsole.groupWarningMessages", true);
+
+// Saved state of the Display content messages checkbox in the browser console.
+pref("devtools.browserconsole.contentMessages", false);
+
+// Enable client-side mapping service for source maps
+pref("devtools.source-map.client-service.enabled", true);
+
+// The number of lines that are displayed in the web console.
+pref("devtools.hud.loglimit", 10000);
+
+// The developer tools editor configuration:
+// - tabsize: how many spaces to use when a Tab character is displayed.
+// - expandtab: expand Tab characters to spaces.
+// - keymap: which keymap to use (can be 'default', 'emacs' or 'vim')
+// - autoclosebrackets: whether to permit automatic bracket/quote closing.
+// - detectindentation: whether to detect the indentation from the file
+// - enableCodeFolding: Whether to enable code folding or not.
+pref("devtools.editor.tabsize", 2);
+pref("devtools.editor.expandtab", true);
+pref("devtools.editor.keymap", "default");
+pref("devtools.editor.autoclosebrackets", true);
+pref("devtools.editor.detectindentation", true);
+pref("devtools.editor.enableCodeFolding", true);
+pref("devtools.editor.autocomplete", true);
+
+// The angle of the viewport.
+pref("devtools.responsive.viewport.angle", 0);
+// The width of the viewport.
+pref("devtools.responsive.viewport.width", 320);
+// The height of the viewport.
+pref("devtools.responsive.viewport.height", 480);
+// The pixel ratio of the viewport.
+pref("devtools.responsive.viewport.pixelRatio", 0);
+// Whether or not the viewports are left aligned.
+pref("devtools.responsive.leftAlignViewport.enabled", false);
+// Whether to reload when touch simulation is toggled
+pref("devtools.responsive.reloadConditions.touchSimulation", false);
+// Whether to reload when user agent is changed
+pref("devtools.responsive.reloadConditions.userAgent", false);
+// Whether to show the notification about reloading to apply emulation
+pref("devtools.responsive.reloadNotification.enabled", true);
+// Whether or not touch simulation is enabled.
+pref("devtools.responsive.touchSimulation.enabled", false);
+// Whether or not meta viewport is enabled, if and only if touchSimulation
+// is also enabled.
+pref("devtools.responsive.metaViewport.enabled", true);
+// The user agent of the viewport.
+pref("devtools.responsive.userAgent", "");
+
+// Show the custom user agent input only in Nightly.
+#if defined(NIGHTLY_BUILD)
+ pref("devtools.responsive.showUserAgentInput", true);
+#else
+ pref("devtools.responsive.showUserAgentInput", false);
+#endif
+
+// Show the RDM browser UI in Nightly or DevEdition builds.
+#if defined(NIGHTLY_BUILD) || defined(MOZ_DEV_EDITION)
+ pref("devtools.responsive.browserUI.enabled", true);
+#else
+ pref("devtools.responsive.browserUI.enabled", false);
+#endif
+
+// Show tab debug targets for This Firefox (on by default for local builds).
+#ifdef MOZILLA_OFFICIAL
+ pref("devtools.aboutdebugging.local-tab-debugging", false);
+#else
+ pref("devtools.aboutdebugging.local-tab-debugging", true);
+#endif
+
+// Show process debug targets.
+pref("devtools.aboutdebugging.process-debugging", true);
+// Stringified array of network locations that users can connect to.
+pref("devtools.aboutdebugging.network-locations", "[]");
+// Debug target pane collapse/expand settings.
+pref("devtools.aboutdebugging.collapsibilities.installedExtension", false);
+pref("devtools.aboutdebugging.collapsibilities.otherWorker", false);
+pref("devtools.aboutdebugging.collapsibilities.serviceWorker", false);
+pref("devtools.aboutdebugging.collapsibilities.sharedWorker", false);
+pref("devtools.aboutdebugging.collapsibilities.tab", false);
+pref("devtools.aboutdebugging.collapsibilities.temporaryExtension", false);
+
+// about:debugging: only show system and hidden extensions in local builds by
+// default.
+#ifdef MOZILLA_OFFICIAL
+ pref("devtools.aboutdebugging.showHiddenAddons", false);
+#else
+ pref("devtools.aboutdebugging.showHiddenAddons", true);
+#endif
+
+// Map top-level await expressions in the console
+pref("devtools.debugger.features.map-await-expression", true);
+
+#if defined(NIGHTLY_BUILD) || defined(MOZ_DEV_EDITION)
+pref("devtools.debugger.features.async-captured-stacks", true);
+pref("devtools.debugger.features.async-live-stacks", false);
+#else
+pref("devtools.debugger.features.async-live-stacks", true);
+pref("devtools.debugger.features.async-captured-stacks", false);
+#endif
+
+// Disable autohide for DevTools popups and tooltips.
+// This is currently not exposed by any UI to avoid making
+// about:devtools-toolbox tabs unusable by mistake.
+pref("devtools.popup.disable_autohide", false);
+
+// Visibility switch preference for the WhatsNew panel.
+pref("devtools.whatsnew.enabled", true);
+
+// Temporary preference to fully disable the WhatsNew panel on any target.
+// Should be removed in https://bugzilla.mozilla.org/show_bug.cgi?id=1596037
+pref("devtools.whatsnew.feature-enabled", true);
+
+// FirstStartup service time-out in ms
+pref("first-startup.timeout", 30000);
+
+// Enable the default browser agent.
+// The agent still runs as scheduled if this pref is disabled,
+// but it exits immediately before taking any action.
+#ifdef XP_WIN
+ pref("default-browser-agent.enabled", true);
+#endif
diff --git a/browser/app/splash.rc b/browser/app/splash.rc
new file mode 100644
index 0000000000..c406b79850
--- /dev/null
+++ b/browser/app/splash.rc
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <windows.h>
+#include "nsNativeAppSupportWin.h"
+
+1 24 "firefox.exe.manifest"
+
+IDI_APPICON ICON FIREFOX_ICO
+IDI_DOCUMENT ICON DOCUMENT_ICO
+IDI_APPLICATION ICON FIREFOX_ICO
+IDI_NEWWINDOW ICON NEWWINDOW_ICO
+IDI_NEWTAB ICON NEWTAB_ICO
+IDI_PBMODE ICON PBMODE_ICO
+
+STRINGTABLE DISCARDABLE
+BEGIN
+ IDS_STARTMENU_APPNAME, "@MOZ_APP_DISPLAYNAME@"
+END
diff --git a/browser/app/winlauncher/DllBlocklistInit.cpp b/browser/app/winlauncher/DllBlocklistInit.cpp
new file mode 100644
index 0000000000..a822029fed
--- /dev/null
+++ b/browser/app/winlauncher/DllBlocklistInit.cpp
@@ -0,0 +1,204 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "nsWindowsDllInterceptor.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/ImportDir.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Types.h"
+#include "mozilla/WindowsDllBlocklist.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+#include "DllBlocklistInit.h"
+#include "freestanding/DllBlocklist.h"
+#include "freestanding/FunctionTableResolver.h"
+
+#if defined(_MSC_VER)
+extern "C" IMAGE_DOS_HEADER __ImageBase;
+#endif
+
+namespace mozilla {
+
+#if defined(MOZ_ASAN) || defined(_M_ARM64)
+
+// This DLL blocking code is incompatible with ASAN because
+// it is able to execute before ASAN itself has even initialized.
+// Also, AArch64 has not been tested with this.
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOP(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA*) {
+ return mozilla::Ok();
+}
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPFromLauncher(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess) {
+ return mozilla::Ok();
+}
+
+#else
+
+static LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPInternal(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA* aCachedNtdllThunk) {
+ freestanding::gK32.Init();
+ if (freestanding::gK32.IsInitialized()) {
+ freestanding::gK32.Transfer(aChildProcess, &freestanding::gK32);
+ }
+
+ CrossProcessDllInterceptor intcpt(aChildProcess);
+ intcpt.Init(L"ntdll.dll");
+
+ bool ok = freestanding::stub_NtMapViewOfSection.SetDetour(
+ aChildProcess, intcpt, "NtMapViewOfSection",
+ &freestanding::patched_NtMapViewOfSection);
+ if (!ok) {
+ return LAUNCHER_ERROR_GENERIC();
+ }
+
+ ok = freestanding::stub_LdrLoadDll.SetDetour(
+ aChildProcess, intcpt, "LdrLoadDll", &freestanding::patched_LdrLoadDll);
+ if (!ok) {
+ return LAUNCHER_ERROR_GENERIC();
+ }
+
+ // Because aChildProcess has just been created in a suspended state, its
+ // dynamic linker has not yet been initialized, thus its executable has
+ // not yet been linked with ntdll.dll. If the blocklist hook intercepts a
+ // library load prior to the link, the hook will be unable to invoke any
+ // ntdll.dll functions.
+ //
+ // We know that the executable for our *current* process's binary is already
+ // linked into ntdll, so we obtain the IAT from our own executable and graft
+ // it onto the child process's IAT, thus enabling the child process's hook to
+ // safely make its ntdll calls.
+
+ HMODULE ourModule;
+# if defined(_MSC_VER)
+ ourModule = reinterpret_cast<HMODULE>(&__ImageBase);
+# else
+ ourModule = ::GetModuleHandleW(nullptr);
+# endif // defined(_MSC_VER)
+
+ mozilla::nt::PEHeaders ourExeImage(ourModule);
+ if (!ourExeImage) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // As part of our mitigation of binary tampering, copy our import directory
+ // from the original in our executable file.
+ LauncherVoidResult importDirRestored = RestoreImportDirectory(
+ aFullImagePath, ourExeImage, aChildProcess, ourModule);
+ if (importDirRestored.isErr()) {
+ return importDirRestored;
+ }
+
+ mozilla::nt::PEHeaders ntdllImage(::GetModuleHandleW(L"ntdll.dll"));
+ if (!ntdllImage) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // If we have a cached IAT i.e. |aCachedNtdllThunk| is non-null, we can
+ // safely copy it to |aChildProcess| even if the local IAT has been modified.
+ // If |aCachedNtdllThunk| is null, we've failed to cache the IAT or we're in
+ // the launcher process where there is no chance to cache the IAT. In those
+ // cases, we retrieve the IAT with the boundary check to avoid a modified IAT
+ // from being copied into |aChildProcess|.
+ Maybe<Span<IMAGE_THUNK_DATA> > ntdllThunks;
+ if (aCachedNtdllThunk) {
+ ntdllThunks = ourExeImage.GetIATThunksForModule("ntdll.dll");
+ } else {
+ Maybe<Range<const uint8_t> > ntdllBoundaries = ntdllImage.GetBounds();
+ if (!ntdllBoundaries) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // We can use GetIATThunksForModule() to check whether IAT is modified
+ // or not because no functions exported from ntdll.dll is forwarded.
+ ntdllThunks =
+ ourExeImage.GetIATThunksForModule("ntdll.dll", ntdllBoundaries.ptr());
+ }
+ if (!ntdllThunks) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_DATA);
+ }
+
+ SIZE_T bytesWritten;
+
+ { // Scope for prot
+ PIMAGE_THUNK_DATA firstIatThunkDst = ntdllThunks.value().data();
+ const IMAGE_THUNK_DATA* firstIatThunkSrc =
+ aCachedNtdllThunk ? aCachedNtdllThunk : firstIatThunkDst;
+ SIZE_T iatLength = ntdllThunks.value().LengthBytes();
+
+ AutoVirtualProtect prot(firstIatThunkDst, iatLength, PAGE_READWRITE,
+ aChildProcess);
+ if (!prot) {
+ return LAUNCHER_ERROR_FROM_MOZ_WINDOWS_ERROR(prot.GetError());
+ }
+
+ ok = !!::WriteProcessMemory(aChildProcess, firstIatThunkDst,
+ firstIatThunkSrc, iatLength, &bytesWritten);
+ if (!ok || bytesWritten != iatLength) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ }
+
+ // Tell the mozglue blocklist that we have bootstrapped
+ uint32_t newFlags = eDllBlocklistInitFlagWasBootstrapped;
+
+ if (gBlocklistInitFlags & eDllBlocklistInitFlagWasBootstrapped) {
+ // If we ourselves were bootstrapped, then we are starting a child process
+ // and need to set the appropriate flag.
+ newFlags |= eDllBlocklistInitFlagIsChildProcess;
+ }
+
+ ok = !!::WriteProcessMemory(aChildProcess, &gBlocklistInitFlags, &newFlags,
+ sizeof(newFlags), &bytesWritten);
+ if (!ok || bytesWritten != sizeof(newFlags)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ return Ok();
+}
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOP(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA* aCachedNtdllThunk) {
+ // We come here when the browser process launches a sandbox process.
+ // If the launcher process already failed to bootstrap the browser process,
+ // we should not attempt to bootstrap a child process because it's likely
+ // to fail again. Instead, we only restore the import directory entry.
+ if (!(gBlocklistInitFlags & eDllBlocklistInitFlagWasBootstrapped)) {
+ HMODULE exeImageBase;
+# if defined(_MSC_VER)
+ exeImageBase = reinterpret_cast<HMODULE>(&__ImageBase);
+# else
+ exeImageBase = ::GetModuleHandleW(nullptr);
+# endif // defined(_MSC_VER)
+
+ mozilla::nt::PEHeaders localImage(exeImageBase);
+ if (!localImage) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ return RestoreImportDirectory(aFullImagePath, localImage, aChildProcess,
+ exeImageBase);
+ }
+
+ return InitializeDllBlocklistOOPInternal(aFullImagePath, aChildProcess,
+ aCachedNtdllThunk);
+}
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPFromLauncher(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess) {
+ return InitializeDllBlocklistOOPInternal(aFullImagePath, aChildProcess,
+ nullptr);
+}
+
+#endif // defined(MOZ_ASAN) || defined(_M_ARM64)
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/DllBlocklistInit.h b/browser/app/winlauncher/DllBlocklistInit.h
new file mode 100644
index 0000000000..c6b87bce91
--- /dev/null
+++ b/browser/app/winlauncher/DllBlocklistInit.h
@@ -0,0 +1,25 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_DllBlocklistInit_h
+#define mozilla_DllBlocklistInit_h
+
+#include <windows.h>
+
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOP(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA* aCachedNtdllThunk);
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPFromLauncher(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess);
+
+} // namespace mozilla
+
+#endif // mozilla_DllBlocklistInit_h
diff --git a/browser/app/winlauncher/ErrorHandler.cpp b/browser/app/winlauncher/ErrorHandler.cpp
new file mode 100644
index 0000000000..d1bd4d0d29
--- /dev/null
+++ b/browser/app/winlauncher/ErrorHandler.cpp
@@ -0,0 +1,758 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ErrorHandler.h"
+
+#include <utility>
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/DebugOnly.h"
+#include "mozilla/JSONWriter.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Unused.h"
+#include "mozilla/WinTokenUtils.h"
+#include "mozilla/WindowsVersion.h"
+#include "mozilla/XREAppData.h"
+#include "mozilla/glue/WindowsDllServices.h"
+#include "mozilla/mscom/ProcessRuntime.h"
+#include "nsWindowsHelpers.h"
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+# include "mozilla/LauncherRegistryInfo.h"
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+#include <algorithm>
+#include <process.h>
+#include <sstream>
+#include <string>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <objbase.h>
+#include <rpc.h>
+#if !defined(__MINGW32__)
+# include <comutil.h>
+# include <iwscapi.h>
+# include <wscapi.h>
+#endif // !defined(__MINGW32__)
+#include <tlhelp32.h>
+
+#if !defined(RRF_SUBKEY_WOW6464KEY)
+# define RRF_SUBKEY_WOW6464KEY 0x00010000
+#endif // !defined(RRF_SUBKEY_WOW6464KEY)
+
+#define QUOTE_ME2(x) #x
+#define QUOTE_ME(x) QUOTE_ME2(x)
+
+#define TELEMETRY_BASE_URL L"https://incoming.telemetry.mozilla.org/submit"
+#define TELEMETRY_NAMESPACE L"/firefox-launcher-process"
+#define TELEMETRY_LAUNCHER_PING_DOCTYPE L"/launcher-process-failure"
+#define TELEMETRY_LAUNCHER_PING_VERSION L"/1"
+
+static const wchar_t kUrl[] = TELEMETRY_BASE_URL TELEMETRY_NAMESPACE
+ TELEMETRY_LAUNCHER_PING_DOCTYPE TELEMETRY_LAUNCHER_PING_VERSION L"/";
+static const uint32_t kGuidCharLenWithNul = 39;
+static const uint32_t kGuidCharLenNoBracesNoNul = 36;
+static const mozilla::StaticXREAppData* gAppData;
+static bool gForceEventLog = false;
+
+namespace {
+
+struct EventSourceDeleter {
+ using pointer = HANDLE;
+
+ void operator()(pointer aEvtSrc) { ::DeregisterEventSource(aEvtSrc); }
+};
+
+using EventLog = mozilla::UniquePtr<HANDLE, EventSourceDeleter>;
+
+struct SerializedEventData {
+ HRESULT mHr;
+ uint32_t mLine;
+ char mFile[1];
+};
+
+} // anonymous namespace
+
+static void PostErrorToLog(const mozilla::LauncherError& aError) {
+ // This is very bare-bones; just enough to spit out an HRESULT to the
+ // Application event log.
+ EventLog log(::RegisterEventSourceW(nullptr, L"Firefox"));
+ if (!log) {
+ return;
+ }
+
+ size_t fileLen = strlen(aError.mFile);
+ size_t dataLen = sizeof(HRESULT) + sizeof(uint32_t) + fileLen;
+ auto evtDataBuf = mozilla::MakeUnique<char[]>(dataLen);
+ SerializedEventData& evtData =
+ *reinterpret_cast<SerializedEventData*>(evtDataBuf.get());
+ evtData.mHr = aError.mError.AsHResult();
+ evtData.mLine = aError.mLine;
+ // Since this is binary data, we're not concerning ourselves with null
+ // terminators.
