mobile/android/chrome/content/aboutCertError.xhtml

changeset 0
6474c204b198
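--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mobile/android/chrome/content/aboutCertError.xhtml	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,247 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!DOCTYPE html [
+  <!ENTITY % htmlDTD
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "DTD/xhtml1-strict.dtd">
+  %htmlDTD;
+  <!ENTITY % globalDTD
+    SYSTEM "chrome://global/locale/global.dtd">
+  %globalDTD;
+  <!ENTITY % certerrorDTD
+    SYSTEM "chrome://browser/locale/aboutCertError.dtd">
+  %certerrorDTD;
+]>
+
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>&certerror.pagetitle;</title>
+    <meta name="viewport" content="width=device-width; user-scalable=false" />
+    <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
+    <!-- This page currently uses the same favicon as neterror.xhtml.
+         If the location of the favicon is changed for both pages, the
+         FAVICON_ERRORPAGE_URL symbol in toolkit/components/places/src/nsFaviconService.h
+         should be updated. If this page starts using a different favicon
+         than neterrorm nsFaviconService->SetAndLoadFaviconForPage
+         should be updated to ignore this one as well. -->
+    <link rel="icon" type="image/png" id="favicon" sizes="64x64" href="chrome://browser/skin/images/certerror-warning.png"/>
+
+    <script type="application/javascript"><![CDATA[
+      // Error url MUST be formatted like this:
+      //   about:certerror?e=error&u=url&d=desc
+
+      // Note that this file uses document.documentURI to get
+      // the URL (with the format from above). This is because
+      // document.location.href gets the current URI off the docshell,
+      // which is the URL displayed in the location bar, i.e.
+      // the URI that the user attempted to load.
+
+      function getCSSClass()
+      {
+        var url = document.documentURI;
+        var matches = url.match(/s\=([^&]+)\&/);
+        // s is optional, if no match just return nothing
+        if (!matches || matches.length < 2)
+          return "";
+
+        // parenthetical match is the second entry
+        return decodeURIComponent(matches[1]);
+      }
+
+      function getDescription()
+      {
+        var url = document.documentURI;
+        var desc = url.search(/d\=/);
+
+        // desc == -1 if not found; if so, return an empty string
+        // instead of what would turn out to be portions of the URI
+        if (desc == -1)
+          return "";
+
+        return decodeURIComponent(url.slice(desc + 2));
+      }
+
+      function initPage()
+      {
+        // Replace the "#1" string in the intro with the hostname.  Trickier
+        // than it might seem since we want to preserve the <b> tags, but
+        // not allow for any injection by just using innerHTML.  Instead,
+        // just find the right target text node.
+        var intro = document.getElementById('introContentP1');
+        function replaceWithHost(node) {
+          if (node.textContent == "#1")
+            node.textContent = location.host;
+          else
+            for(var i = 0; i < node.childNodes.length; i++)
+              replaceWithHost(node.childNodes[i]);
+        };
+        replaceWithHost(intro);
+
+        if (getCSSClass() == "expertBadCert") {
+          toggle('technicalContent');
+          toggle('expertContent');
+        }
+
+        // Disallow overrides if this is a Strict-Transport-Security
+        // host and the cert is bad (STS Spec section 7.3) or if the
+        // certerror is in a frame (bug 633691).
+        if (getCSSClass() == "badStsCert" || window != top)
+          document.getElementById("expertContent").setAttribute("hidden", "true");
+
+        var tech = document.getElementById("technicalContentText");
+        if (tech)
+          tech.textContent = getDescription();
+
+        addDomainErrorLink();
+      }
+
+      /* In the case of SSL error pages about domain mismatch, see if
+         we can hyperlink the user to the correct site.  We don't want
+         to do this generically since it allows MitM attacks to redirect
+         users to a site under attacker control, but in certain cases
+         it is safe (and helpful!) to do so.  Bug 402210
+      */
+      function addDomainErrorLink() {
+        // Rather than textContent, we need to treat description as HTML
+        var sd = document.getElementById("technicalContentText");
+        if (sd) {
+          var desc = getDescription();
+
+          // sanitize description text - see bug 441169
+
+          // First, find the index of the <a> tag we care about, being careful not to
+          // use an over-greedy regex
+          var re = /<a id="cert_domain_link" title="([^"]+)">/;
+          var result = re.exec(desc);
+          if(!result)
+            return;
+
+          // Remove sd's existing children
+          sd.textContent = "";
+
+          // Everything up to the link should be text content
+          sd.appendChild(document.createTextNode(desc.slice(0, result.index)));
+
+          // Now create the link itself
+          var anchorEl = document.createElement("a");
+          anchorEl.setAttribute("id", "cert_domain_link");
+          anchorEl.setAttribute("title", result[1]);
+          anchorEl.appendChild(document.createTextNode(result[1]));
+          sd.appendChild(anchorEl);
+
+          // Finally, append text for anything after the closing </a>
+          sd.appendChild(document.createTextNode(desc.slice(desc.indexOf("</a>") + "</a>".length)));
+        }
+
+        var link = document.getElementById('cert_domain_link');
+        if (!link)
+          return;
+
+        var okHost = link.getAttribute("title");
+        var thisHost = document.location.hostname;
+        var proto = document.location.protocol;
+
+        // If okHost is a wildcard domain ("*.example.com") let's
+        // use "www" instead.  "*.example.com" isn't going to
+        // get anyone anywhere useful. bug 432491
+        okHost = okHost.replace(/^\*\./, "www.");
+
+        /* case #1:
+         * example.com uses an invalid security certificate.
+         *
+         * The certificate is only valid for www.example.com
+         *
+         * Make sure to include the "." ahead of thisHost so that
+         * a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com"
+         *
+         * We'd normally just use a RegExp here except that we lack a
+         * library function to escape them properly (bug 248062), and
+         * domain names are famous for having '.' characters in them,
+         * which would allow spurious and possibly hostile matches.
+         */
+        if (endsWith(okHost, "." + thisHost))
+          link.href = proto + okHost;
+
+        /* case #2:
+         * browser.garage.maemo.org uses an invalid security certificate.
+         *
+         * The certificate is only valid for garage.maemo.org
+         */
+        if (endsWith(thisHost, "." + okHost))
+          link.href = proto + okHost;
+
+        // If we set a link, meaning there's something helpful for
+        // the user here, expand the section by default
+        if (link.href && getCSSClass() != "expertBadCert")
+          toggle("technicalContent");
+      }
+
+      function endsWith(haystack, needle) {
+        return haystack.slice(-needle.length) == needle;
+      }
+
+      function toggle(id) {
+        var el = document.getElementById(id);
+        if (el.hasAttribute("collapsed"))
+          el.removeAttribute("collapsed");
+        else
+          el.setAttribute("collapsed", true);
+      }
+    ]]></script>
+  </head>
+
+  <body id="errorPage" class="certerror" dir="&locale.dir;">
+
+    <!-- PAGE CONTAINER (for styling purposes only) -->
+    <div id="errorPageContainer">
+
+      <!-- Error Title -->
+      <div id="errorTitle">
+        <h1 class="errorTitleText">&certerror.longpagetitle;</h1>
+      </div>
+
+      <!-- LONG CONTENT (the section most likely to require scrolling) -->
+      <div id="errorLongContent">
+        <div id="introContent">
+          <p id="introContentP1">&certerror.introPara1;</p>
+        </div>
+
+        <div id="whatShouldIDoContent">
+          <h2>&certerror.whatShouldIDo.heading;</h2>
+          <div id="whatShouldIDoContentText">
+            <p>&certerror.whatShouldIDo.content;</p>
+            <button id="getMeOutOfHereButton">&certerror.getMeOutOfHere.label;</button>
+          </div>
+        </div>
+
+        <!-- The following sections can be unhidden by default by setting the
+             "browser.xul.error_pages.expert_bad_cert" pref to true -->
+        <div id="technicalContent" collapsed="true">
+          <h2 class="expander" onclick="toggle('technicalContent');" id="technicalContentHeading">&certerror.technical.heading;</h2>
+          <p id="technicalContentText"/>
+        </div>
+
+        <div id="expertContent" collapsed="true">
+          <h2 class="expander" onclick="toggle('expertContent');" id="expertContentHeading">&certerror.expert.heading;</h2>
+          <div>
+            <p>&certerror.expert.content;</p>
+            <p>&certerror.expert.contentPara2;</p>
+            <button id="temporaryExceptionButton">&certerror.addTemporaryException.label;</button>
+            <button id="permanentExceptionButton">&certerror.addPermanentException.label;</button>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!--
+    - Note: It is important to run the script this way, instead of using
+    - an onload handler. This is because error pages are loaded as
+    - LOAD_BACKGROUND, which means that onload handlers will not be executed.
+    -->
+    <script type="application/javascript">initPage();</script>
+
+  </body>
+</html>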
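Review bot: In addDomainErrorLink, `okHost` comes from the `title` value that `[^"]+` captures out of the `d=` description, and it is concatenated into `link.href` after only a suffix comparison, so nothing in this file confirms it is a bare hostname. The function's own comment says the link must not send users somewhere a MitM controls, so a guard such as `if (!/^[A-Za-z0-9.-]+$/.test(okHost)) return;` right after the wildcard replacement would keep the two `endsWith` checks meaningful; whether the caller already escapes or restricts the description is not visible from here. Separately, `desc.indexOf("</a>")` searches from the start of the string and its -1 result is not handled, so a description without a closing tag re-appends the text from offset 3. Placing `var end = desc.indexOf("</a>", result.index); if (end == -1) return;` before `sd.textContent = ""` and slicing from `end` would avoid that.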
