Bug 1450309 - Allow nSIContentPolicy to reject based on enterprise policy. r=ckerschb, a=RyanVM
Differential Revision:
https://phabricator.services.mozilla.com/D91487
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -8091,18 +8091,23 @@ nsresult nsDocShell::PerformRetargeting(
secCheckLoadInfo->SetSkipContentPolicyCheckForWebRequest(true);
int16_t shouldLoad = nsIContentPolicy::ACCEPT;
rv = NS_CheckContentLoadPolicy(aLoadState->URI(), secCheckLoadInfo,
EmptyCString(), // mime guess
&shouldLoad);
if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
- if (NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) {
- return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+ if (NS_SUCCEEDED(rv)) {
+ if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+ return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+ }
+ if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+ return NS_ERROR_BLOCKED_BY_POLICY;
+ }
}
return NS_ERROR_CONTENT_BLOCKED;
}
}
//
// Resolve the window target before going any further...
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@@ -439,16 +439,22 @@ interface nsIContentPolicy : nsISupports
* based on some other criteria. Mozilla callers will handle this like
* REJECT_REQUEST; third-party implementors may, for example, use this to
* direct their own callers to consult the extra parameter for additional
* details.
*/
const short REJECT_OTHER = -4;
/**
+ * Returned from shouldLoad or shouldProcess if the load/process is forbiddden
+ * based on enterprise policy.
+ */
+ const short REJECT_POLICY = -5;
+
+ /**
* Returned from shouldLoad or shouldProcess if the load or process request
* is not rejected.
*/
const short ACCEPT = 1;
/**
* Should the resource at this location be loaded?
* ShouldLoad will be called before loading the resource at aContentLocation
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -575,21 +575,26 @@ static nsresult DoContentSecurityChecks(
int16_t shouldLoad = nsIContentPolicy::ACCEPT;
rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, mimeTypeGuess, &shouldLoad,
nsContentUtils::GetContentPolicy());
if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
NS_SetRequestBlockingReasonIfNull(
aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL);
- if ((NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) &&
+ if (NS_SUCCEEDED(rv) &&
(contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
- // for docshell loads we might have to return SHOW_ALT.
- return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+ if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+ // for docshell loads we might have to return SHOW_ALT.
+ return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+ }
+ if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+ return NS_ERROR_BLOCKED_BY_POLICY;
+ }
}
return NS_ERROR_CONTENT_BLOCKED;
}
return NS_OK;
}
static void LogPrincipal(nsIPrincipal* aPrincipal,