+ memcpy(evtData.mFile, aError.mFile, fileLen);
+
+ ::ReportEventW(log.get(), EVENTLOG_ERROR_TYPE, 0, aError.mError.AsHResult(),
+ nullptr, 0, dataLen, nullptr, evtDataBuf.get());
+}
+
+#if defined(MOZ_TELEMETRY_REPORTING)
+
+namespace {
+
+// This JSONWriteFunc writes directly to a temp file. By creating this file
+// with the FILE_ATTRIBUTE_TEMPORARY attribute, we hint to the OS that this
+// file is short-lived. The OS will try to avoid flushing it to disk if at
+// all possible.
+class TempFileWriter final : public mozilla::JSONWriteFunc {
+ public:
+ TempFileWriter() : mFailed(false), mSuccessfulHandoff(false) {
+ wchar_t name[MAX_PATH + 1] = {};
+ if (_wtmpnam_s(name)) {
+ mFailed = true;
+ return;
+ }
+
+ mTempFileName = name;
+
+ mTempFile.own(::CreateFileW(name, GENERIC_WRITE, FILE_SHARE_READ, nullptr,
+ CREATE_NEW, FILE_ATTRIBUTE_TEMPORARY, nullptr));
+ if (mTempFile.get() == INVALID_HANDLE_VALUE) {
+ mFailed = true;
+ }
+ }
+
+ ~TempFileWriter() {
+ if (mSuccessfulHandoff) {
+ // It is no longer our responsibility to delete the temp file if we have
+ // successfully handed it off to pingsender.
+ return;
+ }
+
+ mTempFile.reset();
+ ::DeleteFileW(mTempFileName.c_str());
+ }
+
+ explicit operator bool() const { return !mFailed; }
+
+ void Write(const char* aStr) override {
+ size_t len = strlen(aStr);
+ Write(aStr, len);
+ }
+
+ void Write(const char* aStr, size_t aLen) override {
+ if (mFailed) {
+ return;
+ }
+
+ DWORD bytesWritten = 0;
+ if (!::WriteFile(mTempFile, aStr, aLen, &bytesWritten, nullptr) ||
+ bytesWritten != aLen) {
+ mFailed = true;
+ }
+ }
+
+ const std::wstring& GetFileName() const { return mTempFileName; }
+
+ void SetSuccessfulHandoff() { mSuccessfulHandoff = true; }
+
+ private:
+ bool mFailed;
+ bool mSuccessfulHandoff;
+ std::wstring mTempFileName;
+ nsAutoHandle mTempFile;
+};
+
+using SigMap = mozilla::Vector<std::wstring, 0, InfallibleAllocPolicy>;
+
+} // anonymous namespace
+
+// This is the guideline for maximum string length for telemetry intake
+static const size_t kMaxStrLen = 80;
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const wchar_t* aStr,
+ const size_t aStrLenExclNul) {
+ // Yes, this might not handle surrogate pairs correctly. Let's just let
+ // WideCharToMultiByte fail in that unlikely case.
+ size_t cvtLen = std::min(aStrLenExclNul, kMaxStrLen);
+
+ int numConv = ::WideCharToMultiByte(CP_UTF8, 0, aStr, cvtLen, nullptr, 0,
+ nullptr, nullptr);
+ if (!numConv) {
+ return nullptr;
+ }
+
+ // Include room for the null terminator by adding one
+ auto buf = mozilla::MakeUnique<char[]>(numConv + 1);
+
+ numConv = ::WideCharToMultiByte(CP_UTF8, 0, aStr, cvtLen, buf.get(), numConv,
+ nullptr, nullptr);
+ if (!numConv) {
+ return nullptr;
+ }
+
+ // Add null termination. numConv does not include the terminator, so we don't
+ // subtract 1 when indexing into buf.
+ buf[numConv] = 0;
+
+ return buf;
+}
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const wchar_t* aStr) {
+ return WideToUTF8(aStr, wcslen(aStr));
+}
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const std::wstring& aStr) {
+ return WideToUTF8(aStr.c_str(), aStr.length());
+}
+
+// MinGW does not support the Windows Security Center APIs.
+# if !defined(__MINGW32__)
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const _bstr_t& aStr) {
+ return WideToUTF8(static_cast<const wchar_t*>(aStr), aStr.length());
+}
+
+namespace {
+
+struct ProviderKey {
+ WSC_SECURITY_PROVIDER mProviderType;
+ const char* mKey;
+};
+
+} // anonymous namespace
+
+static bool EnumWSCProductList(RefPtr<IWSCProductList>& aProdList,
+ mozilla::JSONWriter& aJson) {
+ LONG count;
+ HRESULT hr = aProdList->get_Count(&count);
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ // Unlikely, but put a bound on the max length of the output array for the
+ // purposes of telemetry intake.
+ count = std::min(count, 1000L);
+
+ // Record the name(s) of each active registered product in this category
+ for (LONG index = 0; index < count; ++index) {
+ RefPtr<IWscProduct> product;
+ hr = aProdList->get_Item(index, getter_AddRefs(product));
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ WSC_SECURITY_PRODUCT_STATE state;
+ hr = product->get_ProductState(&state);
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ // We only care about products that are active
+ if (state == WSC_SECURITY_PRODUCT_STATE_OFF ||
+ state == WSC_SECURITY_PRODUCT_STATE_SNOOZED ||
+ state == WSC_SECURITY_PRODUCT_STATE_EXPIRED) {
+ continue;
+ }
+
+ _bstr_t bName;
+ hr = product->get_ProductName(bName.GetAddress());
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ auto buf = WideToUTF8(bName);
+ if (!buf) {
+ return false;
+ }
+
+ aJson.StringElement(buf.get());
+ }
+
+ return true;
+}
+
+static const ProviderKey gProvKeys[] = {
+ {WSC_SECURITY_PROVIDER_ANTIVIRUS, "av"},
+ {WSC_SECURITY_PROVIDER_ANTISPYWARE, "antispyware"},
+ {WSC_SECURITY_PROVIDER_FIREWALL, "firewall"}};
+
+static bool AddWscInfo(mozilla::JSONWriter& aJson) {
+ if (!mozilla::IsWin8OrLater()) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ // We need COM for this. Using ProcessRuntime so that process-global COM
+ // configuration is done correctly
+ mozilla::mscom::ProcessRuntime mscom(
+ mozilla::mscom::ProcessRuntime::ProcessCategory::Launcher);
+ if (!mscom) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ aJson.StartObjectProperty("security");
+
+ const CLSID clsid = __uuidof(WSCProductList);
+ const IID iid = __uuidof(IWSCProductList);
+
+ for (uint32_t index = 0; index < mozilla::ArrayLength(gProvKeys); ++index) {
+ // NB: A separate instance of IWSCProductList is needed for each distinct
+ // security provider type; MSDN says that we cannot reuse the same object
+ // and call Initialize() to pave over the previous data.
+ RefPtr<IWSCProductList> prodList;
+ HRESULT hr = ::CoCreateInstance(clsid, nullptr, CLSCTX_INPROC_SERVER, iid,
+ getter_AddRefs(prodList));
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ hr = prodList->Initialize(gProvKeys[index].mProviderType);
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ aJson.StartArrayProperty(gProvKeys[index].mKey);
+
+ if (!EnumWSCProductList(prodList, aJson)) {
+ return false;
+ }
+
+ aJson.EndArray();
+ }
+
+ aJson.EndObject();
+
+ return true;
+}
+# endif // !defined(__MINGW32__)
+
+// Max array length for telemetry intake.
+static const size_t kMaxArrayLen = 1000;
+
+static bool AddModuleInfo(const nsAutoHandle& aSnapshot,
+ mozilla::JSONWriter& aJson) {
+ if (aSnapshot.get() == INVALID_HANDLE_VALUE) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ SigMap signatures;
+ size_t moduleCount = 0;
+
+ MODULEENTRY32W module = {sizeof(module)};
+ if (!::Module32FirstW(aSnapshot, &module)) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ mozilla::glue::BasicDllServices dllServices;
+
+ aJson.StartObjectProperty("modules");
+
+ // For each module, add its version number (or empty string if not present),
+ // followed by an optional index into the signatures array
+ do {
+ ++moduleCount;
+
+ wchar_t leaf[_MAX_FNAME] = {};
+ if (::_wsplitpath_s(module.szExePath, nullptr, 0, nullptr, 0, leaf,
+ mozilla::ArrayLength(leaf), nullptr, 0)) {
+ return false;
+ }
+
+ if (_wcslwr_s(leaf, mozilla::ArrayLength(leaf))) {
+ return false;
+ }
+
+ auto leafUtf8 = WideToUTF8(leaf);
+ if (!leafUtf8) {
+ return false;
+ }
+
+ aJson.StartArrayProperty(leafUtf8.get());
+
+ std::string version;
+ DWORD verInfoSize = ::GetFileVersionInfoSizeW(module.szExePath, nullptr);
+ if (verInfoSize) {
+ auto verInfoBuf = mozilla::MakeUnique<BYTE[]>(verInfoSize);
+
+ if (::GetFileVersionInfoW(module.szExePath, 0, verInfoSize,
+ verInfoBuf.get())) {
+ VS_FIXEDFILEINFO* fixedInfo = nullptr;
+ UINT fixedInfoLen = 0;
+
+ if (::VerQueryValueW(verInfoBuf.get(), L"\\",
+ reinterpret_cast<LPVOID*>(&fixedInfo),
+ &fixedInfoLen)) {
+ std::ostringstream oss;
+ oss << HIWORD(fixedInfo->dwFileVersionMS) << '.'
+ << LOWORD(fixedInfo->dwFileVersionMS) << '.'
+ << HIWORD(fixedInfo->dwFileVersionLS) << '.'
+ << LOWORD(fixedInfo->dwFileVersionLS);
+ version = oss.str();
+ }
+ }
+ }
+
+ aJson.StringElement(version.c_str());
+
+ mozilla::Maybe<ptrdiff_t> sigIndex;
+ auto signedBy = dllServices.GetBinaryOrgName(module.szExePath);
+ if (signedBy) {
+ std::wstring strSignedBy(signedBy.get());
+ auto entry = std::find(signatures.begin(), signatures.end(), strSignedBy);
+ if (entry == signatures.end()) {
+ mozilla::Unused << signatures.append(std::move(strSignedBy));
+ entry = &signatures.back();
+ }
+
+ sigIndex = mozilla::Some(entry - signatures.begin());
+ }
+
+ if (sigIndex) {
+ aJson.IntElement(sigIndex.value());
+ }
+
+ aJson.EndArray();
+ } while (moduleCount < kMaxArrayLen && ::Module32NextW(aSnapshot, &module));
+
+ aJson.EndObject();
+
+ aJson.StartArrayProperty("signatures");
+
+ // Serialize each entry in the signatures array
+ for (auto&& itr : signatures) {
+ auto sigUtf8 = WideToUTF8(itr);
+ if (!sigUtf8) {
+ continue;
+ }
+
+ aJson.StringElement(sigUtf8.get());
+ }
+
+ aJson.EndArray();
+
+ return true;
+}
+
+namespace {
+
+struct PingThreadContext {
+ explicit PingThreadContext(const mozilla::LauncherError& aError)
+ : mLauncherError(aError),
+ mModulesSnapshot(::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0)) {}
+ mozilla::LauncherError mLauncherError;
+ nsAutoHandle mModulesSnapshot;
+};
+
+} // anonymous namespace
+
+static bool PrepPing(const PingThreadContext& aContext, const std::wstring& aId,
+ mozilla::JSONWriter& aJson) {
+# if defined(DEBUG)
+ const mozilla::JSONWriter::CollectionStyle style =
+ mozilla::JSONWriter::MultiLineStyle;
+# else
+ const mozilla::JSONWriter::CollectionStyle style =
+ mozilla::JSONWriter::SingleLineStyle;
+# endif // defined(DEBUG)
+
+ aJson.Start(style);
+
+ aJson.StringProperty("type", "launcher-process-failure");
+ aJson.IntProperty("version", 1);
+
+ auto idUtf8 = WideToUTF8(aId);
+ if (idUtf8) {
+ aJson.StringProperty("id", idUtf8.get());
+ }
+
+ time_t now;
+ time(&now);
+ tm gmTm;
+ if (!gmtime_s(&gmTm, &now)) {
+ char isoTimeBuf[32] = {};
+ if (strftime(isoTimeBuf, mozilla::ArrayLength(isoTimeBuf), "%FT%T.000Z",
+ &gmTm)) {
+ aJson.StringProperty("creationDate", isoTimeBuf);
+ }
+ }
+
+ aJson.StringProperty("update_channel", QUOTE_ME(MOZ_UPDATE_CHANNEL));
+
+ if (gAppData) {
+ aJson.StringProperty("build_id", gAppData->buildID);
+ aJson.StringProperty("build_version", gAppData->version);
+ }
+
+ OSVERSIONINFOEXW osv = {sizeof(osv)};
+ if (::GetVersionExW(reinterpret_cast<OSVERSIONINFOW*>(&osv))) {
+ std::ostringstream oss;
+ oss << osv.dwMajorVersion << "." << osv.dwMinorVersion << "."
+ << osv.dwBuildNumber;
+
+ if (osv.dwMajorVersion == 10 && osv.dwMinorVersion == 0) {
+ // Get the "Update Build Revision" (UBR) value
+ DWORD ubrValue;
+ DWORD ubrValueLen = sizeof(ubrValue);
+ LSTATUS ubrOk =
+ ::RegGetValueW(HKEY_LOCAL_MACHINE,
+ L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
+ L"UBR", RRF_RT_DWORD | RRF_SUBKEY_WOW6464KEY, nullptr,
+ &ubrValue, &ubrValueLen);
+ if (ubrOk == ERROR_SUCCESS) {
+ oss << "." << ubrValue;
+ }
+ }
+
+ if (oss) {
+ aJson.StringProperty("os_version", oss.str().c_str());
+ }
+
+ bool isServer = osv.wProductType == VER_NT_DOMAIN_CONTROLLER ||
+ osv.wProductType == VER_NT_SERVER;
+ aJson.BoolProperty("server_os", isServer);
+ }
+
+ WCHAR localeName[LOCALE_NAME_MAX_LENGTH] = {};
+ int localeNameLen =
+ ::GetUserDefaultLocaleName(localeName, mozilla::ArrayLength(localeName));
+ if (localeNameLen) {
+ auto localeNameUtf8 = WideToUTF8(localeName, localeNameLen - 1);
+ if (localeNameUtf8) {
+ aJson.StringProperty("os_locale", localeNameUtf8.get());
+ }
+ }
+
+ SYSTEM_INFO sysInfo;
+ ::GetNativeSystemInfo(&sysInfo);
+ aJson.IntProperty("cpu_arch", sysInfo.wProcessorArchitecture);
+ aJson.IntProperty("num_logical_cpus", sysInfo.dwNumberOfProcessors);
+
+ mozilla::LauncherResult<bool> isAdminWithoutUac =
+ mozilla::IsAdminWithoutUac();
+ if (isAdminWithoutUac.isOk()) {
+ aJson.BoolProperty("is_admin_without_uac", isAdminWithoutUac.unwrap());
+ }
+
+ MEMORYSTATUSEX memStatus = {sizeof(memStatus)};
+ if (::GlobalMemoryStatusEx(&memStatus)) {
+ aJson.StartObjectProperty("memory");
+ aJson.IntProperty("total_phys", memStatus.ullTotalPhys);
+ aJson.IntProperty("avail_phys", memStatus.ullAvailPhys);
+ aJson.IntProperty("avail_page_file", memStatus.ullAvailPageFile);
+ aJson.IntProperty("avail_virt", memStatus.ullAvailVirtual);
+ aJson.EndObject();
+ }
+
+ aJson.StringProperty("xpcom_abi", TARGET_XPCOM_ABI);
+
+ aJson.StartObjectProperty("launcher_error", style);
+
+ std::string srcFileLeaf(aContext.mLauncherError.mFile);
+ // Obtain the leaf name of the file for privacy reasons
+ // (In case this is somebody's local build)
+ auto pos = srcFileLeaf.find_last_of("/\\");
+ if (pos != std::string::npos) {
+ srcFileLeaf = srcFileLeaf.substr(pos + 1);
+ }
+
+ aJson.StringProperty("source_file", srcFileLeaf.c_str());
+
+ aJson.IntProperty("source_line", aContext.mLauncherError.mLine);
+ aJson.IntProperty("hresult", aContext.mLauncherError.mError.AsHResult());
+ aJson.EndObject();
+
+# if !defined(__MINGW32__)
+ if (!AddWscInfo(aJson)) {
+ return false;
+ }
+# endif // !defined(__MINGW32__)
+
+ if (!AddModuleInfo(aContext.mModulesSnapshot, aJson)) {
+ return false;
+ }
+
+ aJson.End();
+
+ return true;
+}
+
+static bool DoSendPing(const PingThreadContext& aContext) {
+ auto writeFunc = mozilla::MakeUnique<TempFileWriter>();
+ if (!(*writeFunc)) {
+ return false;
+ }
+
+ mozilla::JSONWriter json(std::move(writeFunc));
+
+ UUID uuid;
+ if (::UuidCreate(&uuid) != RPC_S_OK) {
+ return false;
+ }
+
+ wchar_t guidBuf[kGuidCharLenWithNul] = {};
+ if (::StringFromGUID2(uuid, guidBuf, kGuidCharLenWithNul) !=
+ kGuidCharLenWithNul) {
+ return false;
+ }
+
+ // Strip the curly braces off of the guid
+ std::wstring guidNoBraces(guidBuf + 1, kGuidCharLenNoBracesNoNul);
+
+ // Populate json with the ping information
+ if (!PrepPing(aContext, guidNoBraces, json)) {
+ return false;
+ }
+
+ // Obtain the name of the temp file that we have written
+ TempFileWriter& tempFile = *static_cast<TempFileWriter*>(json.WriteFunc());
+ if (!tempFile) {
+ return false;
+ }
+
+ const std::wstring& fileName = tempFile.GetFileName();
+
+ // Using the path to our executable binary, construct the path to
+ // pingsender.exe
+ mozilla::UniquePtr<wchar_t[]> exePath(mozilla::GetFullBinaryPath());
+
+ wchar_t drive[_MAX_DRIVE] = {};
+ wchar_t dir[_MAX_DIR] = {};
+ if (_wsplitpath_s(exePath.get(), drive, mozilla::ArrayLength(drive), dir,
+ mozilla::ArrayLength(dir), nullptr, 0, nullptr, 0)) {
+ return false;
+ }
+
+ wchar_t pingSenderPath[MAX_PATH + 1] = {};
+ if (_wmakepath_s(pingSenderPath, mozilla::ArrayLength(pingSenderPath), drive,
+ dir, L"pingsender", L"exe")) {
+ return false;
+ }
+
+ // Construct the telemetry URL
+ wchar_t urlBuf[mozilla::ArrayLength(kUrl) + kGuidCharLenNoBracesNoNul] = {};
+ if (wcscpy_s(urlBuf, kUrl)) {
+ return false;
+ }
+
+ if (wcscat_s(urlBuf, guidNoBraces.c_str())) {
+ return false;
+ }
+
+ // Now build the command line arguments to pingsender
+ wchar_t* pingSenderArgv[] = {pingSenderPath, urlBuf,
+ const_cast<wchar_t*>(fileName.c_str())};
+
+ mozilla::UniquePtr<wchar_t[]> pingSenderCmdLine(mozilla::MakeCommandLine(
+ mozilla::ArrayLength(pingSenderArgv), pingSenderArgv));
+
+ // Now start pingsender to handle the rest
+ PROCESS_INFORMATION pi;
+
+ STARTUPINFOW si = {sizeof(si)};
+ si.dwFlags = STARTF_USESHOWWINDOW;
+ si.wShowWindow = SW_HIDE;
+
+ if (!::CreateProcessW(pingSenderPath, pingSenderCmdLine.get(), nullptr,
+ nullptr, FALSE, 0, nullptr, nullptr, &si, &pi)) {
+ return false;
+ }
+
+ tempFile.SetSuccessfulHandoff();
+
+ nsAutoHandle proc(pi.hProcess);
+ nsAutoHandle thread(pi.hThread);
+
+ return true;
+}
+
+static unsigned __stdcall SendPingThread(void* aContext) {
+ mozilla::UniquePtr<PingThreadContext> context(
+ reinterpret_cast<PingThreadContext*>(aContext));
+
+ if (!DoSendPing(*context) || gForceEventLog) {
+ PostErrorToLog(context->mLauncherError);
+ }
+
+ return 0;
+}
+
+#endif // defined(MOZ_TELEMETRY_REPORTING)
+
+static bool SendPing(const mozilla::LauncherError& aError) {
+#if defined(MOZ_TELEMETRY_REPORTING)
+# if defined(MOZ_LAUNCHER_PROCESS)
+ mozilla::LauncherRegistryInfo regInfo;
+ mozilla::LauncherResult<bool> telemetryEnabled = regInfo.IsTelemetryEnabled();
+ if (telemetryEnabled.isErr() || !telemetryEnabled.unwrap()) {
+ // Do not send anything if telemetry has been opted out
+ return false;
+ }
+# endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ // We send this ping when the launcher process fails. After we start the
+ // SendPingThread, this thread falls back from running as the launcher process
+ // to running as the browser main thread. Once this happens, it will be unsafe
+ // to set up PoisonIOInterposer (since we have already spun up a background
+ // thread).
