[tor-commits] [Git][tpo/applications/tor-browser][base-browser-128.8.0esr-14.0-1] 5 commits: Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp]

ma1 pushed to branch base-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

8ada94b2

by Tara at 2025-03-03T10:09:21+01:00

Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp]

Differential Revision: https://phabricator.services.mozilla.com/D236606

ed4eb7c6

by John Schanck at 2025-03-03T10:09:22+01:00

Bug 1922357 - disallow the fido: URI scheme.  a=dmeehan

Original Revision: https://phabricator.services.mozilla.com/D237313

Differential Revision: https://phabricator.services.mozilla.com/D238681

f53d7d49

by Jeff Boek at 2025-03-03T10:09:23+01:00

Bug 1928334 - Handles animating activities  a=dmeehan

Original Revision: https://phabricator.services.mozilla.com/D238342

Differential Revision: https://phabricator.services.mozilla.com/D238845

bc8d56ec

by Tom Schuster at 2025-03-03T10:09:24+01:00

Bug 1942022 - Improve the about:protections CSP. r=firefox-desktop-core-reviewers ,mossop

Differential Revision: https://phabricator.services.mozilla.com/D234507

276610d2

by Tom Schuster at 2025-03-03T10:09:25+01:00

Bug 1942025 - Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs

Differential Revision: https://phabricator.services.mozilla.com/D234508

11 changed files:

browser/components/privatebrowsing/content/aboutPrivateBrowsing.html
browser/components/protections/content/protections.html
mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt
mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt
mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt
mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt
mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt
mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt
mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt
mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java
mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java

Changes:

browser/components/privatebrowsing/content/aboutPrivateBrowsing.html

@@ -10,7 +10,7 @@
      <meta charset="utf-8" />
      <meta
        http-equiv="Content-Security-Policy"
 -      content="default-src chrome: blob:; object-src 'none'"
 +      content="default-src chrome:; img-src chrome: blob:; object-src 'none';"
      />
      <meta name="color-scheme" content="light dark" />
      <link rel="icon" href="">"chrome://browser/skin/privatebrowsing/favicon.svg" />

browser/components/protections/content/protections.html

@@ -8,7 +8,7 @@
      <meta charset="utf-8" />
      <meta
        http-equiv="Content-Security-Policy"
 -      content="default-src chrome: blob:; object-src 'none'"
 +      content="default-src chrome:; object-src 'none'"
      />
      <meta name="color-scheme" content="light dark" />
      <link rel="localization" href="">"branding/brand.ftl" />

mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt

@@ -1818,7 +1818,7 @@ class GeckoEngineSession(
          internal const val ABOUT_BLANK = "about:blank"
          internal const val JS_SCHEME = "_javascript_"
          internal val BLOCKED_SCHEMES =
 -            listOf("file", "resource", JS_SCHEME) // See 1684761 and 1684947
 +            listOf("file", "resource", "fido", JS_SCHEME) // See 1684761 and 1684947
          /**
           * Provides an ErrorType corresponding to the error code provided.

mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt

@@ -631,6 +631,11 @@ class GeckoEngineSessionTest {
          engineSession.loadUrl("RESOURCE://package/test.text")
          verify(geckoSession, never()).load(GeckoSession.Loader().uri("resource://package/test.text"))
          verify(geckoSession, never()).load(GeckoSession.Loader().uri("RESOURCE://package/test.text"))
++
 +        engineSession.loadUrl("fido:/12345678")
 +        engineSession.loadUrl("FIDO:/12345678")
 +        verify(geckoSession, never()).load(GeckoSession.Loader().uri("fido:/12345678"))
 +        verify(geckoSession, never()).load(GeckoSession.Loader().uri("FIDO:/12345678"))
+     }
      @Test

mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt


             "https", "moz-extension", "moz-safe-about", "resource", "view-source", "ws", "wss", "blob",
         )
 
