OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=41

2008-10-23 20:35:22 +00:00 · 2008-10-23 20:35:22 +00:00 · 0c3753fe9c
commit 0c3753fe9c
parent 04b672ff97
4 changed files with 701 additions and 22 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
+
+- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
+  * Lockdown: FATE#302023, FATE#302024
+
 -------------------------------------------------------------------
 Mon Oct  6 14:55:48 CEST 2008 - sbrabec@suse.cz

--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -27,7 +27,7 @@ License:        GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL
 Provides:       web_browser
 Provides:       firefox
 Version:        3.0.3
-Release:        2
+Release:        3
 Summary:        Mozilla Firefox Web Browser
 Url:            http://www.mozilla.org/
 Group:          Productivity/Networking/Web/Browsers
@ -46,6 +46,10 @@ Patch1:         firefox-libxul-sdk.patch
 Patch2:         firefox-no-update.patch
 Patch14:        credits.patch
 Patch17:        firefox-appname.patch
+# PATCH-FEATURE-SLED firefox-ui-lockdown.patch FATE#302023, FATE#302024 - hfiguiere@novell.com
+Patch20:        firefox-ui-lockdown.patch
+# PATCH-FEATURE-SLED gecko-lockdown.patch FATE#302023, FATE#302024 - hfiguiere@novell.com
+Patch21:        gecko-lockdown.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         coreutils /bin/sh gconf2 shared-mime-info desktop-file-utils
 Requires:       mozilla-xulrunner190 >= %(rpm -q --queryformat '%{VERSION}-%{RELEASE}' mozilla-xulrunner190)
@ -54,7 +58,7 @@ Requires:       %{name}-branding >= 3.0
 %define _use_internal_dependency_generator 0
 %define __find_requires sh %{SOURCE4}
 %define __find_provides %{nil}
-%define releasedate 2008092700
+%define releasedate 2008092701
 %define progname firefox
 %define progdir %{_prefix}/%_lib/%{progname}
 %if %suse_version > 1020
@ -136,6 +140,8 @@ cd $RPM_BUILD_DIR/mozilla
 %patch2
 %patch14
 %patch17
+%patch20 -p2 
+%patch21 -p2

 %build
 export MOZ_BUILD_DATE=%{releasedate}
@ -161,7 +167,7 @@ ac_add_options --with-libxul-sdk=$SDKDIR
 ac_add_options --with-system-jpeg
 #ac_add_options --with-system-png     # doesn't work because of missing APNG support
 ac_add_options --with-system-zlib
-#ac_add_options --enable-gconf # not ported yet
+ac_add_options --enable-gconf # not ported yet
 ac_add_options --disable-installer
 ac_add_options --disable-tests
 ac_add_options --disable-debug
@ -363,6 +369,9 @@ fi
 %{progdir}/defaults/preferences/firefox-build.js

 %changelog
+* Thu Oct 23 2008 hfiguiere@suse.de
+- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
+  * Lockdown: FATE#302023, FATE#302024
 * Mon Oct 06 2008 sbrabec@suse.cz
 - Conflict with other branding providers (FATE#304881).
 * Mon Sep 29 2008 maw@suse.de
@ -385,7 +394,7 @@ fi
 - brought man-page up to date for the firefox stub
  (removing firefox-bin reference)
 - en-US locale not longer packaged in translations subpackage
-* Sat Aug 16 2008 maw@novell.com
+* Fri Aug 15 2008 maw@novell.com
 - Review and approve changes.
 * Mon Aug 04 2008 wr@rosenauer.org
 - Tweak branding split
@ -416,9 +425,9 @@ fi
 - network.protocol-handler.app.* prefs are no longer supported;
  remove references to them from firefox-suse-default-prefs.js
  (bnc#383697).
-* Thu Apr 03 2008 maw@suse.de
+* Wed Apr 02 2008 maw@suse.de
 - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang).
-* Wed Mar 26 2008 maw@suse.de
+* Tue Mar 25 2008 maw@suse.de
 - Merge changes from the build service (thanks, Wolfgang)
 - Update to the fourth Firefox 3.0 Beta (2.9.94):
  + Based upon the Gecko 1.9 Web rendering platform, which improves
@ -528,7 +537,7 @@ fi
 - Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
 * Fri Dec 21 2007 maw@suse.de
 - Add firefox-348446-empty-lists.patch (bnc#348446).
-* Wed Dec 05 2007 maw@suse.de
+* Tue Dec 04 2007 maw@suse.de
 - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders!
 * Tue Nov 27 2007 maw@suse.de
 - Security update to version 2.0.0.10 (#341905, #341591):
@ -543,7 +552,7 @@ fi
 - Build with -ftree-vrp -fwrapv, per advice in #342603#c17.
 * Tue Nov 13 2007 maw@suse.de
 - Add firefox-gcc4.3-fixes.patch.
-* Fri Oct 19 2007 maw@suse.de
+* Thu Oct 18 2007 maw@suse.de
 - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang)
  * MFSA 2007-29 Crashes with evidence of memory corruption
  * MFSA 2007-30 onUnload Tailgating
@ -556,7 +565,7 @@ fi
  http://www.mozilla.org/projects/security/known-vulnerabilities.html
 * Sun Sep 23 2007 maw@suse.de
 - Don't explicitly require libaoss.so (#326751).