+ mozilla::SaveToEnv("MOZ_DISABLE_POISON_IO_INTERPOSER=1");
+
+ // Capture aError and our module list into context for processing on another
+ // thread.
+ auto thdParam = mozilla::MakeUnique<PingThreadContext>(aError);
+
+ // The ping does a lot of file I/O. Since we want this thread to continue
+ // executing browser startup, we should gather that information on a
+ // background thread.
+ uintptr_t thdHandle =
+ _beginthreadex(nullptr, 0, &SendPingThread, thdParam.get(),
+ STACK_SIZE_PARAM_IS_A_RESERVATION, nullptr);
+ if (!thdHandle) {
+ return false;
+ }
+
+ // We have handed off thdParam to the background thread
+ mozilla::Unused << thdParam.release();
+
+ ::CloseHandle(reinterpret_cast<HANDLE>(thdHandle));
+ return true;
+#else
+ return false;
+#endif
+}
+
+namespace mozilla {
+
+void HandleLauncherError(const LauncherError& aError) {
+#if defined(MOZ_LAUNCHER_PROCESS)
+ LauncherRegistryInfo regInfo;
+ Unused << regInfo.DisableDueToFailure();
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ if (SendPing(aError) && !gForceEventLog) {
+ return;
+ }
+
+ PostErrorToLog(aError);
+}
+
+void SetLauncherErrorAppData(const StaticXREAppData& aAppData) {
+ gAppData = &aAppData;
+}
+
+void SetLauncherErrorForceEventLog() { gForceEventLog = true; }
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/ErrorHandler.h b/browser/app/winlauncher/ErrorHandler.h
new file mode 100644
index 0000000000..5aa99f08f2
--- /dev/null
+++ b/browser/app/winlauncher/ErrorHandler.h
@@ -0,0 +1,51 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ErrorHandler_h
+#define mozilla_ErrorHandler_h
+
+#include "mozilla/Assertions.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+
+/**
+ * All launcher process error handling should live in the implementation of
+ * this function.
+ */
+void HandleLauncherError(const LauncherError& aError);
+
+// This function is simply a convenience overload that automatically unwraps
+// the LauncherError from the provided LauncherResult and then forwards it to
+// the main implementation.
+template <typename T>
+inline void HandleLauncherError(const LauncherResult<T>& aResult) {
+ MOZ_ASSERT(aResult.isErr());
+ if (aResult.isOk()) {
+ return;
+ }
+
+ HandleLauncherError(aResult.inspectErr());
+}
+
+// This function is simply a convenience overload that unwraps the provided
+// GenericErrorResult<LauncherError> and forwards it to the main implementation.
+inline void HandleLauncherError(
+ const GenericErrorResult<LauncherError>& aResult) {
+ LauncherVoidResult r(aResult);
+ HandleLauncherError(r);
+}
+
+// Forward declaration
+struct StaticXREAppData;
+
+void SetLauncherErrorAppData(const StaticXREAppData& aAppData);
+
+void SetLauncherErrorForceEventLog();
+
+} // namespace mozilla
+
+#endif // mozilla_ErrorHandler_h
diff --git a/browser/app/winlauncher/LaunchUnelevated.cpp b/browser/app/winlauncher/LaunchUnelevated.cpp
new file mode 100644
index 0000000000..07d9cecb0a
--- /dev/null
+++ b/browser/app/winlauncher/LaunchUnelevated.cpp
@@ -0,0 +1,175 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "LaunchUnelevated.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/mscom/ProcessRuntime.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/ShellHeaderOnlyUtils.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "nsWindowsHelpers.h"
+
+#include <windows.h>
+
+static mozilla::LauncherResult<bool> IsHighIntegrity(
+ const nsAutoHandle& aToken) {
+ DWORD reqdLen;
+ if (!::GetTokenInformation(aToken.get(), TokenIntegrityLevel, nullptr, 0,
+ &reqdLen)) {
+ DWORD err = ::GetLastError();
+ if (err != ERROR_INSUFFICIENT_BUFFER) {
+ return LAUNCHER_ERROR_FROM_WIN32(err);
+ }
+ }
+
+ auto buf = mozilla::MakeUnique<char[]>(reqdLen);
+
+ if (!::GetTokenInformation(aToken.get(), TokenIntegrityLevel, buf.get(),
+ reqdLen, &reqdLen)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ auto tokenLabel = reinterpret_cast<PTOKEN_MANDATORY_LABEL>(buf.get());
+
+ DWORD subAuthCount = *::GetSidSubAuthorityCount(tokenLabel->Label.Sid);
+ DWORD integrityLevel =
+ *::GetSidSubAuthority(tokenLabel->Label.Sid, subAuthCount - 1);
+ return integrityLevel > SECURITY_MANDATORY_MEDIUM_RID;
+}
+
+static mozilla::LauncherResult<HANDLE> GetMediumIntegrityToken(
+ const nsAutoHandle& aProcessToken) {
+ HANDLE rawResult;
+ if (!::DuplicateTokenEx(aProcessToken.get(), 0, nullptr,
+ SecurityImpersonation, TokenPrimary, &rawResult)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ nsAutoHandle result(rawResult);
+
+ BYTE mediumIlSid[SECURITY_MAX_SID_SIZE];
+ DWORD mediumIlSidSize = sizeof(mediumIlSid);
+ if (!::CreateWellKnownSid(WinMediumLabelSid, nullptr, mediumIlSid,
+ &mediumIlSidSize)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ TOKEN_MANDATORY_LABEL integrityLevel = {};
+ integrityLevel.Label.Attributes = SE_GROUP_INTEGRITY;
+ integrityLevel.Label.Sid = reinterpret_cast<PSID>(mediumIlSid);
+
+ if (!::SetTokenInformation(rawResult, TokenIntegrityLevel, &integrityLevel,
+ sizeof(integrityLevel))) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ return result.disown();
+}
+
+namespace mozilla {
+
+// If we're running at an elevated integrity level, re-run ourselves at the
+// user's normal integrity level. We do this by locating the active explorer
+// shell, and then asking it to do a ShellExecute on our behalf. We do it this
+// way to ensure that the child process runs as the original user in the active
+// session; an elevated process could be running with different credentials than
+// those of the session.
+// See https://blogs.msdn.microsoft.com/oldnewthing/20131118-00/?p=2643
+
+LauncherVoidResult LaunchUnelevated(int aArgc, wchar_t* aArgv[]) {
+ // We need COM to talk to Explorer. Using ProcessRuntime so that
+ // process-global COM configuration is done correctly
+ mozilla::mscom::ProcessRuntime mscom(GeckoProcessType_Default);
+ if (!mscom) {
+ return LAUNCHER_ERROR_FROM_HRESULT(mscom.GetHResult());
+ }
+
+ // Omit argv[0] because ShellExecute doesn't need it in params
+ UniquePtr<wchar_t[]> cmdLine(MakeCommandLine(aArgc - 1, aArgv + 1));
+ if (!cmdLine) {
+ return LAUNCHER_ERROR_GENERIC();
+ }
+
+ _bstr_t exe(aArgv[0]);
+ _variant_t args(cmdLine.get());
+ _variant_t operation(L"open");
+ _variant_t directory;
+ _variant_t showCmd(SW_SHOWNORMAL);
+ return ShellExecuteByExplorer(exe, args, operation, directory, showCmd);
+}
+
+LauncherResult<ElevationState> GetElevationState(
+ mozilla::LauncherFlags aFlags, nsAutoHandle& aOutMediumIlToken) {
+ aOutMediumIlToken.reset();
+
+ const DWORD tokenFlags = TOKEN_QUERY | TOKEN_DUPLICATE |
+ TOKEN_ADJUST_DEFAULT | TOKEN_ASSIGN_PRIMARY;
+ HANDLE rawToken;
+ if (!::OpenProcessToken(::GetCurrentProcess(), tokenFlags, &rawToken)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ nsAutoHandle token(rawToken);
+
+ LauncherResult<TOKEN_ELEVATION_TYPE> elevationType = GetElevationType(token);
+ if (elevationType.isErr()) {
+ return LAUNCHER_ERROR_FROM_RESULT(elevationType);
+ }
+
+ switch (elevationType.unwrap()) {
+ case TokenElevationTypeLimited:
+ return ElevationState::eNormalUser;
+ case TokenElevationTypeFull:
+ // If we want to start a non-elevated browser process and wait on it,
+ // we're going to need a medium IL token.
+ if ((aFlags & (mozilla::LauncherFlags::eWaitForBrowser |
+ mozilla::LauncherFlags::eNoDeelevate)) ==
+ mozilla::LauncherFlags::eWaitForBrowser) {
+ LauncherResult<HANDLE> tokenResult = GetMediumIntegrityToken(token);
+ if (tokenResult.isOk()) {
+ aOutMediumIlToken.own(tokenResult.unwrap());
+ } else {
+ return LAUNCHER_ERROR_FROM_RESULT(tokenResult);
+ }
+ }
+
+ return ElevationState::eElevated;
+ case TokenElevationTypeDefault:
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("Was a new value added to the enumeration?");
+ return LAUNCHER_ERROR_GENERIC();
+ }
+
+ // In this case, UAC is disabled. We do not yet know whether or not we are
+ // running at high integrity. If we are at high integrity, we can't relaunch
+ // ourselves in a non-elevated state via Explorer, as we would just end up in
+ // an infinite loop of launcher processes re-launching themselves.
+
+ LauncherResult<bool> isHighIntegrity = IsHighIntegrity(token);
+ if (isHighIntegrity.isErr()) {
+ return LAUNCHER_ERROR_FROM_RESULT(isHighIntegrity);
+ }
+
+ if (!isHighIntegrity.unwrap()) {
+ return ElevationState::eNormalUser;
+ }
+
+ if (!(aFlags & mozilla::LauncherFlags::eNoDeelevate)) {
+ LauncherResult<HANDLE> tokenResult = GetMediumIntegrityToken(token);
+ if (tokenResult.isOk()) {
+ aOutMediumIlToken.own(tokenResult.unwrap());
+ } else {
+ return LAUNCHER_ERROR_FROM_RESULT(tokenResult);
+ }
+ }
+
+ return ElevationState::eHighIntegrityNoUAC;
+}
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/LaunchUnelevated.h b/browser/app/winlauncher/LaunchUnelevated.h
new file mode 100644
index 0000000000..c5e0594d2f
--- /dev/null
+++ b/browser/app/winlauncher/LaunchUnelevated.h
@@ -0,0 +1,30 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_LaunchUnelevated_h
+#define mozilla_LaunchUnelevated_h
+
+#include "LauncherProcessWin.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "mozilla/Maybe.h"
+#include "nsWindowsHelpers.h"
+
+namespace mozilla {
+
+enum class ElevationState {
+ eNormalUser = 0,
+ eElevated = (1 << 0),
+ eHighIntegrityNoUAC = (1 << 1),
+};
+
+LauncherResult<ElevationState> GetElevationState(
+ LauncherFlags aFlags, nsAutoHandle& aOutMediumIlToken);
+
+LauncherVoidResult LaunchUnelevated(int aArgc, wchar_t* aArgv[]);
+
+} // namespace mozilla
+
+#endif // mozilla_LaunchUnelevated_h
diff --git a/browser/app/winlauncher/LauncherProcessWin.cpp b/browser/app/winlauncher/LauncherProcessWin.cpp
new file mode 100644
index 0000000000..ee2c290bfc
--- /dev/null
+++ b/browser/app/winlauncher/LauncherProcessWin.cpp
@@ -0,0 +1,410 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "LauncherProcessWin.h"
+
+#include <string.h>
+
+#include "mozilla/Attributes.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/DebugOnly.h"
+#include "mozilla/DynamicallyLinkedFunctionPtr.h"
+#include "mozilla/glue/Debug.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/SafeMode.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/WindowsConsole.h"
+#include "mozilla/WindowsVersion.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "nsWindowsHelpers.h"
+
+#include <windows.h>
+#include <processthreadsapi.h>
+
+#include "DllBlocklistInit.h"
+#include "ErrorHandler.h"
+#include "LaunchUnelevated.h"
+#include "ProcThreadAttributes.h"
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+# include "mozilla/LauncherRegistryInfo.h"
+# include "SameBinary.h"
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+/**
+ * At this point the child process has been created in a suspended state. Any
+ * additional startup work (eg, blocklist setup) should go here.
+ *
+ * @return Ok if browser startup should proceed
+ */
+static mozilla::LauncherVoidResult PostCreationSetup(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ HANDLE aChildMainThread, const bool aIsSafeMode) {
+ return mozilla::InitializeDllBlocklistOOPFromLauncher(aFullImagePath,
+ aChildProcess);
+}
+
+#if !defined( \
+ PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON)
+# define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON \
+ (0x00000001ULL << 60)
+#endif // !defined(PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON)
+
+#if !defined(PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF)
+# define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF \
+ (0x00000002ULL << 40)
+#endif // !defined(PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF)
+
+#if (_WIN32_WINNT < 0x0602)
+BOOL WINAPI
+SetProcessMitigationPolicy(PROCESS_MITIGATION_POLICY aMitigationPolicy,
+ PVOID aBuffer, SIZE_T aBufferLen);
+#endif // (_WIN32_WINNT >= 0x0602)
+
+/**
+ * Any mitigation policies that should be set on the browser process should go
+ * here.
+ */
+static void SetMitigationPolicies(mozilla::ProcThreadAttributes& aAttrs,
+ const bool aIsSafeMode) {
+ if (mozilla::IsWin10AnniversaryUpdateOrLater()) {
+ aAttrs.AddMitigationPolicy(
+ PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON);
+ }
+
+#if defined(_M_ARM64)
+ // Disable CFG on older versions of ARM64 Windows to avoid a crash in COM.
