The Tor Browser / annotate

browser/metro/base/content/pages/aboutCertError.xhtml@b8a032363ba2 (annotated)

browser/metro/base/content/pages/aboutCertError.xhtml

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 <?xml version="1.0" encoding="UTF-8"?>
michael@0 2
michael@0 3 <!DOCTYPE html [
michael@0 4 <!ENTITY % htmlDTD
michael@0 5 PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
michael@0 6 "DTD/xhtml1-strict.dtd">
michael@0 7 %htmlDTD;
michael@0 8 <!ENTITY % globalDTD
michael@0 9 SYSTEM "chrome://global/locale/global.dtd">
michael@0 10 %globalDTD;
michael@0 11 <!ENTITY % certerrorDTD
michael@0 12 SYSTEM "chrome://browser/locale/aboutCertError.dtd">
michael@0 13 %certerrorDTD;
michael@0 14 ]>
michael@0 15
michael@0 16 <!-- This Source Code Form is subject to the terms of the Mozilla Public
michael@0 17 - License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 18 - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
michael@0 19 <html xmlns="http://www.w3.org/1999/xhtml">
michael@0 20 <head>
michael@0 21 <title>&certerror.pagetitle;</title>
michael@0 22 <meta name="viewport" content="width=device-width; user-scalable=false" />
michael@0 23 <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
michael@0 24 <!-- This page currently uses the same favicon as neterror.xhtml.
michael@0 25 If the location of the favicon is changed for both pages, the
michael@0 26 FAVICON_ERRORPAGE_URL symbol in toolkit/components/places/src/nsFaviconService.h
michael@0 27 should be updated. If this page starts using a different favicon
michael@0 28 than neterror, nsFaviconService->SetAndFetchFaviconForPage
michael@0 29 should be updated to ignore this one as well. -->
michael@0 30 <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/warning-16.png"/>
michael@0 31
michael@0 32 <script type="application/javascript"><![CDATA[
michael@0 33 // Error url MUST be formatted like this:
michael@0 34 // about:certerror?e=error&u=url&d=desc
michael@0 35
michael@0 36 // Note that this file uses document.documentURI to get
michael@0 37 // the URL (with the format from above). This is because
michael@0 38 // document.location.href gets the current URI off the docshell,
michael@0 39 // which is the URL displayed in the location bar, i.e.
michael@0 40 // the URI that the user attempted to load.
michael@0 41
michael@0 42 function getCSSClass()
michael@0 43 {
michael@0 44 var url = document.documentURI;
michael@0 45 var matches = url.match(/s\=([^&]+)\&/);
michael@0 46 // s is optional, if no match just return nothing
michael@0 47 if (!matches || matches.length < 2)
michael@0 48 return "";
michael@0 49
michael@0 50 // parenthetical match is the second entry
michael@0 51 return decodeURIComponent(matches[1]);
michael@0 52 }
michael@0 53
michael@0 54 function getDescription()
michael@0 55 {
michael@0 56 var url = document.documentURI;
michael@0 57 var desc = url.search(/d\=/);
michael@0 58
michael@0 59 // desc == -1 if not found; if so, return an empty string
michael@0 60 // instead of what would turn out to be portions of the URI
michael@0 61 if (desc == -1)
michael@0 62 return "";
michael@0 63
michael@0 64 return decodeURIComponent(url.slice(desc + 2));
michael@0 65 }
michael@0 66
michael@0 67 function initPage()
michael@0 68 {
michael@0 69 // Replace the "#1" string in the intro with the hostname. Trickier
michael@0 70 // than it might seem since we want to preserve the <b> tags, but
michael@0 71 // not allow for any injection by just using innerHTML. Instead,
michael@0 72 // just find the right target text node.