-* Sat Sep 15 2007 maw@suse.de
+* Fri Sep 14 2007 maw@suse.de
 - Update the Novell Support search plugin in search-addons.tar.bz2
  (#297261)
 - Set the browser.tabs.loadFolderAndReplace preference to false
@ -566,7 +575,7 @@ fi
 * Thu Sep 06 2007 maw@suse.de
 - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3
  to the default bookmarks (#308223).
-* Tue Sep 04 2007 ro@suse.de
+* Mon Sep 03 2007 ro@suse.de
 - move last change a bit further in specfile
 * Fri Aug 31 2007 maw@suse.de
 - Mark a .png file as nonexecutable.
@ -620,7 +629,7 @@ fi
 - Use mozilla.sh.in from the build service (#230681).
 * Tue Jun 05 2007 sbrabec@suse.cz
 - Removed invalid desktop category "Application" (#254654).
-* Tue Jun 05 2007 maw@suse.de
+* Mon Jun 04 2007 maw@suse.de
 - Security update to version 2.0.0.4
 - Refresh configure.patch, startup.patch, and visibility.patch
 - Now use l10n-%%{version}.tar.bz2 instead of l10n.tar.bz2.
@ -632,7 +641,7 @@ fi
  U+3099 U+309A (see bugzilla #262718 comment #29).
 * Mon Mar 12 2007 maw@suse.de
 - Package gconf stuff.
-* Thu Feb 22 2007 maw@suse.de
+* Wed Feb 21 2007 maw@suse.de
 - Security update to 2.0.0.2 (#244923), which covers:
  + mfsa2007-01
  * CVE-2007-0775 - layout engine crashes
@ -670,7 +679,7 @@ fi
 - readd MozillaFirebird provides (was incorrect in removing it).
 * Mon Jan 08 2007 meissner@suse.de
 - Do not provide MozillaFirebird, just obsolete it.
-* Fri Dec 01 2006 maw@suse.de
+* Thu Nov 30 2006 maw@suse.de
 - Update gecko-lockdown.patch (#220616).
 * Thu Nov 30 2006 maw@suse.de
 - Update firefox-suse-default-prefs.js, adding
@ -748,7 +757,7 @@ fi
 * Thu Jun 29 2006 stark@suse.de
 - fixed printing crash if the last used printer is not available
  anymore (#187013)
-* Sat Jun 17 2006 stark@suse.de
+* Fri Jun 16 2006 stark@suse.de
 - added 48x48 icon (#185777)
 * Mon Jun 12 2006 stark@suse.de
 - fix overwrite confirmation for GTK filesaver (#179531)
@ -925,7 +934,7 @@ fi
 - unlocalize bookmarks (#114279)
 * Thu Sep 08 2005 stark@suse.de
 - fixed some filemodes (#114849)
-* Sun Sep 04 2005 stark@suse.de
+* Sat Sep 03 2005 stark@suse.de
 - fixed gconf-backend patch to be able to use
  system prefs (#114054)
 * Thu Sep 01 2005 stark@suse.de
@ -1025,13 +1034,13 @@ fi
 * Sat Apr 23 2005 stark@suse.de
 - activate usage of system NSPR for distributions after 9.3
 - add patch to be able to use systen NSPR at all
-* Fri Apr 22 2005 ro@suse.de
+* Thu Apr 21 2005 ro@suse.de
 - use mozilla-gcc4.patch
 * Thu Apr 21 2005 stark@suse.de
 - don't execute gconf magic within build environment
 * Sat Apr 16 2005 stark@suse.de
 - update to final 1.0.3 release
-* Fri Apr 15 2005 ro@suse.de
+* Thu Apr 14 2005 ro@suse.de
 - fix problem in postinstall script
 * Thu Apr 14 2005 stark@suse.de
 - included fixed lockdown patch for NLD
@ -1176,13 +1185,13 @@ fi
 * Fri Oct 15 2004 stark@suse.de
 - inherit locale from system
 - fixed chrome registration
-* Thu Oct 07 2004 joeshaw@suse.de
+* Wed Oct 06 2004 joeshaw@suse.de
 - disable gconf settings as default (Ximian #67718)
 * Wed Oct 06 2004 stark@suse.de
 - fixed inclusion of RealPlayer plugin again
 * Tue Oct 05 2004 stark@suse.de
 - small important fix in firefox-download.patch (Ximian #65472)
-* Sun Oct 03 2004 stark@suse.de
+* Sat Oct 02 2004 stark@suse.de
 - added security-fix from 0.10.1 (mozilla.org #259708) (#46687)
 * Fri Oct 01 2004 stark@suse.de
 - final fix for downloading to Desktop folder (Ximian #65756)
@ -1215,7 +1224,7 @@ fi
 - throbber linked to Novell (Ximian #66283) by rganesan@novell.com
 - make industrial the default theme for NLD
  (Ximian #65542) by joeshaw@suse.de
-* Tue Sep 21 2004 joeshaw@suse.de
+* Mon Sep 20 2004 joeshaw@suse.de
 - Add default bookmarks.  Ximian #65546.
 - Add the industrial theme, but it's not the default yet.
 - Remove acroread from add-plugins because it's badly behaved.
@ -1245,7 +1254,7 @@ fi
 - update to 1.0PR (aka 0.10)
 * Fri Sep 03 2004 stark@suse.de
 - added ppc64 patch
-* Thu Sep 02 2004 dave@suse.de
+* Wed Sep 01 2004 dave@suse.de
 - Fixed up the .desktop installation on nld
 * Wed Sep 01 2004 shprasad@suse.de
 - Doesn't ask to set Firefox as default web-browser.
