diff options
Diffstat (limited to 'docshell/resources/content')
-rw-r--r-- | docshell/resources/content/jar.mn | 7 | ||||
-rw-r--r-- | docshell/resources/content/moz.build | 7 | ||||
-rw-r--r-- | docshell/resources/content/netError.js | 286 | ||||
-rw-r--r-- | docshell/resources/content/netError.xhtml | 132 |
4 files changed, 432 insertions, 0 deletions
diff --git a/docshell/resources/content/jar.mn b/docshell/resources/content/jar.mn new file mode 100644 index 0000000000..5b9ae94fca --- /dev/null +++ b/docshell/resources/content/jar.mn @@ -0,0 +1,7 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +toolkit.jar: + content/global/netError.xhtml + content/global/netError.js diff --git a/docshell/resources/content/moz.build b/docshell/resources/content/moz.build new file mode 100644 index 0000000000..d988c0ff9b --- /dev/null +++ b/docshell/resources/content/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +JAR_MANIFESTS += ["jar.mn"] diff --git a/docshell/resources/content/netError.js b/docshell/resources/content/netError.js new file mode 100644 index 0000000000..a8569c5ce0 --- /dev/null +++ b/docshell/resources/content/netError.js @@ -0,0 +1,286 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Error url MUST be formatted like this: +// moz-neterror:page?e=error&u=url&d=desc +// +// or optionally, to specify an alternate CSS class to allow for +// custom styling and favicon: +// +// moz-neterror:page?e=error&u=url&s=classname&d=desc + +// Note that this file uses document.documentURI to get +// the URL (with the format from above). This is because +// document.location.href gets the current URI off the docshell, +// which is the URL displayed in the location bar, i.e. +// the URI that the user attempted to load. + +function getErrorCode() { + var url = document.documentURI; + var error = url.search(/e\=/); + var duffUrl = url.search(/\&u\=/); + return decodeURIComponent(url.slice(error + 2, duffUrl)); +} + +function getCSSClass() { + var url = document.documentURI; + var matches = url.match(/s\=([^&]+)\&/); + // s is optional, if no match just return nothing + if (!matches || matches.length < 2) { + return ""; + } + + // parenthetical match is the second entry + return decodeURIComponent(matches[1]); +} + +function getDescription() { + var url = document.documentURI; + var desc = url.search(/d\=/); + + // desc == -1 if not found; if so, return an empty string + // instead of what would turn out to be portions of the URI + if (desc == -1) { + return ""; + } + + return decodeURIComponent(url.slice(desc + 2)); +} + +function retryThis(buttonEl) { + // Note: The application may wish to handle switching off "offline mode" + // before this event handler runs, but using a capturing event handler. + + // Session history has the URL of the page that failed + // to load, not the one of the error page. So, just call + // reload(), which will also repost POST data correctly. + try { + location.reload(); + } catch (e) { + // We probably tried to reload a URI that caused an exception to + // occur; e.g. a nonexistent file. + } + + buttonEl.disabled = true; +} + +function initPage() { + var err = getErrorCode(); + + // if it's an unknown error or there's no title or description + // defined, get the generic message + var errTitle = document.getElementById("et_" + err); + var errDesc = document.getElementById("ed_" + err); + if (!errTitle || !errDesc) { + errTitle = document.getElementById("et_generic"); + errDesc = document.getElementById("ed_generic"); + } + + var title = document.getElementById("errorTitleText"); + if (title) { + title.parentNode.replaceChild(errTitle, title); + // change id to the replaced child's id so styling works + errTitle.id = "errorTitleText"; + } + + var sd = document.getElementById("errorShortDescText"); + if (sd) { + sd.textContent = getDescription(); + } + + var ld = document.getElementById("errorLongDesc"); + if (ld) { + ld.parentNode.replaceChild(errDesc, ld); + // change id to the replaced child's id so styling works + errDesc.id = "errorLongDesc"; + } + + // remove undisplayed errors to avoid bug 39098 + var errContainer = document.getElementById("errorContainer"); + errContainer.remove(); + + var className = getCSSClass(); + if (className && className != "expertBadCert") { + // Associate a CSS class with the root of the page, if one was passed in, + // to allow custom styling. + // Not "expertBadCert" though, don't want to deal with the favicon + document.documentElement.className = className; + + // Also, if they specified a CSS class, they must supply their own + // favicon. In order to trigger the browser to repaint though, we + // need to remove/add the link element. + var favicon = document.getElementById("favicon"); + var faviconParent = favicon.parentNode; + faviconParent.removeChild(favicon); + favicon.setAttribute( + "href", + "chrome://global/skin/icons/" + className + "_favicon.png" + ); + faviconParent.appendChild(favicon); + } + if (className == "expertBadCert") { + showSecuritySection(); + } + + if (err == "remoteXUL") { + // Remove the "Try again" button for remote XUL errors given that + // it is useless. + document.getElementById("errorTryAgain").style.display = "none"; + } + + if (err == "cspBlocked" || err == "xfoBlocked") { + // Remove the "Try again" button for XFO and CSP violations, since it's + // almost certainly useless. (Bug 553180) + document.getElementById("errorTryAgain").style.display = "none"; + } + + if (err == "nssBadCert") { + // Remove the "Try again" button for security exceptions, since it's + // almost certainly useless. + document.getElementById("errorTryAgain").style.display = "none"; + document + .getElementById("errorPageContainer") + .setAttribute("class", "certerror"); + addDomainErrorLink(); + } else { + // Remove the override block for non-certificate errors. CSS-hiding + // isn't good enough here, because of bug 39098 + var secOverride = document.getElementById("securityOverrideDiv"); + secOverride.remove(); + } + + if (err == "inadequateSecurityError" || err == "blockedByPolicy") { + // Remove the "Try again" button from pages that don't need it. + // For HTTP/2 inadequate security or pages blocked by policy, trying + // again won't help. + document.getElementById("errorTryAgain").style.display = "none"; + + var container = document.getElementById("errorLongDesc"); + for (var span of container.querySelectorAll("span.hostname")) { + span.textContent = document.location.hostname; + } + } + + if (document.getElementById("errorTryAgain").style.display != "none") { + addAutofocus("errorTryAgain"); + } +} + +function showSecuritySection() { + // Swap link out, content in + document.getElementById("securityOverrideContent").style.display = ""; + document.getElementById("securityOverrideLink").style.display = "none"; +} + +/* In the case of SSL error pages about domain mismatch, see if + we can hyperlink the user to the correct site. We don't want + to do this generically since it allows MitM attacks to redirect + users to a site under attacker control, but in certain cases + it is safe (and helpful!) to do so. Bug 402210 + */ +function addDomainErrorLink() { + // Rather than textContent, we need to treat description as HTML + var sd = document.getElementById("errorShortDescText"); + if (sd) { + var desc = getDescription(); + + // sanitize description text - see bug 441169 + + // First, find the index of the <a> tag we care about, being careful not to + // use an over-greedy regex + var re = /<a id="cert_domain_link" title="([^"]+)">/; + var result = re.exec(desc); + if (!result) { + return; + } + + // Remove sd's existing children + sd.textContent = ""; + + // Everything up to the link should be text content + sd.appendChild(document.createTextNode(desc.slice(0, result.index))); + + // Now create the link itself + var anchorEl = document.createElement("a"); + anchorEl.setAttribute("id", "cert_domain_link"); + anchorEl.setAttribute("title", result[1]); + anchorEl.appendChild(document.createTextNode(result[1])); + sd.appendChild(anchorEl); + + // Finally, append