update ESR base to 115; update EV roots, certs, HSTS, pins, TLDs, TZs…

…; update usrsctp; security pullup; more comprehensive nuisance script blocking; fixes for #488, #566
classilla · Aug 31, 2023 · 55284dd · 55284dd
1 parent 17b2369
commit 55284dd
Show file tree

Hide file tree

Showing 89 changed files with 58,725 additions and 34,161 deletions.
diff --git a/104fx_import_esr91_stspreload.pl → 104fx_import_esr115_stspreload.pl b/104fx_import_esr91_stspreload.pl → 104fx_import_esr115_stspreload.pl
@@ -10,7 +10,7 @@
 /* nsSiteSecurityService.cpp, you shouldn't be #including it.                */
 /*****************************************************************************/
 
-/* imported from ESR91 by TenFourFox conversion script */
+/* imported from ESR115 by TenFourFox conversion script */
 
 #include <stdint.h>
 EOF

diff --git a/104fx_import_shavar_cryptominers.pl b/104fx_import_shavar_cryptominers.pl
@@ -390,7 +390,14 @@ sub genericnetworkjson {
 
 select(STDOUT); $|++;
 %dupedupe = ();
-foreach $a (@{ $json_ref->{'categories'}->{'Cryptomining'} }) {
+&emit('Cryptomining');
+&emit('FingerprintingInvasive');
+# considering
+#&emit('Analytics');
+
+sub emit {
+my $cat = shift(@_);
+foreach $a (@{ $json_ref->{'categories'}->{$cat} }) {
 	foreach $b (keys(%{ $a })) {
 		die("illegal newline: $b\n") if ($b =~ /[\r\n]/s);
 		print "// $b\n";
@@ -404,8 +411,15 @@ sub genericnetworkjson {
 				die("illegal quote: $d\n") if ($d =~ /"/);
 				next if ($dupedupe{$d}++);
 
+				# whitelist (with regrets)
+				next if (0 ||
+					$d eq 'ibm.com' ||
+					$d eq 'godaddy.com' ||
+				0);
 				print "        BLOK(\"$d\") ||\n";
+				print "        BLOKD(\".$d\") ||\n";
 			}
 		}
 	}
 }
+}
diff --git a/104fx_upcerts.sh b/104fx_upcerts.sh
@@ -10,7 +10,7 @@ endif
 # if we update NSS, we need to remove that patch (TenFourFox issue 512).
 
 set verbose
-set release_url=https://hg.mozilla.org/releases/mozilla-esr102/raw-file/tip/
+set release_url=https://hg.mozilla.org/releases/mozilla-esr115/raw-file/tip/
 
 # self test to ensure certificates and encryption methods are correct
 curl ${release_url}/config/milestone.txt || exit

diff --git a/CLOBBER b/CLOBBER
@@ -22,4 +22,4 @@
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Rebuild for 102ESR base
+Rebuild for 115ESR base
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
@@ -738,6 +738,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
         if (MOZ_LIKELY(NS_SUCCEEDED(targetBaseURI->GetHost(hostname)))) {
             ToLowerCase(hostname);
 #define BLOK(q) hostname.EqualsLiteral(q)
+#define BLOKD(q) (StringEndsWith(hostname, NS_LITERAL_CSTRING(q)))
             if (0 ||
                 // This is used as a data source by a lot of UIs,
                 // so we shouldn't block it (e.g., nytimes).
@@ -1273,6 +1274,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
 #include "shavar-blocklist.h"
 
                     0) {
+#undef BLOKD
 #undef BLOK
                 // Yup.
 #ifndef DEBUG