@ -1328,7 +1337,7 @@ fi
 - build as user
 * Fri Aug 22 2003 stark@suse.de
 - upstream sync for 0.6.1post
-* Mon Aug 11 2003 stark@suse.de
+* Sun Aug 10 2003 stark@suse.de
 - removed dmoz from searchplugins-filelist
 * Fri Aug 08 2003 stark@suse.de
 - update to 0.6.1post (TRUNK)
--- a/firefox-ui-lockdown.patch
+++ b/firefox-ui-lockdown.patch
@ -0,0 +1,323 @@
+diff --git a/mozilla/browser/base/content/browser-menubar.inc b/mozilla/browser/base/content/browser-menubar.inc
+index 07795f1..c035302 100644
+--- a/mozilla/browser/base/content/browser-menubar.inc
+++ b/mozilla/browser/base/content/browser-menubar.inc
+@@ -68,9 +68,9 @@
+                 <menuitem id="menu_saveFrame" label="&saveFrameCmd.label;" accesskey="&saveFrameCmd.accesskey;" command="Browser:SaveFrame" hidden="true"/>
+                 <menuitem id="menu_sendLink"  label="&sendPageCmd.label;"  accesskey="&sendPageCmd.accesskey;"  command="Browser:SendLink"/>
+                 <menuseparator/>
+-                <menuitem label="&printSetupCmd.label;" accesskey="&printSetupCmd.accesskey;" command="cmd_pageSetup"/>
+                <menuitem id="menu_printSetup" label="&printSetupCmd.label;" accesskey="&printSetupCmd.accesskey;" command="cmd_pageSetup"/>
+ #ifndef XP_MACOSX
+-                <menuitem label="&printPreviewCmd.label;" accesskey="&printPreviewCmd.accesskey;" command="cmd_printPreview"/>
+                <menuitem id="menu_printPreview" label="&printPreviewCmd.label;" accesskey="&printPreviewCmd.accesskey;" oncommand="PrintUtils.printPreview(onEnterPrintPreview, onExitPrintPreview);"/>
+ #endif
+                 <menuitem label="&printCmd.label;" accesskey="&printCmd.accesskey;" key="printKb" command="cmd_print"/>
+                 <menuseparator/>
+diff --git a/mozilla/browser/base/content/browser.js b/mozilla/browser/base/content/browser.js
+index 288becb..249d282 100644
+--- a/mozilla/browser/base/content/browser.js
+++ b/mozilla/browser/base/content/browser.js
+@@ -920,6 +920,150 @@ function prepareForStartup()
+   gBrowser.addEventListener("DOMLinkAdded", DOMLinkHandler, false);
+ }
+ 
+function lockdownElement(ident, disable, hideCompletely)
+{
+  var e = document.getElementById(ident);
+  if (!e) return;
+  if (hideCompletely) {
+    e.setAttribute("style", (disable) ? "display: none;" : "");
+  } else if (disable) {
+    e.setAttribute("disabled", "true");
+  } else {
+    e.removeAttribute("disabled");
+  }
+}
+
+function applyLockdown(isStartup)
+{
+  // It is important to check that Firefox code does not change the
+  // "disabled" state of these UI elements. Fortunately it mostly hides
+  // elements rather than disables them.
+  var disablePrinting = gPrefService.getBoolPref("config.lockdown.printing");
+  var disablePrintSetup = gPrefService.getBoolPref("config.lockdown.printsetup");
+  if (!isStartup || disablePrintSetup || disablePrintSetup) {
+    lockdownElement("menu_printSetup", disablePrinting || disablePrintSetup);
+    lockdownElement("menu_printPreview", disablePrinting || disablePrintSetup);
+    lockdownElement("cmd_print", disablePrinting);
+  }
+
+  var disableSave = gPrefService.getBoolPref("config.lockdown.savepage");
+  if (!isStartup || disableSave) {
+    lockdownElement("Browser:SavePage", disableSave);
+    lockdownElement("Browser:SaveFrame", disableSave);
+    lockdownElement("context-savepage", disableSave);
+    lockdownElement("context-saveframe", disableSave);
+    lockdownElement("context-savelink", disableSave);
+    lockdownElement("context-saveimage", disableSave);
+    lockdownElement("View:PageSource", disableSave);
+    lockdownElement("context-viewpartialsource-selection", disableSave);
+    lockdownElement("context-viewpartialsource-mathml", disableSave);
+    lockdownElement("context-viewsource", disableSave);
+    lockdownElement("context-viewframesource", disableSave);
+    lockdownElement("View:PageInfo", disableSave);
+    lockdownElement("context-viewinfo", disableSave);
+    lockdownElement("context-viewframeinfo", disableSave);
+    lockdownElement("Tasks:InspectPage", disableSave); // from DOMInspector extension
+  }
+
+  var disableBookmarks = gPrefService.getBoolPref("config.lockdown.hidebookmark");
+  var disableBookmarkEditing = gPrefService.getBoolPref("config.lockdown.bookmark");
+  if (!isStartup || disableBookmarks || disableBookmarkEditing) {
+    lockdownElement("bookmarks-menu", disableBookmarks, true);
+    lockdownElement("viewBookmarksSidebar", disableBookmarks);
+    lockdownElement("PersonalToolbar", disableBookmarks); // XXX check
+    lockdownElement("Browser:AddBookmarkAs", disableBookmarks || disableBookmarkEditing);
+    lockdownElement("manBookmark", disableBookmarks || disableBookmarkEditing);
+    lockdownElement("context-bookmarkpage", disableBookmarks || disableBookmarkEditing);
+    lockdownElement("context-bookmarklink", disableBookmarks || disableBookmarkEditing);
+
+    // hide the personal bookmarks toolbar if necessary
+    if (disableBookmarks) {
+      document.getElementById("PersonalToolbar").setAttribute("collapsed", "true");
+    }
+  }