+ if (!mozilla::IsWin10Sep2018UpdateOrLater()) {
+ aAttrs.AddMitigationPolicy(
+ PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF);
+ }
+#endif // defined(_M_ARM64)
+}
+
+static mozilla::LauncherFlags ProcessCmdLine(int& aArgc, wchar_t* aArgv[]) {
+ mozilla::LauncherFlags result = mozilla::LauncherFlags::eNone;
+
+ if (mozilla::CheckArg(aArgc, aArgv, L"wait-for-browser",
+ static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::RemoveArg) ==
+ mozilla::ARG_FOUND ||
+ mozilla::CheckArg(aArgc, aArgv, L"marionette",
+ static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
+ mozilla::CheckArg(aArgc, aArgv, L"headless",
+ static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
+ mozilla::EnvHasValue("MOZ_AUTOMATION") ||
+ mozilla::EnvHasValue("MOZ_HEADLESS")) {
+ result |= mozilla::LauncherFlags::eWaitForBrowser;
+ }
+
+ if (mozilla::CheckArg(aArgc, aArgv, L"no-deelevate") == mozilla::ARG_FOUND) {
+ result |= mozilla::LauncherFlags::eNoDeelevate;
+ }
+
+ return result;
+}
+
+static void MaybeBreakForBrowserDebugging() {
+ if (mozilla::EnvHasValue("MOZ_DEBUG_BROWSER_PROCESS")) {
+ ::DebugBreak();
+ return;
+ }
+
+ const wchar_t* pauseLenS = _wgetenv(L"MOZ_DEBUG_BROWSER_PAUSE");
+ if (!pauseLenS || !(*pauseLenS)) {
+ return;
+ }
+
+ DWORD pauseLenMs = wcstoul(pauseLenS, nullptr, 10) * 1000;
+ printf_stderr("\n\nBROWSERBROWSERBROWSERBROWSER\n debug me @ %lu\n\n",
+ ::GetCurrentProcessId());
+ ::Sleep(pauseLenMs);
+}
+
+static bool DoLauncherProcessChecks(int& argc, wchar_t** argv) {
+ // NB: We run all tests in this function instead of returning early in order
+ // to ensure that all side effects take place, such as clearing environment
+ // variables.
+ bool result = false;
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ // We still prefer to compare file ids. Comparing NT paths i.e. passing
+ // CompareNtPathsOnly to IsSameBinaryAsParentProcess is much faster, but
+ // we're not 100% sure that NT path comparison perfectly prevents the
+ // launching loop of the launcher process.
+ mozilla::LauncherResult<bool> isSame = mozilla::IsSameBinaryAsParentProcess();
+ if (isSame.isOk()) {
+ result = !isSame.unwrap();
+ } else {
+ HandleLauncherError(isSame.unwrapErr());
+ }
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ if (mozilla::EnvHasValue("MOZ_LAUNCHER_PROCESS")) {
+ mozilla::SaveToEnv("MOZ_LAUNCHER_PROCESS=");
+ result = true;
+ }
+
+ result |= mozilla::CheckArg(
+ argc, argv, L"launcher", static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;
+
+ return result;
+}
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+static mozilla::Maybe<bool> RunAsLauncherProcess(
+ mozilla::LauncherRegistryInfo& aRegInfo, int& argc, wchar_t** argv) {
+#else
+static mozilla::Maybe<bool> RunAsLauncherProcess(int& argc, wchar_t** argv) {
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+ // return fast when we're a child process.
+ // (The remainder of this function has some side effects that are
+ // undesirable for content processes)
+ if (mozilla::CheckArg(argc, argv, L"contentproc",
+ static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND) {
+ return mozilla::Some(false);
+ }
+
+ bool runAsLauncher = DoLauncherProcessChecks(argc, argv);
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ bool forceLauncher =
+ runAsLauncher &&
+ mozilla::CheckArg(argc, argv, L"force-launcher",
+ static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;
+
+ mozilla::LauncherRegistryInfo::ProcessType desiredType =
+ runAsLauncher ? mozilla::LauncherRegistryInfo::ProcessType::Launcher
+ : mozilla::LauncherRegistryInfo::ProcessType::Browser;
+
+ mozilla::LauncherRegistryInfo::CheckOption checkOption =
+ forceLauncher ? mozilla::LauncherRegistryInfo::CheckOption::Force
+ : mozilla::LauncherRegistryInfo::CheckOption::Default;
+
+ mozilla::LauncherResult<mozilla::LauncherRegistryInfo::ProcessType>
+ runAsType = aRegInfo.Check(desiredType, checkOption);
+
+ if (runAsType.isErr()) {
+ mozilla::HandleLauncherError(runAsType);
+ return mozilla::Nothing();
+ }
+
+ runAsLauncher = runAsType.unwrap() ==
+ mozilla::LauncherRegistryInfo::ProcessType::Launcher;
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ if (!runAsLauncher) {
+ // In this case, we will be proceeding to run as the browser.
+ // We should check MOZ_DEBUG_BROWSER_* env vars.
+ MaybeBreakForBrowserDebugging();
+ }
+
+ return mozilla::Some(runAsLauncher);
+}
+
+namespace mozilla {
+
+Maybe<int> LauncherMain(int& argc, wchar_t* argv[],
+ const StaticXREAppData& aAppData) {
+ // Note: keep in sync with nsBrowserApp.
+ const wchar_t* acceptableParams[] = {L"url", nullptr};
+ EnsureCommandlineSafe(argc, argv, acceptableParams);
+
+ SetLauncherErrorAppData(aAppData);
+
+ if (CheckArg(argc, argv, L"log-launcher-error",
+ static_cast<const wchar_t**>(nullptr),
+ mozilla::CheckArgFlag::RemoveArg) == ARG_FOUND) {
+ SetLauncherErrorForceEventLog();
+ }
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ LauncherRegistryInfo regInfo;
+ Maybe<bool> runAsLauncher = RunAsLauncherProcess(regInfo, argc, argv);
+#else
+ Maybe<bool> runAsLauncher = RunAsLauncherProcess(argc, argv);
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+ if (!runAsLauncher || !runAsLauncher.value()) {
+#if defined(MOZ_LAUNCHER_PROCESS)
+ // Update the registry as Browser
+ LauncherVoidResult commitResult = regInfo.Commit();
+ if (commitResult.isErr()) {
+ mozilla::HandleLauncherError(commitResult);
+ }
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+ return Nothing();
+ }
+
+ // Make sure that the launcher process itself has image load policies set
+ if (IsWin10AnniversaryUpdateOrLater()) {
+ static const StaticDynamicallyLinkedFunctionPtr<decltype(
+ &SetProcessMitigationPolicy)>
+ pSetProcessMitigationPolicy(L"kernel32.dll",
+ "SetProcessMitigationPolicy");
+ if (pSetProcessMitigationPolicy) {
+ PROCESS_MITIGATION_IMAGE_LOAD_POLICY imgLoadPol = {};
+ imgLoadPol.PreferSystem32Images = 1;
+
+ DebugOnly<BOOL> setOk = pSetProcessMitigationPolicy(
+ ProcessImageLoadPolicy, &imgLoadPol, sizeof(imgLoadPol));
+ MOZ_ASSERT(setOk);
+ }
+ }
+
+ mozilla::UseParentConsole();
+
+ if (!SetArgv0ToFullBinaryPath(argv)) {
+ HandleLauncherError(LAUNCHER_ERROR_GENERIC());
+ return Nothing();
+ }
+
+ LauncherFlags flags = ProcessCmdLine(argc, argv);
+
+ nsAutoHandle mediumIlToken;
+ LauncherResult<ElevationState> elevationState =
+ GetElevationState(flags, mediumIlToken);
+ if (elevationState.isErr()) {
+ HandleLauncherError(elevationState);
+ return Nothing();
+ }
+
+ // If we're elevated, we should relaunch ourselves as a normal user.
+ // Note that we only call LaunchUnelevated when we don't need to wait for the
+ // browser process.
+ if (elevationState.unwrap() == ElevationState::eElevated &&
+ !(flags &
+ (LauncherFlags::eWaitForBrowser | LauncherFlags::eNoDeelevate)) &&
+ !mediumIlToken.get()) {
+ LauncherVoidResult launchedUnelevated = LaunchUnelevated(argc, argv);
+ bool failed = launchedUnelevated.isErr();
+ if (failed) {
+ HandleLauncherError(launchedUnelevated);
+ return Nothing();
+ }
+
+ return Some(0);
+ }
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ // Update the registry as Launcher
+ LauncherVoidResult commitResult = regInfo.Commit();
+ if (commitResult.isErr()) {
+ mozilla::HandleLauncherError(commitResult);
+ return Nothing();
+ }
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ // Now proceed with setting up the parameters for process creation
+ UniquePtr<wchar_t[]> cmdLine(MakeCommandLine(argc, argv));
+ if (!cmdLine) {
+ HandleLauncherError(LAUNCHER_ERROR_GENERIC());
+ return Nothing();
+ }
+
+ const Maybe<bool> isSafeMode =
+ IsSafeModeRequested(argc, argv, SafeModeFlag::NoKeyPressCheck);
+ if (!isSafeMode) {
+ HandleLauncherError(LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_PARAMETER));
+ return Nothing();
+ }
+
+ ProcThreadAttributes attrs;
+ SetMitigationPolicies(attrs, isSafeMode.value());
+
+ HANDLE stdHandles[] = {::GetStdHandle(STD_INPUT_HANDLE),
+ ::GetStdHandle(STD_OUTPUT_HANDLE),
+ ::GetStdHandle(STD_ERROR_HANDLE)};
+
+ attrs.AddInheritableHandles(stdHandles);
+
+ DWORD creationFlags = CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT;
+
+ STARTUPINFOEXW siex;
+ LauncherResult<bool> attrsOk = attrs.AssignTo(siex);
+ if (attrsOk.isErr()) {
+ HandleLauncherError(attrsOk);
+ return Nothing();
+ }
+
+ BOOL inheritHandles = FALSE;
+
+ if (attrsOk.unwrap()) {
+ creationFlags |= EXTENDED_STARTUPINFO_PRESENT;
+
+ if (attrs.HasInheritableHandles()) {
+ siex.StartupInfo.dwFlags |= STARTF_USESTDHANDLES;
+ siex.StartupInfo.hStdInput = stdHandles[0];
+ siex.StartupInfo.hStdOutput = stdHandles[1];
+ siex.StartupInfo.hStdError = stdHandles[2];
+
+ // Since attrsOk == true, we have successfully set the handle inheritance
+ // whitelist policy, so only the handles added to attrs will be inherited.
+ inheritHandles = TRUE;
+ }
+ }
+
+ PROCESS_INFORMATION pi = {};
+ BOOL createOk;
+
+ if (mediumIlToken.get()) {
+ createOk =
+ ::CreateProcessAsUserW(mediumIlToken.get(), argv[0], cmdLine.get(),
+ nullptr, nullptr, inheritHandles, creationFlags,
+ nullptr, nullptr, &siex.StartupInfo, &pi);
+ } else {
+ createOk = ::CreateProcessW(argv[0], cmdLine.get(), nullptr, nullptr,
+ inheritHandles, creationFlags, nullptr, nullptr,
+ &siex.StartupInfo, &pi);
+ }
+
+ if (!createOk) {
+ HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
+ return Nothing();
+ }
+
+ nsAutoHandle process(pi.hProcess);
+ nsAutoHandle mainThread(pi.hThread);
+
+ LauncherVoidResult setupResult = PostCreationSetup(
+ argv[0], process.get(), mainThread.get(), isSafeMode.value());
+ if (setupResult.isErr()) {
+ HandleLauncherError(setupResult);
+ ::TerminateProcess(process.get(), 1);
+ return Nothing();
+ }
+
+ if (::ResumeThread(mainThread.get()) == static_cast<DWORD>(-1)) {
+ HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
+ ::TerminateProcess(process.get(), 1);
+ return Nothing();
+ }
+
+ if (flags & LauncherFlags::eWaitForBrowser) {
+ DWORD exitCode;
+ if (::WaitForSingleObject(process.get(), INFINITE) == WAIT_OBJECT_0 &&
+ ::GetExitCodeProcess(process.get(), &exitCode)) {
+ // Propagate the browser process's exit code as our exit code.
+ return Some(static_cast<int>(exitCode));
+ }
+ } else {
+ const DWORD timeout =
+ ::IsDebuggerPresent() ? INFINITE : kWaitForInputIdleTimeoutMS;
+
+ // Keep the current process around until the callback process has created
+ // its message queue, to avoid the launched process's windows being forced
+ // into the background.
+ mozilla::WaitForInputIdle(process.get(), timeout);
+ }
+
+ return Some(0);
+}
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/LauncherProcessWin.h b/browser/app/winlauncher/LauncherProcessWin.h
new file mode 100644
index 0000000000..4fc819f658
--- /dev/null
+++ b/browser/app/winlauncher/LauncherProcessWin.h
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_LauncherProcessWin_h
+#define mozilla_LauncherProcessWin_h
+
+#include "mozilla/Maybe.h"
+#include "mozilla/TypedEnumBits.h"
+
+#include <stdint.h>
+
+namespace mozilla {
+
+// Forward declaration
+struct StaticXREAppData;
+
+/**
+ * Determine whether or not the current process should be run as the launcher
+ * process, and run if so. If we are not supposed to run as the launcher
+ * process, or in the event of a launcher process failure, return Nothing, thus
+ * indicating that we should continue on the original startup code path.
+ */
+Maybe<int> LauncherMain(int& argc, wchar_t* argv[],
+ const StaticXREAppData& aAppData);
+
+enum class LauncherFlags : uint32_t {
+ eNone = 0,
+ eWaitForBrowser = (1 << 0), // Launcher should block until browser finishes
+ eNoDeelevate = (1 << 1), // If elevated, do not attempt to de-elevate
+};
+
+MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(LauncherFlags)
+
+} // namespace mozilla
+
+#endif // mozilla_LauncherProcessWin_h
diff --git a/browser/app/winlauncher/NtLoaderAPI.cpp b/browser/app/winlauncher/NtLoaderAPI.cpp
new file mode 100644
index 0000000000..b183ba5278
--- /dev/null
+++ b/browser/app/winlauncher/NtLoaderAPI.cpp
@@ -0,0 +1,49 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/LoaderAPIInterfaces.h"
+
+#include "freestanding/LoaderPrivateAPI.h"
+
+#if defined(_MSC_VER)
+# include <intrin.h>
+# pragma intrinsic(_ReturnAddress)
+# define RETURN_ADDRESS() _ReturnAddress()
+#elif defined(__GNUC__) || defined(__clang__)
+# define RETURN_ADDRESS() \
+ __builtin_extract_return_addr(__builtin_return_address(0))
+#endif
+
+static bool CheckForMozglue(void* aReturnAddress) {
+ HMODULE callingModule;
+ if (!::GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
+ GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
+ reinterpret_cast<LPCWSTR>(aReturnAddress),
+ &callingModule)) {
+ return false;
+ }
+
+ return callingModule && callingModule == ::GetModuleHandleW(L"mozglue.dll");
+}
+
+namespace mozilla {
+
+extern "C" MOZ_EXPORT nt::LoaderAPI* GetNtLoaderAPI(
+ nt::LoaderObserver* aNewObserver) {
+ const bool isCallerMozglue = CheckForMozglue(RETURN_ADDRESS());
+ MOZ_ASSERT(isCallerMozglue);
+ if (!isCallerMozglue) {
+ return nullptr;
+ }
+
+ freestanding::EnsureInitialized();
+ freestanding::LoaderPrivateAPI& api = freestanding::gLoaderPrivateAPI;
+ api.SetObserver(aNewObserver);
+
+ return &api;
+}
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/ProcThreadAttributes.h b/browser/app/winlauncher/ProcThreadAttributes.h
new file mode 100644
index 0000000000..74d5fee06c
--- /dev/null
+++ b/browser/app/winlauncher/ProcThreadAttributes.h
@@ -0,0 +1,159 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ProcThreadAttributes_h
+#define mozilla_ProcThreadAttributes_h
+
+#include <windows.h>
+
+#include <utility>
+
+#include "mozilla/Attributes.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Vector.h"
+
+namespace mozilla {
+
+class MOZ_RAII ProcThreadAttributes final {
+ struct ProcThreadAttributeListDeleter {
+ void operator()(LPPROC_THREAD_ATTRIBUTE_LIST aList) {
+ ::DeleteProcThreadAttributeList(aList);
+ delete[] reinterpret_cast<char*>(aList);
+ }
+ };
+
+ using ProcThreadAttributeListPtr =
+ UniquePtr<_PROC_THREAD_ATTRIBUTE_LIST, ProcThreadAttributeListDeleter>;
+
+ public:
+ ProcThreadAttributes() : mMitigationPolicies(0) {}
+
+ ~ProcThreadAttributes() = default;
+
+ ProcThreadAttributes(const ProcThreadAttributes&) = delete;
+ ProcThreadAttributes(ProcThreadAttributes&&) = delete;
+ ProcThreadAttributes& operator=(const ProcThreadAttributes&) = delete;
+ ProcThreadAttributes& operator=(ProcThreadAttributes&&) = delete;
+
+ void AddMitigationPolicy(DWORD64 aPolicy) { mMitigationPolicies |= aPolicy; }
+
+ bool AddInheritableHandle(HANDLE aHandle) {
+ DWORD type = ::GetFileType(aHandle);
+ if (type != FILE_TYPE_DISK && type != FILE_TYPE_PIPE) {
+ return false;
+ }
+
+ if (!::SetHandleInformation(aHandle, HANDLE_FLAG_INHERIT,
+ HANDLE_FLAG_INHERIT)) {
+ return false;
+ }
+
+ return mInheritableHandles.append(aHandle);
+ }
+
+ template <size_t N>
+ bool AddInheritableHandles(HANDLE (&aHandles)[N]) {
+ bool ok = true;
+ for (auto handle : aHandles) {
+ ok &= AddInheritableHandle(handle);
+ }
+
+ return ok;
+ }
+
+ bool HasMitigationPolicies() const { return !!mMitigationPolicies; }
+
+ bool HasInheritableHandles() const { return !mInheritableHandles.empty(); }
+
+ /**
+ * @return false if the STARTUPINFOEXW::lpAttributeList was set to null
+ * as expected based on the state of |this|;
+ * true if the STARTUPINFOEXW::lpAttributeList was set to
+ * non-null;
+ */
+ LauncherResult<bool> AssignTo(STARTUPINFOEXW& aSiex) {
+ ZeroMemory(&aSiex, sizeof(STARTUPINFOEXW));
+
+ // We'll set the size to sizeof(STARTUPINFOW) until we determine whether the
+ // extended fields will be used.
+ aSiex.StartupInfo.cb = sizeof(STARTUPINFOW);
+
+ DWORD numAttributes = 0;
+ if (HasMitigationPolicies()) {
+ ++numAttributes;
+ }
+
+ if (HasInheritableHandles()) {
+ ++numAttributes;
+ }
+
+ if (!numAttributes) {
+ return false;
+ }
+
+ SIZE_T listSize = 0;
+ if (!::InitializeProcThreadAttributeList(nullptr, numAttributes, 0,
+ &listSize)) {
+ DWORD err = ::GetLastError();
+ if (err != ERROR_INSUFFICIENT_BUFFER) {
+ return LAUNCHER_ERROR_FROM_WIN32(err);
+ }
+ }
+
+ auto buf = MakeUnique<char[]>(listSize);
+
+ LPPROC_THREAD_ATTRIBUTE_LIST tmpList =
+ reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(buf.get());
+
+ if (!::InitializeProcThreadAttributeList(tmpList, numAttributes, 0,
+ &listSize)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ // Transfer buf to a ProcThreadAttributeListPtr - now that the list is
+ // initialized, we are no longer dealing with a plain old char array. We
+ // must now deinitialize the attribute list before deallocating the
+ // underlying buffer.
+ ProcThreadAttributeListPtr attrList(
+ reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(buf.release()));
+
+ if (mMitigationPolicies) {
+ if (!::UpdateProcThreadAttribute(
+ attrList.get(), 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
+ &mMitigationPolicies, sizeof(mMitigationPolicies), nullptr,
+ nullptr)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ }
+
+ if (!mInheritableHandles.empty()) {
+ if (!::UpdateProcThreadAttribute(
+ attrList.get(), 0, PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
+ mInheritableHandles.begin(),
+ mInheritableHandles.length() * sizeof(HANDLE), nullptr,
+ nullptr)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ }
+
+ mAttrList = std::move(attrList);
+ aSiex.lpAttributeList = mAttrList.get();
+ aSiex.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+ return true;
+ }
+
+ private:
+ static const uint32_t kNumInline = 3; // Inline storage for the std handles
+
+ DWORD64 mMitigationPolicies;
+ Vector<HANDLE, kNumInline> mInheritableHandles;
+ ProcThreadAttributeListPtr mAttrList;
+};
+
+} // namespace mozilla
+
+#endif // mozilla_ProcThreadAttributes_h
diff --git a/browser/app/winlauncher/SameBinary.h b/browser/app/winlauncher/SameBinary.h
new file mode 100644
index 0000000000..ca913dc94c
--- /dev/null
+++ b/browser/app/winlauncher/SameBinary.h
@@ -0,0 +1,142 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_SameBinary_h
+#define mozilla_SameBinary_h
+
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "mozilla/NativeNt.h"
+#include "nsWindowsHelpers.h"
+
+namespace mozilla {
+
+class ProcessImagePath final {
+ PathType mType;
+ LauncherVoidResult mLastError;
+
+ // Using a larger buffer because an NT path may exceed MAX_PATH.
+ WCHAR mPathBuffer[(MAX_PATH * 2) + 1];
+
+ public:
+ // Initialize with an NT path string of a given process handle
+ explicit ProcessImagePath(const nsAutoHandle& aProcess)
+ : mType(PathType::eNtPath), mLastError(Ok()) {
+ DWORD len = mozilla::ArrayLength(mPathBuffer);
+ if (!::QueryFullProcessImageNameW(aProcess.get(), PROCESS_NAME_NATIVE,
+ mPathBuffer, &len)) {
+ mLastError = LAUNCHER_ERROR_FROM_LAST();
+ return;
+ }
+ }
+
+ // Initizlize with a DOS path string of a given imagebase address
+ explicit ProcessImagePath(HMODULE aImageBase)
+ : mType(PathType::eDosPath), mLastError(Ok()) {
+ DWORD len = ::GetModuleFileNameW(aImageBase, mPathBuffer,
+ mozilla::ArrayLength(mPathBuffer));
+ if (!len || len == mozilla::ArrayLength(mPathBuffer)) {
+ mLastError = LAUNCHER_ERROR_FROM_LAST();
+ return;
+ }
+ }
+
+ bool IsError() const { return mLastError.isErr(); }
+
+ const WindowsErrorType& GetError() const { return mLastError.inspectErr(); }
+
+ FileUniqueId GetId() const { return FileUniqueId(mPathBuffer, mType); }
+
+ bool CompareNtPaths(const ProcessImagePath& aOther) const {
+ if (mLastError.isErr() || aOther.mLastError.isErr() ||
+ mType != PathType::eNtPath || aOther.mType != PathType::eNtPath) {
+ return false;
+ }
+
+ UNICODE_STRING path1, path2;
+ ::RtlInitUnicodeString(&path1, mPathBuffer);
+ ::RtlInitUnicodeString(&path2, aOther.mPathBuffer);
+ return !!::RtlEqualUnicodeString(&path1, &path2, TRUE);
+ }
+};
+
+enum class ImageFileCompareOption {
+ Default,
+ CompareNtPathsOnly,
+};
+
+static inline mozilla::LauncherResult<bool> IsSameBinaryAsParentProcess(
+ ImageFileCompareOption aOption = ImageFileCompareOption::Default) {
+ mozilla::LauncherResult<DWORD> parentPid = mozilla::nt::GetParentProcessId();
+ if (parentPid.isErr()) {
+ return LAUNCHER_ERROR_FROM_RESULT(parentPid);
+ }
+
+ nsAutoHandle parentProcess(::OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,
+ FALSE, parentPid.unwrap()));
+ if (!parentProcess.get()) {
+ DWORD err = ::GetLastError();
+ if (err == ERROR_INVALID_PARAMETER) {
+ // The process identified by parentPid has already exited. This is a
+ // common case when the parent process is not Firefox, thus we should
+ // return false instead of erroring out.
+ return false;
+ }
+
+ return LAUNCHER_ERROR_FROM_WIN32(err);
+ }
+
+ ProcessImagePath parentExe(parentProcess);
+ if (parentExe.IsError()) {
+ return ::mozilla::Err(parentExe.GetError());
+ }
+
+ if (aOption == ImageFileCompareOption::Default) {
+ bool skipFileIdComparison = false;
+
+ FileUniqueId id1 = parentExe.GetId();
+ if (id1.IsError()) {
+ // We saw a number of Win7 users failed to call NtOpenFile with
+ // STATUS_OBJECT_PATH_NOT_FOUND for an unknown reason. In this
+ // particular case, we fall back to the logic to compare NT path
+ // strings instead of a file id which will not fail because we don't
+ // need to open a file handle.
+#if !defined(STATUS_OBJECT_PATH_NOT_FOUND)
+ constexpr NTSTATUS STATUS_OBJECT_PATH_NOT_FOUND = 0xc000003a;
+#endif
+ const LauncherError& err = id1.GetError();
+ if (err.mError !=
+ WindowsError::FromNtStatus(STATUS_OBJECT_PATH_NOT_FOUND)) {
+ return ::mozilla::Err(err);
+ }
+
+ skipFileIdComparison = true;
+ }
+
+ if (!skipFileIdComparison) {
+ ProcessImagePath ourExe(nullptr);
+ if (ourExe.IsError()) {
+ return ::mozilla::Err(ourExe.GetError());
+ }
+
+ FileUniqueId id2 = ourExe.GetId();
+ if (id2.IsError()) {
+ return ::mozilla::Err(id2.GetError());
+ }
+ return id1 == id2;
+ }
+ }
+
+ nsAutoHandle ourProcess(::GetCurrentProcess());
+ ProcessImagePath ourExeNt(ourProcess);
+ if (ourExeNt.IsError()) {
+ return ::mozilla::Err(ourExeNt.GetError());
+ }
+ return parentExe.CompareNtPaths(ourExeNt);
+}
+
+} // namespace mozilla
+
+#endif // mozilla_SameBinary_h
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.cpp b/browser/app/winlauncher/freestanding/DllBlocklist.cpp
new file mode 100644
index 0000000000..5b09231f28
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/DllBlocklist.cpp
@@ -0,0 +1,389 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Types.h"
+#include "mozilla/WindowsDllBlocklist.h"
+
+#include "DllBlocklist.h"
+#include "FunctionTableResolver.h"
+#include "LoaderPrivateAPI.h"
+#include "ModuleLoadFrame.h"
+
+// clang-format off
+#define MOZ_LITERAL_UNICODE_STRING(s) \
+ { \
+ /* Length of the string in bytes, less the null terminator */ \
+ sizeof(s) - sizeof(wchar_t), \
+ /* Length of the string in bytes, including the null terminator */ \
+ sizeof(s), \
+ /* Pointer to the buffer */ \
+ const_cast<wchar_t*>(s) \
+ }
+// clang-format on
+
+#define DLL_BLOCKLIST_ENTRY(name, ...) \
+ {MOZ_LITERAL_UNICODE_STRING(L##name), __VA_ARGS__},
+#define DLL_BLOCKLIST_STRING_TYPE UNICODE_STRING
+
+#if defined(MOZ_LAUNCHER_PROCESS) || defined(NIGHTLY_BUILD)
+# include "mozilla/WindowsDllBlocklistLauncherDefs.h"
+#else
+# include "mozilla/WindowsDllBlocklistCommon.h"
+DLL_BLOCKLIST_DEFINITIONS_BEGIN
+DLL_BLOCKLIST_DEFINITIONS_END
+#endif
+
+class MOZ_STATIC_CLASS MOZ_TRIVIAL_CTOR_DTOR NativeNtBlockSet final {
+ struct NativeNtBlockSetEntry {
+ NativeNtBlockSetEntry() = default;
+ ~NativeNtBlockSetEntry() = default;
+ NativeNtBlockSetEntry(const UNICODE_STRING& aName, uint64_t aVersion,
+ NativeNtBlockSetEntry* aNext)
+ : mName(aName), mVersion(aVersion), mNext(aNext) {}
+ UNICODE_STRING mName;
+ uint64_t mVersion;
+ NativeNtBlockSetEntry* mNext;
+ };
+
+ public:
+ // Constructor and destructor MUST be trivial
+ constexpr NativeNtBlockSet() : mFirstEntry(nullptr) {}
+ ~NativeNtBlockSet() = default;
+
+ void Add(const UNICODE_STRING& aName, uint64_t aVersion);
+ void Write(HANDLE aFile);
+
+ private:
+ static NativeNtBlockSetEntry* NewEntry(const UNICODE_STRING& aName,
+ uint64_t aVersion,
+ NativeNtBlockSetEntry* aNextEntry);
+
+ private:
+ NativeNtBlockSetEntry* mFirstEntry;
+ mozilla::nt::SRWLock mLock;
+};
+
+NativeNtBlockSet::NativeNtBlockSetEntry* NativeNtBlockSet::NewEntry(
+ const UNICODE_STRING& aName, uint64_t aVersion,
+ NativeNtBlockSet::NativeNtBlockSetEntry* aNextEntry) {
+ return mozilla::freestanding::RtlNew<NativeNtBlockSetEntry>(aName, aVersion,
+ aNextEntry);
+}
+
+void NativeNtBlockSet::Add(const UNICODE_STRING& aName, uint64_t aVersion) {
+ mozilla::nt::AutoExclusiveLock lock(mLock);
+
+ for (NativeNtBlockSetEntry* entry = mFirstEntry; entry;
+ entry = entry->mNext) {
+ if (::RtlEqualUnicodeString(&entry->mName, &aName, TRUE) &&
+ aVersion == entry->mVersion) {
+ return;
+ }
+ }
+
+ // Not present, add it
+ NativeNtBlockSetEntry* newEntry = NewEntry(aName, aVersion, mFirstEntry);
+ if (newEntry) {
+ mFirstEntry = newEntry;
+ }
+}
+
+void NativeNtBlockSet::Write(HANDLE aFile) {
+ // NB: If this function is called, it is long after kernel32 is initialized,
+ // so it is safe to use Win32 calls here.
+ DWORD nBytes;
+ char buf[MAX_PATH];
+
+ // It would be nicer to use RAII here. However, its destructor
+ // might not run if an exception occurs, in which case we would never release
+ // the lock (MSVC warns about this possibility). So we acquire and release
+ // manually.
+ ::AcquireSRWLockExclusive(&mLock);
+
+ MOZ_SEH_TRY {
+ for (auto entry = mFirstEntry; entry; entry = entry->mNext) {
+ int convOk = ::WideCharToMultiByte(CP_UTF8, 0, entry->mName.Buffer,
+ entry->mName.Length / sizeof(wchar_t),
+ buf, sizeof(buf), nullptr, nullptr);
+ if (!convOk) {
+ continue;
+ }
+
+ // write name[,v.v.v.v];
+ if (!WriteFile(aFile, buf, convOk, &nBytes, nullptr)) {
+ continue;
+ }
+
+ if (entry->mVersion != DllBlockInfo::ALL_VERSIONS) {
+ WriteFile(aFile, ",", 1, &nBytes, nullptr);
+ uint16_t parts[4];
+ parts[0] = entry->mVersion >> 48;
+ parts[1] = (entry->mVersion >> 32) & 0xFFFF;
+ parts[2] = (entry->mVersion >> 16) & 0xFFFF;
+ parts[3] = entry->mVersion & 0xFFFF;
+ for (size_t p = 0; p < mozilla::ArrayLength(parts); ++p) {
+ ltoa(parts[p], buf, 10);
+ WriteFile(aFile, buf, strlen(buf), &nBytes, nullptr);
+ if (p != mozilla::ArrayLength(parts) - 1) {
+ WriteFile(aFile, ".", 1, &nBytes, nullptr);
+ }
+ }
+ }
+ WriteFile(aFile, ";", 1, &nBytes, nullptr);
+ }
+ }
+ MOZ_SEH_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {}
+
+ ::ReleaseSRWLockExclusive(&mLock);
+}
+
+static NativeNtBlockSet gBlockSet;
+
+extern "C" void MOZ_EXPORT NativeNtBlockSet_Write(HANDLE aHandle) {
+ gBlockSet.Write(aHandle);
+}
+
+enum class BlockAction {
+ Allow,
+ SubstituteLSP,
+ Error,
+ Deny,
+ NoOpEntryPoint,
+};
+
+static BlockAction CheckBlockInfo(const DllBlockInfo* aInfo,
+ const mozilla::nt::PEHeaders& aHeaders,
+ uint64_t& aVersion) {
+ aVersion = DllBlockInfo::ALL_VERSIONS;
+
+ if (aInfo->mFlags & DllBlockInfo::BLOCK_WIN8_AND_OLDER) {
+ RTL_OSVERSIONINFOW osv = {sizeof(osv)};
+ NTSTATUS ntStatus = ::RtlGetVersion(&osv);
+ if (!NT_SUCCESS(ntStatus)) {
+ return BlockAction::Error;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::BLOCK_WIN8_AND_OLDER) &&
+ (osv.dwMajorVersion > 6 ||
+ (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 2))) {
+ return BlockAction::Allow;
+ }
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::CHILD_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::BROWSER_PROCESS_ONLY) &&
+ (gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if (aInfo->mMaxVersion == DllBlockInfo::ALL_VERSIONS) {
+ return BlockAction::Deny;
+ }
+
+ if (!aHeaders) {
+ return BlockAction::Error;
+ }
+
+ if (aInfo->mFlags & DllBlockInfo::USE_TIMESTAMP) {
+ DWORD timestamp;
+ if (!aHeaders.GetTimeStamp(timestamp)) {
+ return BlockAction::Error;
+ }
+
+ if (timestamp > aInfo->mMaxVersion) {
+ return BlockAction::Allow;
+ }
+
+ return BlockAction::Deny;
+ }
+
+ // Else we try to get the file version information. Note that we don't have
+ // access to GetFileVersionInfo* APIs.
+ if (!aHeaders.GetVersionInfo(aVersion)) {
+ return BlockAction::Error;
+ }
+
+ if (aInfo->IsVersionBlocked(aVersion)) {
+ return BlockAction::Deny;
+ }
+
+ return BlockAction::Allow;
+}
+
+struct DllBlockInfoComparator {
+ explicit DllBlockInfoComparator(const UNICODE_STRING& aTarget)
+ : mTarget(&aTarget) {}
+
+ int operator()(const DllBlockInfo& aVal) const {
+ return static_cast<int>(
+ ::RtlCompareUnicodeString(mTarget, &aVal.mName, TRUE));
+ }
+
+ PCUNICODE_STRING mTarget;
+};
+
+static BOOL WINAPI NoOp_DllMain(HINSTANCE, DWORD, LPVOID) { return TRUE; }
+
+static BlockAction DetermineBlockAction(const UNICODE_STRING& aLeafName,
+ void* aBaseAddress) {
+ if (mozilla::nt::Contains12DigitHexString(aLeafName) ||
+ mozilla::nt::IsFileNameAtLeast16HexDigits(aLeafName)) {
+ return BlockAction::Deny;
+ }
+
+ DECLARE_POINTER_TO_FIRST_DLL_BLOCKLIST_ENTRY(info);
+ DECLARE_DLL_BLOCKLIST_NUM_ENTRIES(infoNumEntries);
+
+ DllBlockInfoComparator comp(aLeafName);
+
+ size_t match;
+ if (!BinarySearchIf(info, 0, infoNumEntries, comp, &match)) {
+ return BlockAction::Allow;
+ }
+
+ const DllBlockInfo& entry = info[match];
+
+ mozilla::nt::PEHeaders headers(aBaseAddress);
+ uint64_t version;
+ BlockAction checkResult = CheckBlockInfo(&entry, headers, version);
+ if (checkResult == BlockAction::Allow) {
+ return checkResult;
+ }
+
+ gBlockSet.Add(entry.mName, version);
+
+ if (entry.mFlags & DllBlockInfo::REDIRECT_TO_NOOP_ENTRYPOINT) {
+ // For modules with REDIRECT_TO_NOOP_ENTRYPOINT, we allow a module to be
+ // loaded but detour the entrypoint to NoOp_DllMain so that the module has
+ // no chance to interact with our code. We need this technique to safely
+ // block a module injected by IAT tampering because blocking such a module
+ // makes a process fail to launch.