-        internal val ALWAYS_DENY_SCHEMES: Set<String> = setOf("jar", "file", "_javascript_", "data", "about", "content")
+        internal val ALWAYS_DENY_SCHEMES: Set<String> =
+            setOf("jar", "file", "_javascript_", "data", "about", "content", "fido")
     }
 }

mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt

@@ -47,6 +47,7 @@ class AppLinksUseCasesTest {
      private val _javascript_Url = "_javascript_:'hello, world'"
      private val jarUrl = "jar:file://some/path/test.html"
      private val contentUrl = "content://media/external_primary/downloads/12345"
 +    private val fidoPath = "fido:12345678"
      private val fileType = "audio/mpeg"
      private val layerUrl = "https://example.com"
      private val layerPackage = "com.example.app"
@@ -215,6 +216,15 @@ class AppLinksUseCasesTest {
          assertFalse(redirect.isRedirect())
+     }
 +    @Test
 +    fun `A fido url is not an app link`() {
 +        val context = createContext(Triple(fidoPath, appPackage, ""))
 +        val subject = AppLinksUseCases(context, { true })
++
 +        val redirect = subject.interceptedAppLinkRedirect(fidoPath)
 +        assertFalse(redirect.isRedirect())
 +    }
++
      @Test
      fun `Will not redirect app link if browser option set to false and scheme is supported`() {
          val context = createContext(Triple(appUrl, appPackage, ""))

mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt

@@ -9,6 +9,7 @@ import android.content.Intent
  import androidx.annotation.VisibleForTesting
  import androidx.annotation.VisibleForTesting.Companion.PRIVATE
  import androidx.core.view.isVisible
 +import androidx.fragment.app.DialogFragment
  import androidx.fragment.app.Fragment
  import androidx.fragment.app.FragmentManager
  import kotlinx.coroutines.CoroutineScope
@@ -1094,7 +1095,15 @@ class PromptFeature private constructor(
          emitPromptDismissedFact(promptName = promptRequest::class.simpleName.ifNullOrEmpty { "" })
+     }
 +    @VisibleForTesting
 +    internal fun redirectDialogFragmentIsActive() =
 +        (fragmentManager.findFragmentByTag("SHOULD_OPEN_APP_LINK_PROMPT_DIALOG") as? DialogFragment) != null
++
      private fun canShowThisPrompt(promptRequest: PromptRequest): Boolean {
 +        if (redirectDialogFragmentIsActive()) {
 +            return false
 +        }
++
          return when (promptRequest) {
              is SingleChoice,
              is MultipleChoice,

mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt


         return false
     }
 
-    final override fun dispatchTouchEvent(ev: MotionEvent?): Boolean {
+    override fun dispatchTouchEvent(ev: MotionEvent?): Boolean {
         ProfilerMarkers.addForDispatchTouchEvent(components.core.engine.profiler, ev)
         return super.dispatchTouchEvent(ev)
     }

mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt

@@ -7,6 +7,7 @@ package org.mozilla.fenix.customtabs
  import android.app.assist.AssistContent
  import android.net.Uri
  import android.os.Build
 +import android.view.MotionEvent
  import androidx.annotation.RequiresApi
  import androidx.annotation.VisibleForTesting
  import mozilla.components.browser.state.selector.findCustomTab
@@ -24,6 +25,8 @@ const val EXTRA_IS_SANDBOX_CUSTOM_TAB = "org.mozilla.fenix.customtabs.EXTRA_IS_S
   */
  @Suppress("TooManyFunctions")
  open class ExternalAppBrowserActivity : HomeActivity() {
 +    var isFinishedAnimating = false
++
      override fun onResume() {
          super.onResume()
@@ -74,4 +77,17 @@ open class ExternalAppBrowserActivity : HomeActivity() {
          val currentTabUrl = getExternalTab()?.content?.url
          outContent?.webUri = currentTabUrl?.let { Uri.parse(it) }
+     }
++
 +    override fun dispatchTouchEvent(ev: MotionEvent?): Boolean {
 +        if (!isFinishedAnimating) {
 +            return true
 +        }
++
 +        return super.dispatchTouchEvent(ev)
 +    }
++
 +    override fun onEnterAnimationComplete() {
 +        super.onEnterAnimationComplete()
 +        isFinishedAnimating = true
 +    }
+ }

mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java


       return getSafeIntent(aUri) != null;
     }
 
+    if ("fido".equals(scheme)) {
+      return false;
+    }
+
     return true;
   }
 

mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java

@@ -63,4 +63,10 @@ public class IntentUtilsTest {
      final String uri = "intent:non_scheme_intent#Intent;end";
      assertTrue(IntentUtils.isUriSafeForScheme(uri));
+   }
++
 +  @Test
 +  public void unsafeFidoUri() {
 +    final String uri = "fido:/12345678";
 +    assertFalse(IntentUtils.isUriSafeForScheme(uri));
 +  }
+ }