b2g/chrome/content/aboutCertError.xhtml

changeset 0
6474c204b198
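--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/b2g/chrome/content/aboutCertError.xhtml	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,233 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!DOCTYPE html [
+  <!ENTITY % htmlDTD
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "DTD/xhtml1-strict.dtd">
+  %htmlDTD;
+  <!ENTITY % globalDTD
+    SYSTEM "chrome://global/locale/global.dtd">
+  %globalDTD;
+  <!ENTITY % certerrorDTD
+    SYSTEM "chrome://b2g-l10n/locale/aboutCertError.dtd">
+  %certerrorDTD;
+]>
+
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>&certerror.pagetitle;</title>
+    <meta name="viewport" content="width=device-width; user-scalable=false" />
+    <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
+    <!-- This page currently uses the same favicon as neterror.xhtml.
+         If the location of the favicon is changed for both pages, the
+         FAVICON_ERRORPAGE_URL symbol in toolkit/components/places/src/nsFaviconService.h
+         should be updated. If this page starts using a different favicon
+         than neterrorm nsFaviconService->SetAndLoadFaviconForPage
+         should be updated to ignore this one as well. -->
+    <link rel="icon" type="image/png" id="favicon" sizes="64x64" href="chrome://global/skin/icons/warning-64.png"/>
+
+    <script type="application/javascript"><![CDATA[
+      // Error url MUST be formatted like this:
+      //   about:certerror?e=error&u=url&d=desc
+
+      // Note that this file uses document.documentURI to get
+      // the URL (with the format from above). This is because
+      // document.location.href gets the current URI off the docshell,
+      // which is the URL displayed in the location bar, i.e.
+      // the URI that the user attempted to load.
+
+      function getCSSClass()
+      {
+        var url = document.documentURI;
+        var matches = url.match(/s\=([^&]+)\&/);
+        // s is optional, if no match just return nothing
+        if (!matches || matches.length < 2)
+          return "";
+
+        // parenthetical match is the second entry
+        return decodeURIComponent(matches[1]);
+      }
+
+      function getDescription()
+      {
+        var url = document.documentURI;
+        var desc = url.search(/d\=/);
+
+        // desc == -1 if not found; if so, return an empty string
+        // instead of what would turn out to be portions of the URI
+        if (desc == -1)
+          return "";
+
+        return decodeURIComponent(url.slice(desc + 2));
+      }
+
+      function initPage()
+      {
+        // Replace the "#1" string in the intro with the hostname.  Trickier
+        // than it might seem since we want to preserve the <b> tags, but
+        // not allow for any injection by just using innerHTML.  Instead,
+        // just find the right target text node.
+        var intro = document.getElementById('introContentP1');
+        function replaceWithHost(node) {
+          if (node.textContent == "#1")
+            node.textContent = location.host;
+          else
+            for(var i = 0; i < node.childNodes.length; i++)
+              replaceWithHost(node.childNodes[i]);
+        };
+        replaceWithHost(intro);
+
+        if (getCSSClass() == "expertBadCert") {
+          toggle('technicalContent');
+          toggle('expertContent');
+        }
+
+        var tech = document.getElementById("technicalContentText");
+        if (tech)
+          tech.textContent = getDescription();
+
+        addDomainErrorLink();
+      }
+
+      /* In the case of SSL error pages about domain mismatch, see if
+         we can hyperlink the user to the correct site.  We don't want
+         to do this generically since it allows MitM attacks to redirect
+         users to a site under attacker control, but in certain cases
+         it is safe (and helpful!) to do so.  Bug 402210
+      */
+      function addDomainErrorLink() {
+        // Rather than textContent, we need to treat description as HTML
+        var sd = document.getElementById("technicalContentText");
+        if (sd) {
+          var desc = getDescription();
+
+          // sanitize description text - see bug 441169
+
+          // First, find the index of the <a> tag we care about, being careful not to
+          // use an over-greedy regex
+          var re = /<a id="cert_domain_link" title="([^"]+)">/;
+          var result = re.exec(desc);
+          if(!result)
+            return;
+
+          // Remove sd's existing children
+          sd.textContent = "";
+
+          // Everything up to the link should be text content
+          sd.appendChild(document.createTextNode(desc.slice(0, result.index)));
+
+          // Now create the link itself
+          var anchorEl = document.createElement("a");
+          anchorEl.setAttribute("id", "cert_domain_link");
+          anchorEl.setAttribute("title", result[1]);
+          anchorEl.appendChild(document.createTextNode(result[1]));
+          sd.appendChild(anchorEl);
+
+          // Finally, append text for anything after the closing </a>
+          sd.appendChild(document.createTextNode(desc.slice(desc.indexOf("</a>") + "</a>".length)));
+        }
+
+        var link = document.getElementById('cert_domain_link');
+        if (!link)
+          return;
+
+        var okHost = link.getAttribute("title");
+        var thisHost = document.location.hostname;
+        var proto = document.location.protocol;
+
+        // If okHost is a wildcard domain ("*.example.com") let's
+        // use "www" instead.  "*.example.com" isn't going to
+        // get anyone anywhere useful. bug 432491
+        okHost = okHost.replace(/^\*\./, "www.");
+
+        /* case #1:
+         * example.com uses an invalid security certificate.
+         *
+         * The certificate is only valid for www.example.com
+         *
+         * Make sure to include the "." ahead of thisHost so that
+         * a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com"
+         *
+         * We'd normally just use a RegExp here except that we lack a
+         * library function to escape them properly (bug 248062), and
+         * domain names are famous for having '.' characters in them,
+         * which would allow spurious and possibly hostile matches.
+         */
+        if (endsWith(okHost, "." + thisHost))
+          link.href = proto + okHost;
+
+        /* case #2:
+         * browser.garage.maemo.org uses an invalid security certificate.
+         *
+         * The certificate is only valid for garage.maemo.org
+         */
+        if (endsWith(thisHost, "." + okHost))
+          link.href = proto + okHost;
+
+        // If we set a link, meaning there's something helpful for
+        // the user here, expand the section by default
+        if (link.href && getCSSClass() != "expertBadCert")
+          toggle("technicalContent");
+      }
+
+      function endsWith(haystack, needle) {
+        return haystack.slice(-needle.length) == needle;
+      }
+
+      function toggle(id) {
+        var el = document.getElementById(id);
+        if (el.getAttribute("collapsed"))
+          el.setAttribute("collapsed", false);
+        else
+          el.setAttribute("collapsed", true);
+      }
+    ]]></script>
+  </head>
+
+  <body id="errorPage" class="certerror" dir="&locale.dir;">
+
+   <!-- Error Title -->
+   <div id="errorTitle">
+     <h1 class="errorTitleText">&certerror.longpagetitle;</h1>
+   </div>
+
+    <!-- PAGE CONTAINER (for styling purposes only) -->
+    <div id="errorPageContainer">
+
+      <!-- LONG CONTENT (the section most likely to require scrolling) -->
+      <div id="errorLongContent">
+        <div id="introContent">
+          <p id="introContentP1">&certerror.introPara1;</p>
+        </div>
+
+        <!-- The following sections can be unhidden by default by setting the
+             "browser.xul.error_pages.expert_bad_cert" pref to true -->
+        <div id="technicalContent" collapsed="true">
+          <h2 onclick="toggle('technicalContent');" id="technicalContentHeading">&certerror.technical.heading;</h2>
+          <p id="technicalContentText"/>
+        </div>
+
+        <div id="expertContent" collapsed="true">
+          <h2 onclick="toggle('expertContent');" id="expertContentHeading">&certerror.expert.heading;</h2>
+          <div>
+            <p>&certerror.expert.content;</p>
+            <p>&certerror.expert.contentPara2;</p>
+            <button id="temporaryExceptionButton">&certerror.addTemporaryException.label;</button>
+            <button id="permanentExceptionButton">&certerror.addPermanentException.label;</button>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!--
+    - Note: It is important to run the script this way, instead of using
+    - an onload handler. This is because error pages are loaded as
+    - LOAD_BACKGROUND, which means that onload handlers will not be executed.
+    -->
+    <script type="application/javascript">initPage();</script>
+
+  </body>
+</html>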
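Review bot: In addDomainErrorLink, `okHost` is the `title` value captured from the `d=` description and reaches `link.href` after only a suffix comparison, so in case #1 everything ahead of `"." + thisHost` is never checked to be hostname characters. The description presumably carries names from the presented certificate, which whoever serves the bad certificate chooses, so I would reject anything that is not a plain hostname right after the wildcard replacement, e.g. `if (!/^[A-Za-z0-9.-]+$/.test(okHost)) return;`. Separately, `desc.indexOf("</a>")` returns -1 when the closing tag is absent, which makes the final `slice` start at index 3 and re-append most of the description; searching from `result.index + result[0].length` and returning on -1 avoids that. In `toggle`, `setAttribute("collapsed", false)` stores the string "false", which `getAttribute` then reports as truthy, so a section cannot be collapsed again once opened; `el.removeAttribute("collapsed")` would keep the test meaningful, provided the stylesheet keys on the attribute's presence or on `="true"`.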
