Merge pull request #3523 from yurydelendik/csp

Bug 889320 - [CSP] removes inlined styles and scripts, also HTTP headers
2013-08-06 13:10:33 -07:00 · 2013-08-06 13:10:33 -07:00 · 820145da05
commit 820145da05
parent 6736cca8c4 7a43492e5f
4 changed files with 36 additions and 10 deletions
--- a/extensions/firefox/components/PdfStreamConverter.js
+++ b/extensions/firefox/components/PdfStreamConverter.js
@ -720,6 +720,15 @@ PdfStreamConverter.prototype = {
    // Change the content type so we don't get stuck in a loop.
    aRequest.setProperty('contentType', aRequest.contentType);
    aRequest.contentType = 'text/html';
+    if (isHttpRequest) {
+      // We trust PDF viewer, using no CSP
+      aRequest.setResponseHeader('Content-Security-Policy', '', false);
+      aRequest.setResponseHeader('Content-Security-Policy-Report-Only', '',
+                                 false);
+      aRequest.setResponseHeader('X-Content-Security-Policy', '', false);
+      aRequest.setResponseHeader('X-Content-Security-Policy-Report-Only', '',
+                                 false);
+    }

    if (!rangeRequest) {
      // Creating storage for PDF data
--- a/web/ui_utils.js
+++ b/web/ui_utils.js
@ -117,6 +117,13 @@ function scrollIntoView(element, spot) {
  parent.scrollTop = offsetY;
 }

+/**
+ * Event handler to suppress context menu.
+ */
+function noContextMenuHandler(e) {
+  e.preventDefault();
+}
+
 /**
 * Returns the filename or guessed filename from the url (see issue 3455).
 * url {String} The original PDF location.
--- a/web/viewer.html
+++ b/web/viewer.html
@ -158,8 +158,6 @@ limitations under the License.
                <span id="numPages" class="toolbarLabel"></span>
              </div>
              <div id="toolbarViewerRight">
-                <input id="fileInput" class="fileInput" type="file" oncontextmenu="return false;" style="visibility: hidden; position: fixed; right: 0; top: 0" />
-
                <button id="presentationMode" class="toolbarButton presentationMode hiddenSmallView" title="Switch to Presentation Mode" tabindex="12" data-l10n-id="presentation_mode">
                  <span data-l10n-id="presentation_mode_label">Presentation Mode</span>
                </button>
@ -190,7 +188,7 @@ limitations under the License.
                     </button>
                  </div>
                  <span id="scaleSelectContainer" class="dropdownToolbarButton">
-                     <select id="scaleSelect" title="Zoom" oncontextmenu="return false;" tabindex="11" data-l10n-id="zoom">
+                     <select id="scaleSelect" title="Zoom" tabindex="11" data-l10n-id="zoom">
                      <option id="pageAutoOption" value="auto" selected="selected" data-l10n-id="page_scale_auto">Automatic Zoom</option>
                      <option id="pageActualOption" value="page-actual" data-l10n-id="page_scale_actual">Actual Size</option>
                      <option id="pageFitOption" value="page-fit" data-l10n-id="page_scale_fit">Fit Page</option>
--- a/web/viewer.js
+++ b/web/viewer.js
@ -17,7 +17,7 @@
 /* globals PDFJS, PDFBug, FirefoxCom, Stats, Cache, PDFFindBar, CustomStyle,
           PDFFindController, ProgressBar, TextLayerBuilder, DownloadManager,
           getFileName, getOutputScale, scrollIntoView, getPDFFileNameFromURL,
-           PDFHistory */
+           PDFHistory, noContextMenuHandler */

 'use strict';

@ -796,11 +796,9 @@ var PDFView = {
      moreInfoButton.removeAttribute('hidden');
      lessInfoButton.setAttribute('hidden', 'true');
    };
-    moreInfoButton.oncontextmenu =
-    lessInfoButton.oncontextmenu =
-    closeButton.oncontextmenu = function(e) {
-      e.preventDefault();
-    };
+    moreInfoButton.oncontextmenu = noContextMenuHandler;
+    lessInfoButton.oncontextmenu = noContextMenuHandler;
+    closeButton.oncontextmenu = noContextMenuHandler;
    moreInfoButton.removeAttribute('hidden');
    lessInfoButton.setAttribute('hidden', 'true');
    errorMoreInfo.value = moreInfoText;
@ -2218,7 +2216,16 @@ document.addEventListener('DOMContentLoaded', function webViewerLoad(evt) {
 //var file = window.location.href.split('#')[0];
 //#endif

-//#if !(FIREFOX || MOZCENTRAL)
+//#if !(FIREFOX || MOZCENTRAL || CHROME)
+  var fileInput = document.createElement('input');
+  fileInput.id = 'fileInput';
+  fileInput.className = 'fileInput';
+  fileInput.setAttribute('type', 'file');
+  fileInput.setAttribute('style',
+    'visibility: hidden; position: fixed; right: 0; top: 0');
+  fileInput.oncontextmenu = noContextMenuHandler;
+  document.body.appendChild(fileInput);
+
  if (!window.File || !window.FileReader || !window.FileList || !window.Blob) {
    document.getElementById('openFile').setAttribute('hidden', 'true');
  } else {
@ -2310,6 +2317,9 @@ document.addEventListener('DOMContentLoaded', function webViewerLoad(evt) {
    }
  });

+  // Suppress context menus for some controls
+  document.getElementById('scaleSelect').oncontextmenu = noContextMenuHandler;
+
  var mainContainer = document.getElementById('mainContainer');
  var outerContainer = document.getElementById('outerContainer');
  mainContainer.addEventListener('transitionend', function(e) {
@ -2365,10 +2375,12 @@ document.addEventListener('DOMContentLoaded', function webViewerLoad(evt) {
      PDFView.presentationMode();
    });

+//#if !(FIREFOX || MOZCENTRAL || CHROME)
  document.getElementById('openFile').addEventListener('click',
    function() {
      document.getElementById('fileInput').click();
    });
+//#endif

  document.getElementById('print').addEventListener('click',
    function() {