text for anything after the closing </a> + sd.appendChild( + document.createTextNode(desc.slice(desc.indexOf("</a>") + "</a>".length)) + ); + } + + var link = document.getElementById("cert_domain_link"); + if (!link) { + return; + } + + var okHost = link.getAttribute("title"); + var thisHost = document.location.hostname; + var proto = document.location.protocol; + + // If okHost is a wildcard domain ("*.example.com") let's + // use "www" instead. "*.example.com" isn't going to + // get anyone anywhere useful. bug 432491 + okHost = okHost.replace(/^\*\./, "www."); + + /* case #1: + * example.com uses an invalid security certificate. + * + * The certificate is only valid for www.example.com + * + * Make sure to include the "." ahead of thisHost so that + * a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com" + * + * We'd normally just use a RegExp here except that we lack a + * library function to escape them properly (bug 248062), and + * domain names are famous for having '.' characters in them, + * which would allow spurious and possibly hostile matches. + */ + if (endsWith(okHost, "." + thisHost)) { + link.href = proto + okHost; + } + + /* case #2: + * browser.garage.maemo.org uses an invalid security certificate. + * + * The certificate is only valid for garage.maemo.org + */ + if (endsWith(thisHost, "." + okHost)) { + link.href = proto + okHost; + } +} + +function endsWith(haystack, needle) { + return haystack.slice(-needle.length) == needle; +} + +/* Only do autofocus if we're the toplevel frame; otherwise we + don't want to call attention to ourselves! The key part is + that autofocus happens on insertion into the tree, so we + can remove the button, add @autofocus, and reinsert the + button. + */ +function addAutofocus(buttonId, position = "afterbegin") { + if (window.top == window) { + var button = document.getElementById(buttonId); + var parent = button.parentNode; + button.remove(); + button.setAttribute("autofocus", "true"); + parent.insertAdjacentElement(position, button); + } +} + +let errorTryAgain = document.getElementById("errorTryAgain"); +errorTryAgain.addEventListener("click", function() { + retryThis(this); +}); + +// Note: It is important to run the script this way, instead of using +// an onload handler. This is because error pages are loaded as +// LOAD_BACKGROUND, which means that onload handlers will not be executed. +initPage(); diff --git a/docshell/resources/content/netError.xhtml b/docshell/resources/content/netError.xhtml new file mode 100644 index 0000000000..48b263d8c8 --- /dev/null +++ b/docshell/resources/content/netError.xhtml @@ -0,0 +1,132 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!DOCTYPE html [ + <!ENTITY % htmlDTD + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "DTD/xhtml1-strict.dtd"> + %htmlDTD; + <!ENTITY % netErrorAppDTD + SYSTEM "chrome://global/locale/netErrorApp.dtd"> + %netErrorAppDTD; + <!ENTITY % netErrorDTD + SYSTEM "chrome://global/locale/netError.dtd"> + %netErrorDTD; + <!ENTITY % globalDTD + SYSTEM "chrome://global/locale/global.dtd"> + %globalDTD; +]> + +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'" /> + <title>&loadError.label;</title> + <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" /> + <!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in + toolkit/components/places/src/nsFaviconService.h should be updated. --> + <link rel="icon" id="favicon" href="chrome://global/skin/icons/warning.svg"/> + </head> + + <body dir="&locale.dir;"> + + <!