michael@0 73 var intro = document.getElementById('introContentP1');
michael@0 74 function replaceWithHost(node) {
michael@0 75 if (node.textContent == "#1")
michael@0 76 node.textContent = location.host;
michael@0 77 else
michael@0 78 for(var i = 0; i < node.childNodes.length; i++)
michael@0 79 replaceWithHost(node.childNodes[i]);
michael@0 80 };
michael@0 81 replaceWithHost(intro);
michael@0 82
michael@0 83 if (getCSSClass() == "expertBadCert") {
michael@0 84 toggle('technicalContent');
michael@0 85 toggle('expertContent');
michael@0 86 }
michael@0 87
michael@0 88 var tech = document.getElementById("technicalContentText");
michael@0 89 if (tech)
michael@0 90 tech.textContent = getDescription();
michael@0 91
michael@0 92 addDomainErrorLink();
michael@0 93 }
michael@0 94
michael@0 95 /* In the case of SSL error pages about domain mismatch, see if
michael@0 96 we can hyperlink the user to the correct site. We don't want
michael@0 97 to do this generically since it allows MitM attacks to redirect
michael@0 98 users to a site under attacker control, but in certain cases
michael@0 99 it is safe (and helpful!) to do so. Bug 402210
michael@0 100 */
michael@0 101 function addDomainErrorLink() {
michael@0 102 // Rather than textContent, we need to treat description as HTML
michael@0 103 var sd = document.getElementById("technicalContentText");
michael@0 104 if (sd) {
michael@0 105 var desc = getDescription();
michael@0 106
michael@0 107 // sanitize description text - see bug 441169
michael@0 108
michael@0 109 // First, find the index of the <a> tag we care about, being careful not to
michael@0 110 // use an over-greedy regex
michael@0 111 var re = /<a id="cert_domain_link" title="([^"]+)">/;
michael@0 112 var result = re.exec(desc);
michael@0 113 if(!result)
michael@0 114 return;
michael@0 115
michael@0 116 // Remove sd's existing children
michael@0 117 sd.textContent = "";
michael@0 118
michael@0 119 // Everything up to the link should be text content
michael@0 120 sd.appendChild(document.createTextNode(desc.slice(0, result.index)));
michael@0 121
michael@0 122 // Now create the link itself
michael@0 123 var anchorEl = document.createElement("a");
michael@0 124 anchorEl.setAttribute("id", "cert_domain_link");
michael@0 125 anchorEl.setAttribute("title", result[1]);
michael@0 126 anchorEl.appendChild(document.createTextNode(result[1]));
michael@0 127 sd.appendChild(anchorEl);
michael@0 128
michael@0 129 // Finally, append text for anything after the closing </a>
michael@0 130 sd.appendChild(document.createTextNode(desc.slice(desc.indexOf("</a>") + "</a>".length)));
michael@0 131 }
michael@0 132
michael@0 133 var link = document.getElementById('cert_domain_link');
michael@0 134 if (!link)
michael@0 135 return;
michael@0 136
michael@0 137 var okHost = link.getAttribute("title");
michael@0 138 var thisHost = document.location.hostname;
michael@0 139 var proto = document.location.protocol;
michael@0 140
michael@0 141 // If okHost is a wildcard domain ("*.example.com") let's
michael@0 142 // use "www" instead. "*.example.com" isn't going to
michael@0 143 // get anyone anywhere useful. bug 432491
michael@0 144 okHost = okHost.replace(/^\*\./, "www.");
michael@0 145
michael@0 146 /* case #1:
michael@0 147 * example.com uses an invalid security certificate.
michael@0 148 *
michael@0 149 * The certificate is only valid for www.example.com
michael@0 150 *
michael@0 151 * Make sure to include the "." ahead of thisHost so that
michael@0 152 * a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com"
michael@0 153 *
michael@0 154 * We'd normally just use a RegExp here except that we lack a
michael@0 155 * library function to escape them properly (bug 248062), and
michael@0 156 * domain names are famous for having '.' characters in them,
michael@0 157 * which would allow spurious and possibly hostile matches.
michael@0 158 */
michael@0 159 if (endsWith(okHost, "." + thisHost))
michael@0 160 link.href = proto + okHost;
michael@0 161
michael@0 162 /* case #2:
michael@0 163 * browser.garage.maemo.org uses an invalid security certificate.