+ // If we fail to detour a module's entrypoint, we reluctantly allow the
+ // module for free.
+
+ static RTL_RUN_ONCE sRunOnce = RTL_RUN_ONCE_INIT;
+ mozilla::freestanding::gK32.Resolve(sRunOnce);
+ if (!mozilla::freestanding::gK32.IsResolved()) {
+ return BlockAction::Allow;
+ }
+
+ mozilla::interceptor::WindowsDllEntryPointInterceptor interceptor(
+ mozilla::freestanding::gK32);
+ if (!interceptor.Set(headers, NoOp_DllMain)) {
+ return BlockAction::Allow;
+ }
+
+ return BlockAction::NoOpEntryPoint;
+ }
+
+ return checkResult;
+}
+
+namespace mozilla {
+namespace freestanding {
+
+CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll;
+
+NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags,
+ PUNICODE_STRING aDllName,
+ PHANDLE aOutHandle) {
+ ModuleLoadFrame frame(aDllName);
+
+ NTSTATUS ntStatus = stub_LdrLoadDll(aDllPath, aFlags, aDllName, aOutHandle);
+
+ return frame.SetLoadStatus(ntStatus, aOutHandle);
+}
+
+CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr>
+ stub_NtMapViewOfSection;
+
+NTSTATUS NTAPI patched_NtMapViewOfSection(
+ HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits,
+ SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize,
+ SECTION_INHERIT aInheritDisposition, ULONG aAllocationType,
+ ULONG aProtectionFlags) {
+ // We always map first, then we check for additional info after.
+ NTSTATUS stubStatus = stub_NtMapViewOfSection(
+ aSection, aProcess, aBaseAddress, aZeroBits, aCommitSize, aSectionOffset,
+ aViewSize, aInheritDisposition, aAllocationType, aProtectionFlags);
+ if (!NT_SUCCESS(stubStatus)) {
+ return stubStatus;
+ }
+
+ if (aProcess != nt::kCurrentProcess) {
+ // We're only interested in mapping for the current process.
+ return stubStatus;
+ }
+
+ // Do a query to see if the memory is MEM_IMAGE. If not, continue
+ MEMORY_BASIC_INFORMATION mbi;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(aProcess, *aBaseAddress, MemoryBasicInformation,
+ &mbi, sizeof(mbi), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+ }
+
+ // We don't care about mappings that aren't MEM_IMAGE
+ if (!(mbi.Type & MEM_IMAGE)) {
+ return stubStatus;
+ }
+
+ // Get the section name
+ nt::MemorySectionNameBuf sectionFileName(
+ gLoaderPrivateAPI.GetSectionNameBuffer(*aBaseAddress));
+ if (sectionFileName.IsEmpty()) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+ }
+
+ // Find the leaf name
+ UNICODE_STRING leafOnStack;
+ nt::GetLeafName(&leafOnStack, sectionFileName);
+
+ // Check blocklist
+ BlockAction blockAction = DetermineBlockAction(leafOnStack, *aBaseAddress);
+
+ if (blockAction == BlockAction::Allow) {
+ if (nt::RtlGetProcessHeap()) {
+ ModuleLoadFrame::NotifySectionMap(
+ nt::AllocatedUnicodeString(sectionFileName), *aBaseAddress,
+ stubStatus);
+ }
+ return stubStatus;
+ }
+
+ if (blockAction == BlockAction::SubstituteLSP) {
+ // The process heap needs to be available here because
+ // NotifyLSPSubstitutionRequired below copies a given string into the heap.
+ // We use a soft assert here, assuming LSP load always occurs after the heap
+ // is initialized.
+ MOZ_ASSERT(nt::RtlGetProcessHeap());
+
+ // Notify patched_LdrLoadDll that it will be necessary to perform a
+ // substitution before returning.
+ ModuleLoadFrame::NotifyLSPSubstitutionRequired(&leafOnStack);
+ }
+
+ if (blockAction == BlockAction::NoOpEntryPoint) {
+ return stubStatus;
+ }
+
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+}
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.h b/browser/app/winlauncher/freestanding/DllBlocklist.h
new file mode 100644
index 0000000000..153a1dfb28
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/DllBlocklist.h
@@ -0,0 +1,38 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_DllBlocklist_h
+#define mozilla_freestanding_DllBlocklist_h
+
+#include "mozilla/NativeNt.h"
+#include "nsWindowsDllInterceptor.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+namespace freestanding {
+
+NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags,
+ PUNICODE_STRING aDllName, PHANDLE aOutHandle);
+
+NTSTATUS NTAPI patched_NtMapViewOfSection(
+ HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits,
+ SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize,
+ SECTION_INHERIT aInheritDisposition, ULONG aAllocationType,
+ ULONG aProtectionFlags);
+
+using LdrLoadDllPtr = decltype(&::LdrLoadDll);
+
+extern CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll;
+
+using NtMapViewOfSectionPtr = decltype(&::NtMapViewOfSection);
+
+extern CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr>
+ stub_NtMapViewOfSection;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_DllBlocklist_h
diff --git a/browser/app/winlauncher/freestanding/Freestanding.h b/browser/app/winlauncher/freestanding/Freestanding.h
new file mode 100644
index 0000000000..35886f7231
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/Freestanding.h
@@ -0,0 +1,66 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_Freestanding_h
+#define mozilla_freestanding_Freestanding_h
+
+/**
+ * This header is automatically included in all source code residing in the
+ * /browser/app/winlauncher/freestanding directory.
+ */
+
+#if defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1
+# error "This header should only be included by freestanding code"
+#endif // defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1
+
+#include "mozilla/NativeNt.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * Since this library is the only part of firefox.exe that needs special
+ * treatment with respect to the heap, we implement |RtlNew| and |RtlDelete|
+ * to be used instead of |new| and |delete| for any heap allocations inside
+ * the freestanding library.
+ */
+template <typename T, typename... Args>
+inline static T* RtlNew(Args&&... aArgs) {
+ HANDLE processHeap = nt::RtlGetProcessHeap();
+ if (!processHeap) {
+ // Handle the case where the process heap is not initialized because
+ // passing nullptr to RtlAllocateHeap crashes the process.
+ return nullptr;
+ }
+
+ void* ptr = ::RtlAllocateHeap(processHeap, 0, sizeof(T));
+ if (!ptr) {
+ return nullptr;
+ }
+
+ return new (ptr) T(std::forward<Args>(aArgs)...);
+}
+
+template <typename T>
+inline static void RtlDelete(T* aPtr) {
+ if (!aPtr) {
+ return;
+ }
+
+ aPtr->~T();
+ ::RtlFreeHeap(nt::RtlGetProcessHeap(), 0, aPtr);
+}
+
+} // namespace freestanding
+} // namespace mozilla
+
+// Initialization code for all statically-allocated data in freestanding is
+// placed into a separate section. This allows us to initialize any
+// freestanding statics without needing to initialize everything else in this
+// binary.
+#pragma init_seg(".freestd$g")
+
+#endif // mozilla_freestanding_Freestanding_h
diff --git a/browser/app/winlauncher/freestanding/FunctionTableResolver.cpp b/browser/app/winlauncher/freestanding/FunctionTableResolver.cpp
new file mode 100644
index 0000000000..a71d7e4d18
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/FunctionTableResolver.cpp
@@ -0,0 +1,113 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "FunctionTableResolver.h"
+
+namespace mozilla {
+namespace freestanding {
+
+Kernel32ExportsSolver gK32;
+
+bool Kernel32ExportsSolver::IsInitialized() const {
+ return mState == State::Initialized || IsResolved();
+}
+
+bool Kernel32ExportsSolver::IsResolved() const {
+ return mState == State::Resolved;
+}
+
+// Why don't we use ::GetProcAddress?
+// If the export table of kernel32.dll is tampered in the current process,
+// we cannot transfer an RVA because the function pointed by the RVA may not
+// exist in a target process.
+// We can use ::GetProcAddress with additional check to detect tampering, but
+// FindExportAddressTableEntry fits perfectly here because it returns nullptr
+// if the target entry is outside the image, which means it's tampered or
+// forwarded to another DLL.
+#define INIT_FUNCTION(exports, name) \
+ do { \
+ auto rvaToFunction = exports.FindExportAddressTableEntry(#name); \
+ if (!rvaToFunction) { \
+ return; \
+ } \
+ mOffsets.m##name = *rvaToFunction; \
+ } while (0)
+
+#define RESOLVE_FUNCTION(base, name) \
+ m##name = reinterpret_cast<decltype(m##name)>(base + mOffsets.m##name)
+
+void Kernel32ExportsSolver::Init() {
+ if (mState == State::Initialized || mState == State::Resolved) {
+ return;
+ }
+
+ interceptor::MMPolicyInProcess policy;
+ auto k32Exports = nt::PEExportSection<interceptor::MMPolicyInProcess>::Get(
+ ::GetModuleHandleW(L"kernel32.dll"), policy);
+ if (!k32Exports) {
+ return;
+ }
+
+ // Please make sure these functions are not forwarded to another DLL.
+ INIT_FUNCTION(k32Exports, FlushInstructionCache);
+ INIT_FUNCTION(k32Exports, GetSystemInfo);
+ INIT_FUNCTION(k32Exports, VirtualProtect);
+
+ mState = State::Initialized;
+}
+
+void Kernel32ExportsSolver::ResolveInternal() {
+ if (mState == State::Resolved) {
+ return;
+ }
+
+ MOZ_RELEASE_ASSERT(mState == State::Initialized);
+
+ UNICODE_STRING k32Name;
+ ::RtlInitUnicodeString(&k32Name, L"kernel32.dll");
+
+ // We cannot use GetModuleHandleW because this code can be called
+ // before IAT is resolved.
+ auto k32Module = nt::GetModuleHandleFromLeafName(k32Name);
+ MOZ_RELEASE_ASSERT(k32Module.isOk());
+
+ uintptr_t k32Base =
+ nt::PEHeaders::HModuleToBaseAddr<uintptr_t>(k32Module.unwrap());
+
+ RESOLVE_FUNCTION(k32Base, FlushInstructionCache);
+ RESOLVE_FUNCTION(k32Base, GetSystemInfo);
+ RESOLVE_FUNCTION(k32Base, VirtualProtect);
+
+ mState = State::Resolved;
+}
+
+/* static */
+ULONG NTAPI Kernel32ExportsSolver::ResolveOnce(PRTL_RUN_ONCE aRunOnce,
+ PVOID aParameter, PVOID*) {
+ reinterpret_cast<Kernel32ExportsSolver*>(aParameter)->ResolveInternal();
+ return TRUE;
+}
+
+void Kernel32ExportsSolver::Resolve(RTL_RUN_ONCE& aRunOnce) {
+ ::RtlRunOnceExecuteOnce(&aRunOnce, &ResolveOnce, this, nullptr);
+}
+
+void Kernel32ExportsSolver::Transfer(
+ HANDLE aTargetProcess, Kernel32ExportsSolver* aTargetAddress) const {
+ SIZE_T bytesWritten = 0;
+ BOOL ok = ::WriteProcessMemory(aTargetProcess, &aTargetAddress->mOffsets,
+ &mOffsets, sizeof(mOffsets), &bytesWritten);
+ if (!ok) {
+ return;
+ }
+
+ State stateInChild = State::Initialized;
+ ::WriteProcessMemory(aTargetProcess, &aTargetAddress->mState, &stateInChild,
+ sizeof(stateInChild), &bytesWritten);
+}
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/FunctionTableResolver.h b/browser/app/winlauncher/freestanding/FunctionTableResolver.h
new file mode 100644
index 0000000000..ec9aa5c651
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/FunctionTableResolver.h
@@ -0,0 +1,60 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_FunctionTableResolver_h
+#define mozilla_freestanding_FunctionTableResolver_h
+
+#include "mozilla/NativeNt.h"
+#include "mozilla/interceptor/MMPolicies.h"
+
+namespace mozilla {
+namespace freestanding {
+
+// This class calculates RVAs of kernel32's functions and transfers them
+// to a target process, where the transferred RVAs are resolved into
+// function addresses so that the target process can use them after
+// kernel32.dll is loaded and before IAT is resolved.
+class MOZ_TRIVIAL_CTOR_DTOR Kernel32ExportsSolver final
+ : public interceptor::MMPolicyInProcessEarlyStage::Kernel32Exports {
+ enum class State {
+ Uninitialized,
+ Initialized,
+ Resolved,
+ } mState;
+
+ struct FunctionOffsets {
+ uint32_t mFlushInstructionCache;
+ uint32_t mGetSystemInfo;
+ uint32_t mVirtualProtect;
+ } mOffsets;
+
+ static ULONG NTAPI ResolveOnce(PRTL_RUN_ONCE aRunOnce, PVOID aParameter,
+ PVOID*);
+ void ResolveInternal();
+
+ public:
+ Kernel32ExportsSolver() = default;
+
+ Kernel32ExportsSolver(const Kernel32ExportsSolver&) = delete;
+ Kernel32ExportsSolver(Kernel32ExportsSolver&&) = delete;
+ Kernel32ExportsSolver& operator=(const Kernel32ExportsSolver&) = delete;
+ Kernel32ExportsSolver& operator=(Kernel32ExportsSolver&&) = delete;
+
+ bool IsInitialized() const;
+ bool IsResolved() const;
+
+ void Init();
+ void Resolve(RTL_RUN_ONCE& aRunOnce);
+ void Transfer(HANDLE aTargetProcess,
+ Kernel32ExportsSolver* aTargetAddress) const;
+};
+
+extern Kernel32ExportsSolver gK32;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_FunctionTableResolver_h
diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp
new file mode 100644
index 0000000000..40bc8ac639
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp
@@ -0,0 +1,280 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "LoaderPrivateAPI.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Types.h"
+#include "mozilla/Unused.h"
+#include "../DllBlocklistInit.h"
+
+using GlobalInitializerFn = void(__cdecl*)(void);
+
+// Allocation of static initialization section for the freestanding library
+#pragma section(".freestd$a", read)
+__declspec(allocate(".freestd$a")) static const GlobalInitializerFn
+ FreeStdStart = reinterpret_cast<GlobalInitializerFn>(0);
+
+#pragma section(".freestd$z", read)
+__declspec(allocate(".freestd$z")) static const GlobalInitializerFn FreeStdEnd =
+ reinterpret_cast<GlobalInitializerFn>(0);
+
+namespace mozilla {
+namespace freestanding {
+
+static RTL_RUN_ONCE gRunOnce = RTL_RUN_ONCE_INIT;
+
+// The contract for this callback is identical to the InitOnceCallback from
+// Win32 land; we're just using ntdll-layer types instead.
+static ULONG NTAPI DoOneTimeInit(PRTL_RUN_ONCE aRunOnce, PVOID aParameter,
+ PVOID* aContext) {
+ // Invoke every static initializer in the .freestd section
+ const GlobalInitializerFn* cur = &FreeStdStart + 1;
+ while (cur < &FreeStdEnd) {
+ if (*cur) {
+ (*cur)();
+ }
+
+ ++cur;
+ }
+
+ return TRUE;
+}
+
+/**
+ * This observer is only used until the mozglue observer connects itself.
+ * All we do here is accumulate the module loads into a vector.
+ * As soon as mozglue connects, we call |Forward| on mozglue's LoaderObserver
+ * to pass our vector on for further processing. This object then becomes
+ * defunct.
+ */
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS DefaultLoaderObserver final
+ : public nt::LoaderObserver {
+ public:
+ constexpr DefaultLoaderObserver() : mModuleLoads(nullptr) {}
+
+ void OnBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final {}
+ bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) final {
+ return false;
+ }
+ void OnEndDllLoad(void* aContext, NTSTATUS aNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) final;
+ void Forward(nt::LoaderObserver* aNext) final;
+ void OnForward(ModuleLoadInfoVec&& aInfo) final {
+ MOZ_ASSERT_UNREACHABLE("Not valid in freestanding::DefaultLoaderObserver");
+ }
+
+ private:
+ mozilla::nt::SRWLock mLock;
+ ModuleLoadInfoVec* mModuleLoads;
+};
+
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS LoaderPrivateAPIImp final
+ : public LoaderPrivateAPI {
+ public:
+ // LoaderAPI
+ ModuleLoadInfo ConstructAndNotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) final;
+ bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) final;
+ void NotifyEndDllLoad(void* aContext, NTSTATUS aLoadNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) final;
+ nt::AllocatedUnicodeString GetSectionName(void* aSectionAddr) final;
+ nt::LoaderAPI::InitDllBlocklistOOPFnPtr GetDllBlocklistInitFn() final;
+
+ // LoaderPrivateAPI
+ void NotifyBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final;
+ void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo, void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final;
+ void SetObserver(nt::LoaderObserver* aNewObserver) final;
+ bool IsDefaultObserver() const final;
+ nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) final;
+};
+
+static void Init() {
+ DebugOnly<NTSTATUS> ntStatus =
+ ::RtlRunOnceExecuteOnce(&gRunOnce, &DoOneTimeInit, nullptr, nullptr);
+ MOZ_ASSERT(NT_SUCCESS(ntStatus));
+}
+
+} // namespace freestanding
+} // namespace mozilla
+
+static mozilla::freestanding::DefaultLoaderObserver gDefaultObserver;
+static mozilla::freestanding::LoaderPrivateAPIImp gPrivateAPI;
+
+static mozilla::nt::SRWLock gLoaderObserverLock;
+static mozilla::nt::LoaderObserver* gLoaderObserver = &gDefaultObserver;
+
+namespace mozilla {
+namespace freestanding {
+
+LoaderPrivateAPI& gLoaderPrivateAPI = gPrivateAPI;
+
+void DefaultLoaderObserver::OnEndDllLoad(void* aContext, NTSTATUS aNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) {
+ // If the DLL load failed, or if the DLL was loaded by a previous request
+ // and thus was not mapped by this request, we do not save the ModuleLoadInfo.