+
+  var disableHistory = gPrefService.getBoolPref("config.lockdown.history");
+  if (!isStartup || disableHistory) {
+    lockdownElement("go-menu", disableHistory, true);
+    lockdownElement("viewHistorySidebar", disableHistory);
+    gURLBar.setAttribute("enablehistory", disableHistory ? "false" : "true");
+    gURLBar.disableAutoComplete = disableHistory;
+  }
+  
+  var defaultPrefs = Cc["@mozilla.org/preferences-service;1"]
+      .getService(Ci.nsIPrefService).getDefaultBranch(null);
+  if (isStartup && disableHistory) {
+    if (!defaultPrefs.prefIsLocked("browser.history_expire_days")) {
+      defaultPrefs.setIntPref("browser.history_expire_days", 0);
+      defaultPrefs.lockPref("browser.history_expire_days");
+    }
+    if (!defaultPrefs.prefIsLocked("browser.formfill.enable")) {
+      defaultPrefs.setBoolPref("browser.formfill.enable", false);
+      defaultPrefs.lockPref("browser.formfill.enable");
+    }
+    if (!defaultPrefs.prefIsLocked("browser.download.manager.retention")) {
+      defaultPrefs.setIntPref("browser.download.manager.retention", 0);
+      defaultPrefs.lockPref("browser.download.manager.retention");
+    }
+    gPrefService.setBoolPref("config.lockdown.history.set", true);
+  } else if (isStartup && gPrefService.prefHasUserValue("config.lockdown.history.set")) {
+    if (!defaultPrefs.prefIsLocked("browser.history_expire_days")) {
+      defaultPrefs.clearUserPref("browser.history_expire_days");
+    }
+    if (!defaultPrefs.prefIsLocked("browser.formfill.enable")) {
+      defaultPrefs.clearUserPref("browser.formfill.enable");
+    }
+    if (!defaultPrefs.prefIsLocked("browser.download.manager.retention")) {
+      defaultPrefs.clearUserPref("browser.download.manager.retention");
+    }
+    gPrefService.clearUserPref("config.lockdown.history.set");
+  }
+
+  var disableURLBar = gPrefService.getBoolPref("config.lockdown.urlbar");
+  if (!isStartup || disableURLBar) {
+    lockdownElement("urlbar", disableURLBar);
+    lockdownElement("Browser:OpenLocation", disableURLBar);
+    lockdownElement("Browser:OpenFile", disableURLBar);
+  }
+
+  var disableSearchBar = gPrefService.getBoolPref("config.lockdown.searchbar");
+  if (!isStartup || disableSearchBar) {
+    document.getElementById("search-container")
+      .setAttribute("style", (disableSearchBar) ? "display: none;" : "");
+  }
+
+  var disableToolbarEditing = gPrefService.getBoolPref("config.lockdown.toolbarediting");
+  if (!isStartup || disableToolbarEditing) {
+    var e = document.getElementById("cmd_CustomizeToolbars");
+    if (!e.getAttribute("inCustomization")) {
+      lockdownElement("cmd_CustomizeToolbars", disableToolbarEditing);
+    }
+  }
+
+  // Close sidebar if we disabled the command that's currently in use
+  var sidebarBox = document.getElementById("sidebar-box");
+  var cmd = sidebarBox.getAttribute("sidebarcommand");
+  if (cmd) {
+    var elt = document.getElementById(cmd);
+    if (elt && elt.getAttribute("disabled") == "true") {
+      toggleSidebar(cmd, false);
+      gMustLoadSidebar = false;
+    }
+  }
+}
+
+var lockdownObserver = {
+  observe: function(aSubject, aTopic, aPrefName)
+  {
+    try {
+      applyLockdown(false);
+    } catch (ex) {
+      dump("Failed lockdown: " + ex + "\n");
+    }
+  }
+};
+
+
+ function delayedStartup()
+ {
+   var os = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
+@@ -928,7 +1072,16 @@ function delayedStartup()
+ 
+   if (!gPrefService)
+     gPrefService = Components.classes["@mozilla.org/preferences-service;1"]
+-                             .getService(Components.interfaces.nsIPrefBranch2);
+                             .getService(Components.interfaces.nsIPrefBranchInternal);
+  try {
+    // do lockdown stuff in an exception handler so that if it fails
+    // catastrophically, the browser should still come up and function
+    applyLockdown(true);
+    gPrefService.addObserver("config.lockdown.", lockdownObserver, false);
+  } catch (ex) {
+    dump("Failed lockdown: " + ex + "\n");
+  }
+
+   BrowserOffline.init();
+   OfflineApps.init();
+ 
+@@ -940,8 +1093,8 @@ function delayedStartup()
+   Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
+ 
+   if (gMustLoadSidebar) {
+-    var sidebar = document.getElementById("sidebar");
+     var sidebarBox = document.getElementById("sidebar-box");
+    var sidebar = document.getElementById("sidebar");
+     sidebar.setAttribute("src", sidebarBox.getAttribute("src"));
+   }
+ 
+@@ -1134,6 +1287,8 @@ function BrowserShutdown()
+   os.removeObserver(gSessionHistoryObserver, "browser:purge-session-history");
+   os.removeObserver(gXPInstallObserver, "xpinstall-install-blocked");
+ 
+  gPrefService.removeObserver("config.lockdown.", lockdownObserver);
+
+   try {
+     gBrowser.removeProgressListener(window.XULBrowserWindow);
+   } catch (ex) {
+@@ -3222,6 +3377,7 @@ function BrowserCustomizeToolbar()
+ 
+   var cmd = document.getElementById("cmd_CustomizeToolbars");
+   cmd.setAttribute("disabled", "true");
+  cmd.setAttribute("inCustomization", "true");
+ 