-- ERROR ITEM CONTAINER (removed during loading to avoid bug 39098) --> + <div id="errorContainer"> + <div id="errorTitlesContainer"> + <h1 id="et_generic">&generic.title;</h1> + <h1 id="et_dnsNotFound">&dnsNotFound.title;</h1> + <h1 id="et_fileNotFound">&fileNotFound.title;</h1> + <h1 id="et_fileAccessDenied">&fileAccessDenied.title;</h1> + <h1 id="et_malformedURI">&malformedURI.title;</h1> + <h1 id="et_unknownProtocolFound">&unknownProtocolFound.title;</h1> + <h1 id="et_connectionFailure">&connectionFailure.title;</h1> + <h1 id="et_netTimeout">&netTimeout.title;</h1> + <h1 id="et_redirectLoop">&redirectLoop.title;</h1> + <h1 id="et_unknownSocketType">&unknownSocketType.title;</h1> + <h1 id="et_netReset">&netReset.title;</h1> + <h1 id="et_notCached">¬Cached.title;</h1> + <h1 id="et_netOffline">&netOffline.title;</h1> + <h1 id="et_netInterrupt">&netInterrupt.title;</h1> + <h1 id="et_deniedPortAccess">&deniedPortAccess.title;</h1> + <h1 id="et_proxyResolveFailure">&proxyResolveFailure.title;</h1> + <h1 id="et_proxyConnectFailure">&proxyConnectFailure.title;</h1> + <h1 id="et_contentEncodingError">&contentEncodingError.title;</h1> + <h1 id="et_unsafeContentType">&unsafeContentType.title;</h1> + <h1 id="et_nssFailure2">&nssFailure2.title;</h1> + <h1 id="et_nssBadCert">&nssBadCert.title;</h1> + <h1 id="et_cspBlocked">&cspBlocked.title;</h1> + <h1 id="et_xfoBlocked">&xfoBlocked.title;</h1> + <h1 id="et_remoteXUL">&remoteXUL.title;</h1> + <h1 id="et_corruptedContentErrorv2">&corruptedContentErrorv2.title;</h1> + <h1 id="et_inadequateSecurityError">&inadequateSecurityError.title;</h1> + <h1 id="et_blockedByPolicy">&blockedByPolicy.title;</h1> + <h1 id="et_networkProtocolError">&networkProtocolError.title;</h1> + </div> + <div id="errorDescriptionsContainer"> + <div id="ed_generic">&generic.longDesc;</div> + <div id="ed_dnsNotFound">&dnsNotFound.longDesc;</div> + <div id="ed_fileNotFound">&fileNotFound.longDesc;</div> + <div id="ed_fileAccessDenied">&fileAccessDenied.longDesc;</div> + <div id="ed_malformedURI">&malformedURI.longDesc;</div> + <div id="ed_unknownProtocolFound">&unknownProtocolFound.longDesc;</div> + <div id="ed_connectionFailure">&connectionFailure.longDesc;</div> + <div id="ed_netTimeout">&netTimeout.longDesc;</div> + <div id="ed_redirectLoop">&redirectLoop.longDesc;</div> + <div id="ed_unknownSocketType">&unknownSocketType.longDesc;</div> + <div id="ed_netReset">&netReset.longDesc;</div> + <div id="ed_notCached">¬Cached.longDesc;</div> + <div id="ed_netOffline">&netOffline.longDesc2;</div> + <div id="ed_netInterrupt">&netInterrupt.longDesc;</div> + <div id="ed_deniedPortAccess">&deniedPortAccess.longDesc;</div> + <div id="ed_proxyResolveFailure">&proxyResolveFailure.longDesc;</div> + <div id="ed_proxyConnectFailure">&proxyConnectFailure.longDesc;</div> + <div id="ed_contentEncodingError">&contentEncodingError.longDesc;</div> + <div id="ed_unsafeContentType">&unsafeContentType.longDesc;</div> + <div id="ed_nssFailure2">&nssFailure2.longDesc2;</div> + <div id="ed_nssBadCert">&nssBadCert.longDesc2;</div> + <div id="ed_cspBlocked">&cspBlocked.longDesc;</div> + <div id="ed_xfoBlocked">&xfoBlocked.longDesc;</div> + <div id="ed_remoteXUL">&remoteXUL.longDesc;</div> + <div id="ed_corruptedContentErrorv2">&corruptedContentErrorv2.longDesc;</div> + <div id="ed_inadequateSecurityError">&inadequateSecurityError.longDesc;</div> + <div id="ed_blockedByPolicy"></div> + <div id="ed_networkProtocolError">&networkProtocolError.longDesc;</div> + </div> + </div> + + <!-- PAGE CONTAINER (for styling purposes only) --> + <div id="errorPageContainer"> + + <!-- Error Title --> + <div id="errorTitle"> + <h1 id="errorTitleText" /> + </div> + + <!-- LONG CONTENT (the section most likely to require scrolling) --> + <div id="errorLongContent"> + + <!-- Short Description --> + <div id="errorShortDesc"> + <p id="errorShortDescText" /> + </div> + + <!-- Long Description (Note: See netError.dtd for used XHTML tags) --> + <div id="errorLongDesc" /> + + <!-- Override section - For ssl errors only. Removed on init for other + error types. --> + <div id="securityOverrideDiv"> + <a id="securityOverrideLink" href="javascript:showSecuritySection();" >&securityOverride.linkText;</a> + <div id="securityOverrideContent">&securityOverride.warningContent;</div> + </div> + </div> + + <!-- Retry Button --> + <button id="errorTryAgain" autocomplete="off">&retry.label;</button> + </div> + + <script src="chrome://global/content/netError.js"/> + </body> +</html> |