+ if (!NT_SUCCESS(aNtStatus) || !aModuleLoadInfo.WasMapped()) {
+ return;
+ }
+
+ nt::AutoExclusiveLock lock(mLock);
+ if (!mModuleLoads) {
+ mModuleLoads = RtlNew<ModuleLoadInfoVec>();
+ if (!mModuleLoads) {
+ return;
+ }
+ }
+
+ Unused << mModuleLoads->emplaceBack(
+ std::forward<ModuleLoadInfo>(aModuleLoadInfo));
+}
+
+/**
+ * Pass mModuleLoads's data off to |aNext| for further processing.
+ */
+void DefaultLoaderObserver::Forward(nt::LoaderObserver* aNext) {
+ MOZ_ASSERT(aNext);
+ if (!aNext) {
+ return;
+ }
+
+ ModuleLoadInfoVec* moduleLoads = nullptr;
+
+ { // Scope for lock
+ nt::AutoExclusiveLock lock(mLock);
+ moduleLoads = mModuleLoads;
+ mModuleLoads = nullptr;
+ }
+
+ if (!moduleLoads) {
+ return;
+ }
+
+ aNext->OnForward(std::move(*moduleLoads));
+ RtlDelete(moduleLoads);
+}
+
+ModuleLoadInfo LoaderPrivateAPIImp::ConstructAndNotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) {
+ ModuleLoadInfo loadInfo(aRequestedDllName);
+
+ NotifyBeginDllLoad(loadInfo, aContext, aRequestedDllName);
+
+ return loadInfo;
+}
+
+bool LoaderPrivateAPIImp::SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ return gLoaderObserver->SubstituteForLSP(aLSPLeafName, aOutHandle);
+}
+
+void LoaderPrivateAPIImp::NotifyEndDllLoad(void* aContext,
+ NTSTATUS aLoadNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) {
+ aModuleLoadInfo.SetEndLoadTimeStamp();
+
+ if (NT_SUCCESS(aLoadNtStatus)) {
+ aModuleLoadInfo.CaptureBacktrace();
+ }
+
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+
+ // We need to notify the observer that the DLL load has ended even when
+ // |aLoadNtStatus| indicates a failure. This is to ensure that any resources
+ // acquired by the observer during OnBeginDllLoad are cleaned up.
+ gLoaderObserver->OnEndDllLoad(aContext, aLoadNtStatus,
+ std::move(aModuleLoadInfo));
+}
+
+nt::AllocatedUnicodeString LoaderPrivateAPIImp::GetSectionName(
+ void* aSectionAddr) {
+ const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1);
+
+ nt::MemorySectionNameBuf buf;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName,
+ &buf, sizeof(buf), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ return nt::AllocatedUnicodeString();
+ }
+
+ return nt::AllocatedUnicodeString(&buf.mSectionFileName);
+}
+
+nt::LoaderAPI::InitDllBlocklistOOPFnPtr
+LoaderPrivateAPIImp::GetDllBlocklistInitFn() {
+ return &InitializeDllBlocklistOOP;
+}
+
+nt::MemorySectionNameBuf LoaderPrivateAPIImp::GetSectionNameBuffer(
+ void* aSectionAddr) {
+ const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1);
+
+ nt::MemorySectionNameBuf buf;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName,
+ &buf, sizeof(buf), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ return nt::MemorySectionNameBuf();
+ }
+
+ return buf;
+}
+
+void LoaderPrivateAPIImp::NotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ gLoaderObserver->OnBeginDllLoad(aContext, aRequestedDllName);
+}
+
+void LoaderPrivateAPIImp::NotifyBeginDllLoad(
+ ModuleLoadInfo& aModuleLoadInfo, void** aContext,
+ PCUNICODE_STRING aRequestedDllName) {
+ NotifyBeginDllLoad(aContext, aRequestedDllName);
+ aModuleLoadInfo.SetBeginLoadTimeStamp();
+}
+
+void LoaderPrivateAPIImp::SetObserver(nt::LoaderObserver* aNewObserver) {
+ nt::LoaderObserver* prevLoaderObserver = nullptr;
+
+ nt::AutoExclusiveLock lock(gLoaderObserverLock);
+
+ MOZ_ASSERT(aNewObserver);
+ if (!aNewObserver) {
+ // This is unlikely, but we always want a valid observer, so use the
+ // gDefaultObserver if necessary.
+ gLoaderObserver = &gDefaultObserver;
+ return;
+ }
+
+ prevLoaderObserver = gLoaderObserver;
+ gLoaderObserver = aNewObserver;
+
+ MOZ_ASSERT(prevLoaderObserver);
+ if (!prevLoaderObserver) {
+ return;
+ }
+
+ // Now that we have a new observer, the previous observer must forward its
+ // data on to the new observer for processing.
+ prevLoaderObserver->Forward(aNewObserver);
+}
+
+bool LoaderPrivateAPIImp::IsDefaultObserver() const {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ return gLoaderObserver == &gDefaultObserver;
+}
+
+void EnsureInitialized() { Init(); }
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h
new file mode 100644
index 0000000000..f21472d689
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_LoaderPrivateAPI_h
+#define mozilla_freestanding_LoaderPrivateAPI_h
+
+#include "mozilla/LoaderAPIInterfaces.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * This part of the API is available only to the launcher process.
+ */
+class NS_NO_VTABLE LoaderPrivateAPI : public nt::LoaderAPI {
+ public:
+ /**
+ * Notify the nt::LoaderObserver that a module load is beginning
+ */
+ virtual void NotifyBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) = 0;
+ /**
+ * Notify the nt::LoaderObserver that a module load is beginning and set the
+ * begin load timestamp on |aModuleLoadInfo|.
+ */
+ virtual void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo,
+ void** aContext,
+ PCUNICODE_STRING aRequestedDllName) = 0;
+
+ /**
+ * Set a new nt::LoaderObserver to be used by the launcher process. NB: This
+ * should only happen while the current process is still single-threaded!
+ */
+ virtual void SetObserver(nt::LoaderObserver* aNewObserver) = 0;
+
+ /**
+ * Returns true if the current nt::LoaderObserver is the launcher process's
+ * built-in observer.
+ */
+ virtual bool IsDefaultObserver() const = 0;
+
+ /**
+ * Returns the name of a given mapped section address as a local instance of
+ * nt::MemorySectionNameBuf. This does not involve heap allocation.
+ */
+ virtual nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) = 0;
+};
+
+/**
+ * Ensures that any statics in the freestanding library are initialized.
+ */
+void EnsureInitialized();
+
+extern LoaderPrivateAPI& gLoaderPrivateAPI;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_LoaderPrivateAPI_h
diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp
new file mode 100644
index 0000000000..ecd9d434ff
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp
@@ -0,0 +1,129 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ModuleLoadFrame.h"
+
+#include "LoaderPrivateAPI.h"
+
+namespace mozilla {
+namespace freestanding {
+
+ModuleLoadFrame::ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName)
+ : mPrev(sTopFrame.get()),
+ mContext(nullptr),
+ mLSPSubstitutionRequired(false),
+ mLoadNtStatus(STATUS_UNSUCCESSFUL),
+ mLoadInfo(aRequestedDllName) {
+ EnsureInitialized();
+ sTopFrame.set(this);
+
+ gLoaderPrivateAPI.NotifyBeginDllLoad(mLoadInfo, &mContext, aRequestedDllName);
+}
+
+ModuleLoadFrame::ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aNtStatus)
+ : mPrev(sTopFrame.get()),
+ mContext(nullptr),
+ mLSPSubstitutionRequired(false),
+ mLoadNtStatus(aNtStatus),
+ mLoadInfo(std::move(aSectionName), aMapBaseAddr) {
+ sTopFrame.set(this);
+
+ gLoaderPrivateAPI.NotifyBeginDllLoad(&mContext, mLoadInfo.mSectionName);
+}
+
+ModuleLoadFrame::~ModuleLoadFrame() {
+ gLoaderPrivateAPI.NotifyEndDllLoad(mContext, mLoadNtStatus,
+ std::move(mLoadInfo));
+ sTopFrame.set(mPrev);
+}
+
+/* static */
+void ModuleLoadFrame::NotifyLSPSubstitutionRequired(
+ PCUNICODE_STRING aLeafName) {
+ ModuleLoadFrame* topFrame = sTopFrame.get();
+ if (!topFrame) {
+ return;
+ }
+
+ topFrame->SetLSPSubstitutionRequired(aLeafName);
+}
+
+void ModuleLoadFrame::SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName) {
+ MOZ_ASSERT(!mLoadInfo.mBaseAddr);
+ if (mLoadInfo.mBaseAddr) {
+ // If mBaseAddr is not null then |this| has already seen a module load. This
+ // should not be the case for a LSP substitution, so we bail.
+ return;
+ }
+
+ // Save aLeafName, as it will be used by SetLoadStatus when invoking
+ // SubstituteForLSP
+ mLoadInfo.mRequestedDllName = aLeafName;
+ mLSPSubstitutionRequired = true;
+}
+
+/* static */
+void ModuleLoadFrame::NotifySectionMap(
+ nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus) {
+ ModuleLoadFrame* topFrame = sTopFrame.get();
+ if (!topFrame) {
+ // The only time that this data is useful is during initial mapping of
+ // the executable's dependent DLLs. If mozglue is present then
+ // IsDefaultObserver will return false, indicating that we are beyond
+ // initial process startup.
+ if (gLoaderPrivateAPI.IsDefaultObserver()) {
+ OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus);
+ }
+ return;
+ }
+
+ topFrame->OnSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus);
+}
+
+void ModuleLoadFrame::OnSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus) {
+ if (mLoadInfo.mBaseAddr) {
+ // If mBaseAddr is not null then |this| has already seen a module load. This
+ // means that we are witnessing a bare section map.
+ OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus);
+ return;
+ }
+
+ mLoadInfo.mSectionName = std::move(aSectionName);
+ mLoadInfo.mBaseAddr = aMapBaseAddr;
+}
+
+/* static */
+void ModuleLoadFrame::OnBareSectionMap(
+ nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus) {
+ // We call the special constructor variant that is used for bare mappings.
+ ModuleLoadFrame frame(std::move(aSectionName), aMapBaseAddr, aMapNtStatus);
+}
+
+NTSTATUS ModuleLoadFrame::SetLoadStatus(NTSTATUS aNtStatus,
+ PHANDLE aOutHandle) {
+ mLoadNtStatus = aNtStatus;
+
+ if (!mLSPSubstitutionRequired) {
+ return aNtStatus;
+ }
+
+ if (!gLoaderPrivateAPI.SubstituteForLSP(mLoadInfo.mRequestedDllName,
+ aOutHandle)) {
+ return aNtStatus;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+SafeThreadLocal<ModuleLoadFrame*> ModuleLoadFrame::sTopFrame;
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.h b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h
new file mode 100644
index 0000000000..044a4caafb
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h
@@ -0,0 +1,90 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_ModuleLoadFrame_h
+#define mozilla_freestanding_ModuleLoadFrame_h
+
+#include "mozilla/LoaderAPIInterfaces.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/ThreadLocal.h"
+
+#include "SafeThreadLocal.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * This class holds information about a DLL load at a particular frame in the
+ * current thread's stack. Each instance adds itself to a thread-local linked
+ * list of ModuleLoadFrames, enabling us to query information about the
+ * previous module load on the stack.
+ */
+class MOZ_RAII ModuleLoadFrame final {
+ public:
+ /**
+ * This constructor is for use by the LdrLoadDll hook.
+ */
+ explicit ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName);
+ ~ModuleLoadFrame();
+
+ static void NotifyLSPSubstitutionRequired(PCUNICODE_STRING aLeafName);
+
+ /**
+ * This static method is called by the NtMapViewOfSection hook.
+ */
+ static void NotifySectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus);
+
+ /**
+ * Called by the LdrLoadDll hook to indicate the status of the load and for
+ * us to provide a substitute output handle if necessary.
+ */
+ NTSTATUS SetLoadStatus(NTSTATUS aNtStatus, PHANDLE aOutHandle);
+
+ ModuleLoadFrame(const ModuleLoadFrame&) = delete;
+ ModuleLoadFrame(ModuleLoadFrame&&) = delete;
+ ModuleLoadFrame& operator=(const ModuleLoadFrame&) = delete;
+ ModuleLoadFrame& operator=(ModuleLoadFrame&&) = delete;
+
+ private:
+ /**
+ * Called by OnBareSectionMap to construct a frame for a bare load.
+ */
+ ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aNtStatus);
+
+ void SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName);
+ void OnSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus);
+
+ /**
+ * A "bare" section mapping is one that was mapped without the code passing
+ * through a call to ntdll!LdrLoadDll. This method is invoked when we detect
+ * that condition.
+ */
+ static void OnBareSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus);
+
+ private:
+ // Link to the previous frame
+ ModuleLoadFrame* mPrev;
+ // Pointer to context managed by the nt::LoaderObserver implementation
+ void* mContext;
+ // Set to |true| when we need to block a WinSock LSP
+ bool mLSPSubstitutionRequired;
+ // NTSTATUS code from the |LdrLoadDll| call
+ NTSTATUS mLoadNtStatus;
+ // Telemetry information that will be forwarded to the nt::LoaderObserver
+ ModuleLoadInfo mLoadInfo;
+
+ // Head of the linked list
+ static SafeThreadLocal<ModuleLoadFrame*> sTopFrame;
+};
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_ModuleLoadFrame_h
diff --git a/browser/app/winlauncher/freestanding/SafeThreadLocal.h b/browser/app/winlauncher/freestanding/SafeThreadLocal.h
new file mode 100644
index 0000000000..e4b869f649
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SafeThreadLocal.h
@@ -0,0 +1,96 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_SafeThreadLocal_h
+#define mozilla_freestanding_SafeThreadLocal_h
+
+#include <type_traits>
+
+#include "mozilla/NativeNt.h"
+#include "mozilla/ThreadLocal.h"
+
+namespace mozilla {
+namespace freestanding {
+
+// We cannot fall back to the Tls* APIs because kernel32 might not have been
+// loaded yet.
+#if defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD)
+# error "This code requires the compiler to have native TLS support"
+#endif // defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD)
+
+/**
+ * This class holds data as a thread-local variable, or as a global variable
+ * if the thread local storage is not initialized yet. It should be safe
+ * because in that early stage we assume there is no more than a single thread.
+ */
+template <typename T>
+class SafeThreadLocal final {
+ static MOZ_THREAD_LOCAL(T) sThreadLocal;
+ static T sGlobal;
+ static bool sIsTlsUsed;
+
+ // In normal cases, TLS is always available and the class uses sThreadLocal
+ // without changing sMainThreadId. So sMainThreadId is likely to be 0.
+ //
+ // If TLS is not available, we use sGlobal instead and update sMainThreadId
+ // so that that thread keeps using sGlobal even after TLS is initialized
+ // later.
+ static DWORD sMainThreadId;
+
+ // Need non-inline accessors to prevent the compiler from generating code
+ // accessing sThreadLocal before checking a condition.
+ MOZ_NEVER_INLINE static void SetGlobalValue(T aValue) { sGlobal = aValue; }
+ MOZ_NEVER_INLINE static T GetGlobalValue() { return sGlobal; }
+
+ public:
+ static void set(T aValue) {
+ static_assert(std::is_pointer_v<T>,
+ "SafeThreadLocal must be used with a pointer");
+
+ if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) {
+ SetGlobalValue(aValue);
+ } else if (sIsTlsUsed) {
+ MOZ_ASSERT(mozilla::nt::RtlGetThreadLocalStoragePointer(),
+ "Once TLS is used, TLS should be available till the end.");
+ sThreadLocal.set(aValue);
+ } else if (mozilla::nt::RtlGetThreadLocalStoragePointer()) {
+ sIsTlsUsed = true;
+ sThreadLocal.set(aValue);
+ } else {
+ MOZ_ASSERT(sMainThreadId == 0,
+ "A second thread cannot be created before TLS is available.");
+ sMainThreadId = mozilla::nt::RtlGetCurrentThreadId();
+ SetGlobalValue(aValue);
+ }
+ }
+
+ static T get() {
+ if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) {
+ return GetGlobalValue();
+ } else if (sIsTlsUsed) {
+ return sThreadLocal.get();
+ }
+ return GetGlobalValue();
+ }
+};
+
+template <typename T>
+MOZ_THREAD_LOCAL(T)
+SafeThreadLocal<T>::sThreadLocal;
+
+template <typename T>
+T SafeThreadLocal<T>::sGlobal = nullptr;
+
+template <typename T>
+bool SafeThreadLocal<T>::sIsTlsUsed = false;
+
+template <typename T>
+DWORD SafeThreadLocal<T>::sMainThreadId = 0;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_SafeThreadLocal_h
diff --git a/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py
new file mode 100644
index 0000000000..6a91f63fbc
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py
@@ -0,0 +1,30 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+from __future__ import absolute_import
+
+import os
+import subprocess
+import tempfile
+
+
+def main(output_fd, def_file, llvm_dlltool, *llvm_dlltool_args):
+ # llvm-dlltool can't output to stdout, so we create a temp file, use that
+ # to write out the lib, and then copy it over to output_fd
+ (tmp_fd, tmp_output) = tempfile.mkstemp()
+ os.close(tmp_fd)
+
+ try:
+ cmd = [llvm_dlltool]
+ cmd.extend(llvm_dlltool_args)
+ cmd += ['-d', def_file, '-l', tmp_output]
+
+ subprocess.check_call(cmd)
+
+ with open(tmp_output, 'rb') as tmplib:
+ output_fd.write(tmplib.read())
+ finally:
+ os.remove(tmp_output)
diff --git a/browser/app/winlauncher/freestanding/moz.build b/browser/app/winlauncher/freestanding/moz.build
new file mode 100644
index 0000000000..460f8ec4cb
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/moz.build
@@ -0,0 +1,56 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library('winlauncher-freestanding')
+
+FORCE_STATIC_LIB = True
+
+# Our patched NtMapViewOfSection can be called before the process's import
+# table is populated. Don't let the compiler insert any instrumentation
+# that might call an import.
+NO_PGO = True
+
+UNIFIED_SOURCES += [
+ 'DllBlocklist.cpp',
+ 'FunctionTableResolver.cpp',
+ 'LoaderPrivateAPI.cpp',
+ 'ModuleLoadFrame.cpp',
+]
+
+# This library must be compiled in a freestanding environment, as its code must
+# not assume that it has access to any runtime libraries.
+if CONFIG['CC_TYPE'] == 'clang-cl':
+ CXXFLAGS += ['-Xclang']
+
+CXXFLAGS += [
+ '-ffreestanding',
+]
+
+# Forcibly include Freestanding.h into all source files in this library.
+if CONFIG['CC_TYPE'] == 'clang-cl':
+ CXXFLAGS += ['-FI']
+else:
+ CXXFLAGS += ['-include']
+
+CXXFLAGS += [ SRCDIR + '/Freestanding.h' ]
+
+OS_LIBS += [
+ 'ntdll',
+ 'ntdll_freestanding',
+]
+
+if CONFIG['COMPILE_ENVIRONMENT'] and CONFIG['LLVM_DLLTOOL']:
+ GeneratedFile(
+ '%sntdll_freestanding.%s' % (CONFIG['LIB_PREFIX'],
+ CONFIG['LIB_SUFFIX']),
+ script='gen_ntdll_freestanding_lib.py',
+ inputs=['ntdll_freestanding.def'],
+ flags=[CONFIG['LLVM_DLLTOOL']] + CONFIG['LLVM_DLLTOOL_FLAGS'])
+
+DisableStlWrapping()
+
+with Files('**'):
+ BUG_COMPONENT = ('Firefox', 'Launcher Process')
diff --git a/browser/app/winlauncher/freestanding/ntdll_freestanding.def b/browser/app/winlauncher/freestanding/ntdll_freestanding.def
new file mode 100644
index 0000000000..6e5e2685fe
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ntdll_freestanding.def
@@ -0,0 +1,25 @@
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+LIBRARY ntdll
+
+; When we compile with -freestanding, the compiler still requires implementation
+; of the four functions listed below.
+;
+; We could implement our own naive versions of these functions, but that
+; solution is less than ideal since the implementations must be extern and are
+; thus picked up by the entire firefox.exe binary. This denies the rest of
+; firefox.exe the benefit of optimized implementations. On Windows the
+; sandbox is linked into firefox.exe, so we cannot just shrug and
+; assume that a naive implementation will not have any effect on anything.
+;
+; There are, however, optimized implementations of these functions that are
+; exported by ntdll.dll. OTOH, they are not included in the ntdll.lib
+; import library. This .def file is used to build an import library that "fills
+; in the blanks" and allows us to link into the ntdll implementations.
+EXPORTS
+ memcmp
+ memcpy
+ memmove
+ memset
diff --git a/browser/app/winlauncher/moz.build b/browser/app/winlauncher/moz.build
new file mode 100644
index 0000000000..499396b377
--- /dev/null
+++ b/browser/app/winlauncher/moz.build
@@ -0,0 +1,51 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library('winlauncher')
+
+FORCE_STATIC_LIB = True
+
+UNIFIED_SOURCES += [
+ '/ipc/mscom/ProcessRuntime.cpp',
+ '/widget/windows/WindowsConsole.cpp',
+ 'DllBlocklistInit.cpp',
+ 'ErrorHandler.cpp',
+ 'LauncherProcessWin.cpp',
+ 'LaunchUnelevated.cpp',
+ 'NtLoaderAPI.cpp',
+]
+
+OS_LIBS += [
+ 'oleaut32',
+ 'ole32',
+ 'rpcrt4',
+ 'version',
+]
+
+DIRS += [
+ 'freestanding',
+]
+
+USE_LIBS += [
+ 'winlauncher-freestanding',
+]
+
+TEST_DIRS += [
+ 'test',
+]
+
+if CONFIG['MOZ_LAUNCHER_PROCESS']:
+ UNIFIED_SOURCES += [
+ '/toolkit/xre/LauncherRegistryInfo.cpp',
+ '/toolkit/xre/WinTokenUtils.cpp',
+ ]
+ for var in ('MOZ_APP_BASENAME', 'MOZ_APP_VENDOR'):
+ DEFINES[var] = '"%s"' % CONFIG[var]
+
+DisableStlWrapping()
+
+with Files('**'):
+ BUG_COMPONENT = ('Firefox', 'Launcher Process')
diff --git a/browser/app/winlauncher/test/TestSafeThreadLocal.cpp b/browser/app/winlauncher/test/TestSafeThreadLocal.cpp
new file mode 100644
index 0000000000..55078e8ace
--- /dev/null
+++ b/browser/app/winlauncher/test/TestSafeThreadLocal.cpp
@@ -0,0 +1,72 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "freestanding/SafeThreadLocal.h"
+
+#include "mozilla/NativeNt.h"
+#include "nsWindowsHelpers.h"
+
+#include <process.h>
+#include <stdio.h>
+
+// Need a non-inline function to bypass compiler optimization that the thread
+// local storage pointer is cached in a register before accessing a thread-local
+// variable.
+MOZ_NEVER_INLINE PVOID SwapThreadLocalStoragePointer(PVOID aNewValue) {
+ auto oldValue = mozilla::nt::RtlGetThreadLocalStoragePointer();
+ mozilla::nt::RtlSetThreadLocalStoragePointerForTestingOnly(aNewValue);
+ return oldValue;
+}
+
+static mozilla::freestanding::SafeThreadLocal<int*> gTheStorage;
+
+static unsigned int __stdcall TestNonMainThread(void* aArg) {
+ for (int i = 0; i < 100; ++i) {
+ gTheStorage.set(&i);
+ if (gTheStorage.get() != &i) {
+ printf(
+ "TEST-FAILED | TestSafeThreadLocal | "
+ "A value is not correctly stored in the thread-local storage.\n");
+ return 1;
+ }
+ }
+ return 0;
+}
+
+extern "C" int wmain(int argc, wchar_t* argv[]) {
+ int dummy = 0x1234;
+
+ auto origHead = SwapThreadLocalStoragePointer(nullptr);
+ // Setting gTheStorage when TLS is null.
+ gTheStorage.set(&dummy);
+ SwapThreadLocalStoragePointer(origHead);
+
+ nsAutoHandle handles[8];
+ for (auto& handle : handles) {
+ handle.own(reinterpret_cast<HANDLE>(
+ ::_beginthreadex(nullptr, 0, TestNonMainThread, nullptr, 0, nullptr)));
+ }
+
+ for (int i = 0; i < 100; ++i) {
+ if (gTheStorage.get() != &dummy) {
+ printf(
+ "TEST-FAILED | TestSafeThreadLocal | "
+ "A value is not correctly stored in the global scope.\n");
+ return 1;
+ }
+ }
+
+ for (auto& handle : handles) {
+ ::WaitForSingleObject(handle, INFINITE);
+
+ DWORD exitCode;
+ if (!::GetExitCodeThread(handle, &exitCode) || exitCode) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
diff --git a/browser/app/winlauncher/test/TestSameBinary.cpp b/browser/app/winlauncher/test/TestSameBinary.cpp
new file mode 100644
index 0000000000..821a9fda89
--- /dev/null
+++ b/browser/app/winlauncher/test/TestSameBinary.cpp
@@ -0,0 +1,253 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <utility>
+
+#include "SameBinary.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Unused.h"
+#include "mozilla/Vector.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "nsWindowsHelpers.h"
+
+#define EXPECT_SAMEBINARY_IS(expected, option, message) \
+ do { \
+ mozilla::LauncherResult<bool> isSame = \
+ mozilla::IsSameBinaryAsParentProcess(option); \
+ if (isSame.isErr()) { \
+ PrintLauncherError(isSame, \
+ "IsSameBinaryAsParentProcess returned error " \
+ "when we were expecting success."); \
+ return 1; \
+ } \
+ if (isSame.unwrap() != expected) { \
+ PrintErrorMsg(message); \
+ return 1; \
+ } \
+ } while (0)
+
+/**
+ * This test involves three processes:
+ * 1. The "Monitor" process, which is executed by |MonitorMain|. This process
+ * is responsible for integrating with the test harness, so it spawns the
+ * "Parent" process (2), and then waits for the other two processes to
+ * finish.
+ * 2. The "Parent" process, which is executed by |ParentMain|. This process
+ * creates the "Child" process (3) and then waits indefinitely.
+ * 3. The "Child" process, which is executed by |ChildMain| and carries out
+ * the actual test. It terminates the Parent process during its execution,
+ * using the Child PID as the Parent process's exit code. This serves as a
+ * hacky yet effective way to signal to the Monitor process which PID it
+ * should wait on to ensure that the Child process has exited.
+ */
+
+static const char kMsgStart[] = "TEST-FAILED | SameBinary | ";
+
+inline void PrintErrorMsg(const char* aMsg) {
+ printf("%s%s\n", kMsgStart, aMsg);
+}
+
+inline void PrintWinError(const char* aMsg) {
+ mozilla::WindowsError err(mozilla::WindowsError::FromLastError());
+ printf("%s%s: %S\n", kMsgStart, aMsg, err.AsString().get());
+}
+
+template <typename T>
+inline void PrintLauncherError(const mozilla::LauncherResult<T>& aResult,
+ const char* aMsg = nullptr) {
+ const char* const kSep = aMsg ? ": " : "";
+ const char* msg = aMsg ? aMsg : "";
+ const mozilla::LauncherError& err = aResult.inspectErr();
+ printf("%s%s%s%S (%s:%d)\n", kMsgStart, msg, kSep,
+ err.mError.AsString().get(), err.mFile, err.mLine);
+}
+
+static int ChildMain(DWORD aExpectedParentPid) {
+ mozilla::LauncherResult<DWORD> parentPid = mozilla::nt::GetParentProcessId();
+ if (parentPid.isErr()) {
+ PrintLauncherError(parentPid);
+ return 1;
+ }
+
+ if (parentPid.inspect() != aExpectedParentPid) {
+ PrintErrorMsg("Unexpected mismatch of parent PIDs");
+ return 1;
+ }
+
+ const DWORD kAccess = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE;
+ nsAutoHandle parentProcess(
+ ::OpenProcess(kAccess, FALSE, parentPid.inspect()));
+ if (!parentProcess) {
+ PrintWinError("Unexpectedly failed to call OpenProcess on parent");
+ return 1;
+ }
+
+ EXPECT_SAMEBINARY_IS(
+ true, mozilla::ImageFileCompareOption::Default,
+ "IsSameBinaryAsParentProcess returned incorrect result for identical "
+ "binaries");
+ EXPECT_SAMEBINARY_IS(
+ true, mozilla::ImageFileCompareOption::CompareNtPathsOnly,
+ "IsSameBinaryAsParentProcess(CompareNtPathsOnly) returned incorrect "
+ "result for identical binaries");
+
+ // Total hack, but who cares? We'll set the parent's exit code as our PID
+ // so that the monitor process knows who to wait for!
+ if (!::TerminateProcess(parentProcess.get(), ::GetCurrentProcessId())) {
+ PrintWinError("Unexpected failure in TerminateProcess");
+ return 1;
+ }
+
+ // Close our handle to the parent process so that no references are held.
+ ::CloseHandle(parentProcess.disown());
+
+ // Querying a pid on a terminated process may still succeed some time after
+ // that process has been terminated. For the purposes of this test, we'll poll
+ // the OS until we cannot succesfully open the parentPid anymore.
+ const uint32_t kMaxAttempts = 100;
+ uint32_t curAttempt = 0;
+ while (HANDLE p = ::OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE,
+ parentPid.inspect())) {
+ ::CloseHandle(p);
+ ::Sleep(100);
+ ++curAttempt;
+ if (curAttempt >= kMaxAttempts) {
+ PrintErrorMsg(
+ "Exhausted retry attempts waiting for parent pid to become invalid");
+ return 1;
+ }
+ }
+
+ EXPECT_SAMEBINARY_IS(
+ false, mozilla::ImageFileCompareOption::Default,
+ "IsSameBinaryAsParentProcess returned incorrect result for dead parent "
+ "process");
+ EXPECT_SAMEBINARY_IS(
+ false, mozilla::ImageFileCompareOption::CompareNtPathsOnly,
+ "IsSameBinaryAsParentProcess(CompareNtPathsOnly) returned incorrect "
+ "result for dead parent process");
+
+ return 0;
+}
+
+static nsReturnRef<HANDLE> CreateSelfProcess(int argc, wchar_t* argv[]) {
+ nsAutoHandle empty;
+
+ DWORD myPid = ::GetCurrentProcessId();
+
+ wchar_t strPid[11] = {};
+#if defined(__MINGW32__)
+ _ultow(myPid, strPid, 16);
+#else
+ if (_ultow_s(myPid, strPid, 16)) {
+ PrintErrorMsg("_ultow_s failed");
+ return empty.out();
+ }
+#endif // defined(__MINGW32__)
+
+ wchar_t* extraArgs[] = {strPid};
+
+ auto cmdLine = mozilla::MakeCommandLine(
+ argc, argv, mozilla::ArrayLength(extraArgs), extraArgs);
+ if (!cmdLine) {
+ PrintErrorMsg("MakeCommandLine failed");
+ return empty.out();
+ }
+
+ STARTUPINFOW si = {sizeof(si)};
+ PROCESS_INFORMATION pi;
+ BOOL ok =
+ ::CreateProcessW(argv[0], cmdLine.get(), nullptr, nullptr, FALSE,
+ CREATE_UNICODE_ENVIRONMENT, nullptr, nullptr, &si, &pi);
+ if (!ok) {
+ PrintWinError("CreateProcess failed");
+ return empty.out();
+ }
+
+ nsAutoHandle proc(pi.hProcess);
+ nsAutoHandle thd(pi.hThread);
+
+ return proc.out();
+}
+
+static int ParentMain(int argc, wchar_t* argv[]) {
+ nsAutoHandle childProc(CreateSelfProcess(argc, argv));
+ if (!childProc) {
+ return 1;
+ }
+
+ if (::WaitForSingleObject(childProc.get(), INFINITE) != WAIT_OBJECT_0) {
+ PrintWinError(
+ "Unexpected result from WaitForSingleObject on child process");
+ return 1;
+ }
+
+ MOZ_ASSERT_UNREACHABLE("This process should be terminated by now");
+ return 0;
+}
+
+static int MonitorMain(int argc, wchar_t* argv[]) {
+ // In this process, "parent" means the process that will be running
+ // ParentMain, which is our child process (confusing, I know...)
+ nsAutoHandle parentProc(CreateSelfProcess(argc, argv));
+ if (!parentProc) {
+ return 1;
+ }
+
+ if (::WaitForSingleObject(parentProc.get(), 60000) != WAIT_OBJECT_0) {
+ PrintWinError("Unexpected result from WaitForSingleObject on parent");
+ return 1;
+ }
+
+ DWORD childPid;
+ if (!::GetExitCodeProcess(parentProc.get(), &childPid)) {
+ PrintWinError("GetExitCodeProcess failed");
+ return 1;
+ }
+
+ nsAutoHandle childProc(::OpenProcess(SYNCHRONIZE, FALSE, childPid));
+ if (!childProc) {
+ // Nothing to wait on anymore, which is OK.
+ return 0;
+ }
+
+ // We want no more references to parentProc
+ ::CloseHandle(parentProc.disown());
+
+ if (::WaitForSingleObject(childProc.get(), 60000) != WAIT_OBJECT_0) {
+ PrintWinError("Unexpected result from WaitForSingleObject on child");
+ return 1;
+ }
+
+ return 0;
+}
+
+extern "C" int wmain(int argc, wchar_t* argv[]) {
+ if (argc == 3) {
+ return ChildMain(wcstoul(argv[2], nullptr, 16));
+ }
+
+ if (!mozilla::SetArgv0ToFullBinaryPath(argv)) {
+ return 1;
+ }
+
+ if (argc == 1) {
+ return MonitorMain(argc, argv);
+ }
+
+ if (argc == 2) {
+ return ParentMain(argc, argv);
+ }
+
+ PrintErrorMsg("Unexpected argc");
+ return 1;
+}
diff --git a/browser/app/winlauncher/test/moz.build b/browser/app/winlauncher/test/moz.build
new file mode 100644
index 0000000000..e53a113279
--- /dev/null
+++ b/browser/app/winlauncher/test/moz.build
@@ -0,0 +1,29 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DisableStlWrapping()
+
+GeckoCppUnitTests(
+ [
+ 'TestSafeThreadLocal',
+ 'TestSameBinary',
+ ],
+ linkage=None
+)
+
+LOCAL_INCLUDES += [
+ '/browser/app/winlauncher',
+]
+
+OS_LIBS += [
+ 'ntdll',
+]
+
+if CONFIG['CC_TYPE'] in ('gcc', 'clang'):
+ # This allows us to use wmain as the entry point on mingw
+ LDFLAGS += [
+ '-municode',
+ ]