+   var splitter = document.getElementById("urlbar-search-splitter");
+   if (splitter)
+@@ -3253,6 +3409,15 @@ function BrowserCustomizeToolbar()
+ #endif
+ }
+ 
+function BrowserRestoreCustomizationDisabledState()
+{
+  var cmd = document.getElementById("cmd_CustomizeToolbars");
+  if (!gPrefService.getBoolPref("config.lockdown.toolbarediting")) {
+    cmd.removeAttribute("disabled", "true");
+  }
+  cmd.removeAttribute("inCustomization");
+}
+
+ function BrowserToolboxCustomizeDone(aToolboxChanged)
+ {
+ #ifdef TOOLBAR_CUSTOMIZATION_SHEET
+@@ -3302,8 +3467,7 @@ function BrowserToolboxCustomizeDone(aToolboxChanged)
+   var menubar = document.getElementById("main-menubar");
+   for (var i = 0; i < menubar.childNodes.length; ++i)
+     menubar.childNodes[i].setAttribute("disabled", false);
+-  var cmd = document.getElementById("cmd_CustomizeToolbars");
+-  cmd.removeAttribute("disabled");
+  BrowserRestoreCustomizationDisabledState();
+ 
+   // XXXmano bug 287105: wallpaper to bug 309953,
+   // the reload button isn't in sync with the reload command.
+@@ -4481,6 +4645,9 @@ function onViewToolbarsPopupShowing(aEvent)
+       menuItem.setAttribute("toolbarindex", i);
+       menuItem.setAttribute("type", "checkbox");
+       menuItem.setAttribute("label", toolbarName);
+      if (toolbar.getAttribute("disabled") == "true") {
+        menuItem.setAttribute("disabled", "true");
+      }
+       menuItem.setAttribute("accesskey", toolbar.getAttribute("accesskey"));
+       menuItem.setAttribute("checked", toolbar.getAttribute("collapsed") != "true");
+       popup.insertBefore(menuItem, firstMenuItem);
+@@ -6353,7 +6520,7 @@ BookmarkAllTabsHandler.prototype = {
+     if (aTabClose)
+       numTabs--;
+ 
+-    if (numTabs > 1)
+    if (numTabs > 1 && !gPrefService.getBoolPref("config.lockdown.bookmark"))
+       this._command.removeAttribute("disabled");
+     else
+       this._command.setAttribute("disabled", "true");
+diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js
+index cd27953..f460ccf 100644
+--- a/mozilla/modules/libpref/src/init/all.js
+++ b/mozilla/modules/libpref/src/init/all.js
+@@ -1072,6 +1072,21 @@ pref("config.use_system_prefs", false);
+ // if the system has enabled accessibility
+ pref("config.use_system_prefs.accessibility", false);
+ 
+// UI lockdown settings
+pref("config.lockdown.printing", false);
+pref("config.lockdown.printsetup", false);
+pref("config.lockdown.savepage", false);
+pref("config.lockdown.history",false);
+pref("config.lockdown.toolbarediting",false);
+pref("config.lockdown.urlbar",false);
+pref("config.lockdown.bookmark",false);
+pref("config.lockdown.disable_themes",false);
+pref("config.lockdown.disable_extensions",false);
+pref("config.lockdown.searchbar",false);
+pref("config.lockdown.hidebookmark",false);
+pref("config.lockdown.setwallpaper",false);
+pref("config.lockdown.showsavedpasswords", false);
+
+ /*
+  * What are the entities that you want Mozilla to save using mnemonic
+  * names rather than numeric codes? E.g. If set, we'll output &nbsp;
+diff --git a/mozilla/toolkit/components/printing/content/printdialog.js b/mozilla/toolkit/components/printing/content/printdialog.js
+index 3e674af..50e99c0 100644
+--- a/mozilla/toolkit/components/printing/content/printdialog.js
+++ b/mozilla/toolkit/components/printing/content/printdialog.js
+@@ -50,6 +50,7 @@ var gPrintSettings     = null;
+ var gWebBrowserPrint   = null;
+ var gPrintSetInterface = Components.interfaces.nsIPrintSettings;
+ var doDebug            = false;
+var gPrefService       = null;
+ 
+ //---------------------------------------------------
+ function initDialog()
+@@ -87,11 +88,23 @@ function initDialog()
+   dialog.fpDialog        = document.getElementById("fpDialog");
+ 
+   dialog.enabled         = false;
+
+  gPrefService = Components.classes["@mozilla.org/preferences-service;1"]
+      .getService(Components.interfaces.nsIPrefService).getBranch(null);
+  if (gPrefService.getBoolPref("config.lockdown.savepage")) {
+    dialog.fileCheck.setAttribute("disabled", "true");
+  }
+  if (gPrefService.getBoolPref("config.lockdown.printing")) {
+    dialog.printButton.setAttribute("disabled", "true");
+  }
+ }
+ 
+ //---------------------------------------------------
+ function checkInteger(element)
+ {
+  if (gPrefService.getBoolPref("config.lockdown.printing"))
+    return;
+
+   var value = element.value;
+   if (value && value.length > 0) {
+     value = value.replace(/[^0-9]/g,"");
--- a/gecko-lockdown.patch
+++ b/gecko-lockdown.patch
@ -0,0 +1,341 @@
+diff --git a/mozilla/extensions/cookie/nsCookiePermission.cpp b/mozilla/extensions/cookie/nsCookiePermission.cpp
+index 0f8a64f..985d27a 100644
+--- a/mozilla/extensions/cookie/nsCookiePermission.cpp
+++ b/mozilla/extensions/cookie/nsCookiePermission.cpp
+@@ -85,6 +85,7 @@ static const char kCookiesPrefsMigrated[] = "network.cookie.prefsMigrated";
+ // obsolete pref names for migration
+ static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled";
+ static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior";
+static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions";
+ static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies";
+ 
+ static const char kPermissionType[] = "cookie";
+@@ -123,6 +124,7 @@ nsCookiePermission::Init()
+     prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE);
+     prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE);
+     prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE);
+    prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE);
+ #ifdef MOZ_MAIL_NEWS
+     prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE);
+ #endif
+@@ -179,6 +181,10 @@ nsCookiePermission::PrefChanged(nsIPrefBranch *aPrefBranch,
+   if (PREF_CHANGED(kCookiesAlwaysAcceptSession) &&
+       NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val)))
+     mCookiesAlwaysAcceptSession = val;
+    
+  if (PREF_CHANGED(kCookiesHonorExceptions) &&
+      NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val)))
+    mCookiesHonorExceptions = val;
+ 
+ #ifdef MOZ_MAIL_NEWS
+   if (PREF_CHANGED(kCookiesDisabledForMailNews) &&
+@@ -244,6 +250,11 @@ nsCookiePermission::CanAccess(nsIURI         *aURI,
+ #endif // MOZ_MAIL_NEWS
+   
+   // finally, check with permission manager...
+  if (!mCookiesHonorExceptions) {
+    *aResult = ACCESS_DEFAULT;
+    return NS_OK;
+  }
+  
+   nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult);
+   if (NS_SUCCEEDED(rv)) {
+     switch (*aResult) {
+diff --git a/mozilla/extensions/cookie/nsCookiePermission.h b/mozilla/extensions/cookie/nsCookiePermission.h
+index 2be46ba..753b731 100644
+--- a/mozilla/extensions/cookie/nsCookiePermission.h
+++ b/mozilla/extensions/cookie/nsCookiePermission.h
+@@ -57,10 +57,11 @@ public:
+   nsCookiePermission() 
+     : mCookiesLifetimeSec(LL_MAXINT)
+     , mCookiesLifetimePolicy(0) // ACCEPT_NORMALLY
+-    , mCookiesAlwaysAcceptSession(PR_FALSE)
+    , mCookiesAlwaysAcceptSession(PR_FALSE),
+ #ifdef MOZ_MAIL_NEWS
+-    , mCookiesDisabledForMailNews(PR_TRUE)
+    , mCookiesDisabledForMailNews(PR_TRUE),
+ #endif
+      mCookiesHonorExceptions(PR_TRUE)
+     {}
+   virtual ~nsCookiePermission() {}
+ 
+@@ -76,7 +77,7 @@ private:
+ #ifdef MOZ_MAIL_NEWS
+   PRPackedBool mCookiesDisabledForMailNews;
+ #endif
+-
+  PRPackedBool mCookiesHonorExceptions;
+ };
+ 
+ // {EF565D0A-AB9A-4A13-9160-0644CDFD859A}
+diff --git a/mozilla/extensions/permissions/nsContentBlocker.cpp b/mozilla/extensions/permissions/nsContentBlocker.cpp
+index d9b5ad4..c7a0e28 100644
+--- a/mozilla/extensions/permissions/nsContentBlocker.cpp
+++ b/mozilla/extensions/permissions/nsContentBlocker.cpp
+@@ -76,6 +76,7 @@ NS_IMPL_ISUPPORTS3(nsContentBlocker,
+ nsContentBlocker::nsContentBlocker()
+ {
+   memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES);
+  memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES);
+ }
+ 
+ nsresult
+@@ -92,6 +93,11 @@ nsContentBlocker::Init()
+   rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch));
+   NS_ENSURE_SUCCESS(rv, rv);
+ 
+  nsCOMPtr<nsIPrefBranch> honorExceptionsPrefBranch;
+  rv = prefService->GetBranch("permissions.honorExceptions.",
+                              getter_AddRefs(honorExceptionsPrefBranch));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+   // Migrate old image blocker pref
+   nsCOMPtr<nsIPrefBranch> oldPrefBranch;
+   oldPrefBranch = do_QueryInterface(prefService);
+@@ -121,8 +127,15 @@ nsContentBlocker::Init()
+   mPrefBranchInternal = do_QueryInterface(prefBranch, &rv);
+   NS_ENSURE_SUCCESS(rv, rv);
+ 
+  mHonorExceptionsPrefBranchInternal =
+    do_QueryInterface(honorExceptionsPrefBranch, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+   rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE);
+-  PrefChanged(prefBranch, nsnull);
+  NS_ENSURE_SUCCESS(rv, rv);
+  
+  rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE);
+  PrefChanged(nsnull);
+ 
+   return rv;
+ }
+@@ -131,19 +144,22 @@ nsContentBlocker::Init()
+ #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default))
+ 
+ void
+-nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch,
+-                              const char    *aPref)
+nsContentBlocker::PrefChanged(const char *aPref)
+ {
+-  PRInt32 val;
+-
+-#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P))
+-
+-  for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
+-    if (PREF_CHANGED(kTypeString[i]) &&
+-        NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val)))
+-      mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+  for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
+    if (!aPref || !strcmp(kTypeString[i], aPref)) {
+      PRInt32 val;
+      PRBool b;
+      if (mPrefBranchInternal &&
+          NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) {
+        mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
+      }
+      if (mHonorExceptionsPrefBranchInternal &&
+          NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) {
+        mHonorExceptions[i] = b;
+      }
+    }
+   }
+-
+ }
+ 
+ // nsIContentPolicy Implementation
+@@ -268,11 +284,13 @@ nsContentBlocker::TestPermission(nsIURI *aCurrentURI,
+   // default prefs.
+   // Don't forget the aContentType ranges from 1..8, while the
+   // array is indexed 0..7
+-  PRUint32 permission;
+-  nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
+-                                                   kTypeString[aContentType - 1],
+-                                                   &permission);
+-  NS_ENSURE_SUCCESS(rv, rv);
+  PRUint32 permission = 0;
+  if (mHonorExceptions[aContentType - 1]) {
+    nsresult rv = mPermissionManager->TestPermission(aCurrentURI, 
+                                                     kTypeString[aContentType - 1],
+                                                     &permission);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+ 
+   // If there is nothing on the list, use the default.
+   if (!permission) {
+@@ -298,7 +316,7 @@ nsContentBlocker::TestPermission(nsIURI *aCurrentURI,
+       return NS_OK;
+ 
+     PRBool trustedSource = PR_FALSE;
+-    rv = aFirstURI->SchemeIs("chrome", &trustedSource);
+    nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource);
+     NS_ENSURE_SUCCESS(rv,rv);
+     if (!trustedSource) {
+       rv = aFirstURI->SchemeIs("resource", &trustedSource);
+@@ -363,8 +381,6 @@ nsContentBlocker::Observe(nsISupports     *aSubject,
+ {
+   NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic),
+                "unexpected topic - we only deal with pref changes!");
+-
+-  if (mPrefBranchInternal)
+-    PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get());
+  PrefChanged(NS_LossyConvertUTF16toASCII(aData).get());
+   return NS_OK;
+ }
+diff --git a/mozilla/extensions/permissions/nsContentBlocker.h b/mozilla/extensions/permissions/nsContentBlocker.h
+index d48eeb5..07779ff 100644
+--- a/mozilla/extensions/permissions/nsContentBlocker.h
+++ b/mozilla/extensions/permissions/nsContentBlocker.h
+@@ -66,7 +66,7 @@ public:
+ private:
+   ~nsContentBlocker() {}
+ 
+-  void PrefChanged(nsIPrefBranch *, const char *);
+  void PrefChanged(const char *);
+   nsresult TestPermission(nsIURI *aCurrentURI,
+                           nsIURI *aFirstURI,
+                           PRInt32 aContentType,
+@@ -75,7 +75,9 @@ private:
+ 
+   nsCOMPtr<nsIPermissionManager> mPermissionManager;
+   nsCOMPtr<nsIPrefBranch2> mPrefBranchInternal;
+  nsCOMPtr<nsIPrefBranch2> mHonorExceptionsPrefBranchInternal;
+   PRUint8 mBehaviorPref[NUMBER_OF_TYPES];
+  PRPackedBool mHonorExceptions[NUMBER_OF_TYPES];
+ };
+ 
+ #define NS_CONTENTBLOCKER_CID \
+diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js
+index cd27953..f200124 100644
+--- a/mozilla/modules/libpref/src/init/all.js
+++ b/mozilla/modules/libpref/src/init/all.js
+@@ -785,6 +785,7 @@ pref("network.ntlm.send-lm-response", false);
+ pref("network.hosts.nntp_server",           "news.mozilla.org");
+ 
+ pref("permissions.default.image",           1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
+pref("permissions.honorExceptions.image",   true);
+ 
+ #ifndef XP_MACOSX
+ #ifdef XP_UNIX
+@@ -812,6 +813,7 @@ pref("network.proxy.no_proxies_on",         "localhost, 127.0.0.1");
+ pref("network.proxy.failover_timeout",      1800); // 30 minutes
+ pref("network.online",                      true); //online/offline
+ pref("network.cookie.cookieBehavior",       0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
+pref("network.cookie.honorExceptions",      true);
+ pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail
+ pref("network.cookie.lifetimePolicy",       0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays
+ pref("network.cookie.alwaysAcceptSessionCookies", false);
+diff --git a/mozilla/netwerk/base/src/nsIOService.cpp b/mozilla/netwerk/base/src/nsIOService.cpp
+index 0329c10..c0e49ca 100644
+--- a/mozilla/netwerk/base/src/nsIOService.cpp
+++ b/mozilla/netwerk/base/src/nsIOService.cpp
+@@ -379,6 +379,16 @@ nsIOService::GetProtocolHandler(const char* scheme, nsIProtocolHandler* *result)
+     nsCOMPtr<nsIPrefBranch2> prefBranch;
+     GetPrefBranch(getter_AddRefs(prefBranch));
+     if (prefBranch) {
+        nsCAutoString protocolBlockedPref("network.protocol-handler.blocked.");
+        protocolBlockedPref += scheme;
+        PRBool blockedProtocol = PR_FALSE;
+        rv = prefBranch->GetBoolPref(protocolBlockedPref.get(), &blockedProtocol);
+        if (NS_FAILED(rv)) {
+            rv = prefBranch->GetBoolPref("network.protocol-handler.blocked-default", &blockedProtocol);
+        }
+        if (NS_SUCCEEDED(rv) && blockedProtocol)
+            return NS_ERROR_UNKNOWN_PROTOCOL;
+        
+         nsCAutoString externalProtocolPref("network.protocol-handler.external.");
+         externalProtocolPref += scheme;
+         rv = prefBranch->GetBoolPref(externalProtocolPref.get(), &externalProtocol);
+diff --git a/mozilla/widget/src/gtk2/nsWindow.cpp b/mozilla/widget/src/gtk2/nsWindow.cpp
+index 9e0d187..b628f20 100644
+--- a/mozilla/widget/src/gtk2/nsWindow.cpp
+++ b/mozilla/widget/src/gtk2/nsWindow.cpp
+@@ -75,6 +75,7 @@
+ #include "nsIServiceManager.h"
+ #include "nsIStringBundle.h"
+ #include "nsGfxCIID.h"
+#include "nsIPrefService.h"
+ 
+ #ifdef ACCESSIBILITY
+ #include "nsIAccessibleRole.h"
+@@ -86,7 +87,6 @@
+ static PRBool sAccessibilityChecked = PR_FALSE;
+ /* static */
+ PRBool nsWindow::sAccessibilityEnabled = PR_FALSE;
+-static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1";
+ static const char sAccEnv [] = "GNOME_ACCESSIBILITY";
+ static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility";
+ #endif
+@@ -3383,18 +3383,18 @@ nsWindow::NativeCreate(nsIWidget        *aParent,
+             sAccessibilityEnabled = atoi(envValue);
+             LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue));
+         }
+-        //check gconf-2 setting
+        //check preference setting
+         else {
+-            nsCOMPtr<nsIPrefBranch> sysPrefService =
+-                do_GetService(sSysPrefService, &rv);
+-            if (NS_SUCCEEDED(rv) && sysPrefService) {
+-
+-                // do the work to get gconf setting.
+-                // will be done soon later.
+-                sysPrefService->GetBoolPref(sAccessibilityKey,
+            nsCOMPtr<nsIPrefService> prefService = 
+               do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+            if (NS_SUCCEEDED(rv) && prefService) {
+                nsCOMPtr<nsIPrefBranch> prefBranch;
+                rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch));
+                if (NS_SUCCEEDED(rv) && prefBranch) {
+                    prefBranch->GetBoolPref(sAccessibilityKey,
+                                             &sAccessibilityEnabled);
+                }
+             }
+-
+         }
+     }
+     if (sAccessibilityEnabled) {
+diff --git a/mozilla/xpinstall/src/nsXPInstallManager.cpp b/mozilla/xpinstall/src/nsXPInstallManager.cpp
+index 35a2e82..6765c8e 100644
+--- a/mozilla/xpinstall/src/nsXPInstallManager.cpp
+++ b/mozilla/xpinstall/src/nsXPInstallManager.cpp
+@@ -290,6 +290,7 @@ nsXPInstallManager::InitManagerInternal()
+         //-----------------------------------------------------
+         // Get permission to install
+         //-----------------------------------------------------
+        nsCOMPtr<nsIPrefBranch> pref(do_GetService(NS_PREFSERVICE_CONTRACTID));
+ 
+ #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
+         if ( mChromeType == CHROME_SKIN )
+@@ -299,17 +300,26 @@ nsXPInstallManager::InitManagerInternal()
+ 
+             // skins get a simpler/friendlier dialog
+             // XXX currently not embeddable
+-            OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList );
+            PRBool themesDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled);
+            OKtoInstall = !themesDisabled &&
+               ConfirmChromeInstall( mParentWindow, packageList );
+         }
+         else
+         {
+ #endif
+-            rv = dlgSvc->ConfirmInstall( mParentWindow,
+-                                         packageList,
+-                                         numStrings,
+-                                         &OKtoInstall );
+-            if (NS_FAILED(rv))
+-                OKtoInstall = PR_FALSE;
+            PRBool extensionsDisabled = PR_FALSE;
+            if (pref)
+                pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled);
+            if (!extensionsDisabled) {
+                rv = dlgSvc->ConfirmInstall( mParentWindow,
+                                             packageList,
+                                             numStrings,
+                                             &OKtoInstall );
+                if (NS_FAILED(rv))
+                    OKtoInstall = PR_FALSE;
+            }
+ #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
+         }
+ #endif