michael@0 164 *
michael@0 165 * The certificate is only valid for garage.maemo.org
michael@0 166 */
michael@0 167 if (endsWith(thisHost, "." + okHost))
michael@0 168 link.href = proto + okHost;
michael@0 169
michael@0 170 // If we set a link, meaning there's something helpful for
michael@0 171 // the user here, expand the section by default
michael@0 172 if (link.href && getCSSClass() != "expertBadCert")
michael@0 173 toggle("technicalContent");
michael@0 174 }
michael@0 175
michael@0 176 function endsWith(haystack, needle) {
michael@0 177 return haystack.slice(-needle.length) == needle;
michael@0 178 }
michael@0 179
michael@0 180 function toggle(id) {
michael@0 181 var element = document.getElementById(id);
michael@0 182 if (element.hasAttribute("collapsed")) {
michael@0 183 element.removeAttribute("collapsed");
michael@0 184 } else {
michael@0 185 element.setAttribute("collapsed", true);
michael@0 186 }
michael@0 187 }
michael@0 188 ]]></script>
michael@0 189 </head>
michael@0 190
michael@0 191 <body id="errorPage" class="certerror" dir="&locale.dir;">
michael@0 192 <div class="top-decoration"></div>
michael@0 193
michael@0 194 <!-- PAGE CONTAINER (for styling purposes only) -->
michael@0 195 <div id="errorPageContainer" class="section">
michael@0 196
michael@0 197 <!-- Error Title -->
michael@0 198 <div id="errorTitle" class="section-header">
michael@0 199 <span id="errorTitleIcon"></span>
michael@0 200 <h1 class="errorTitleText">&certerror.longpagetitle;</h1>
michael@0 201 </div>
michael@0 202
michael@0 203 <!-- LONG CONTENT (the section most likely to require scrolling) -->
michael@0 204 <div id="errorLongContent" class="section-details">
michael@0 205 <div id="introContent">
michael@0 206 <p id="introContentP1">&certerror.introPara1;</p>
michael@0 207 </div>
michael@0 208
michael@0 209 <div id="whatShouldIDoContent">
michael@0 210 <h2>&certerror.whatShouldIDo.heading;</h2>
michael@0 211 <div id="whatShouldIDoContentText">
michael@0 212 <p>&certerror.whatShouldIDo.content;</p>
michael@0 213 <xul:button xmlns:xul='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul' id='getMeOutOfHereButton' label='&certerror.getMeOutOfHere.label;'/>
michael@0 214 </div>
michael@0 215 </div>
michael@0 216
michael@0 217 <!-- The following sections can be unhidden by default by setting the
michael@0 218 "browser.xul.error_pages.expert_bad_cert" pref to true -->
michael@0 219 <div id="technicalContent" class="expandable-section" collapsed="true">
michael@0 220 <h2 onclick="toggle('technicalContent');" id="technicalContentHeading" class="expandable-heading">&certerror.technical.heading;</h2>
michael@0 221 <p class="expandable-content" id="technicalContentText"/>
michael@0 222 </div>
michael@0 223
michael@0 224 <div id="expertContent" class="expandable-section" collapsed="true">
michael@0 225 <h2 onclick="toggle('expertContent');" id="expertContentHeading" class="expandable-heading">&certerror.expert.heading;</h2>
michael@0 226 <div class="expandable-content">
michael@0 227 <p>&certerror.expert.content;</p>
michael@0 228 <p>&certerror.expert.contentPara2;</p>
michael@0 229 <xul:button xmlns:xul='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul' id='temporaryExceptionButton' label='&certerror.addTemporaryException.label;'/>
michael@0 230 <xul:button xmlns:xul='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul' id='permanentExceptionButton' label='&certerror.addPermanentException.label;'/>
michael@0 231 </div>
michael@0 232 </div>
michael@0 233 </div>
michael@0 234
michael@0 235 </div>
michael@0 236 <!--
michael@0 237 - Note: It is important to run the script this way, instead of using
michael@0 238 - an onload handler. This is because error pages are loaded as
michael@0 239 - LOAD_BACKGROUND, which means that onload handlers will not be executed.
michael@0 240 -->
michael@0 241 <script type="application/javascript">initPage();</script>
michael@0 242
michael@0 243 </body>
michael@0 244 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial