diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes
index f0b1edf..4099d1f 100644
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
+
+- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
+ * Lockdown: FATE#302023, FATE#302024
+
-------------------------------------------------------------------
Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz
diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec
index 24e3a60..76b54a1 100644
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@@ -27,7 +27,7 @@ License: GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL
Provides: web_browser
Provides: firefox
Version: 3.0.3
-Release: 2
+Release: 3
Summary: Mozilla Firefox Web Browser
Url: http://www.mozilla.org/
Group: Productivity/Networking/Web/Browsers
@@ -46,6 +46,10 @@ Patch1: firefox-libxul-sdk.patch
Patch2: firefox-no-update.patch
Patch14: credits.patch
Patch17: firefox-appname.patch
+# PATCH-FEATURE-SLED firefox-ui-lockdown.patch FATE#302023, FATE#302024 - hfiguiere@novell.com
+Patch20: firefox-ui-lockdown.patch
+# PATCH-FEATURE-SLED gecko-lockdown.patch FATE#302023, FATE#302024 - hfiguiere@novell.com
+Patch21: gecko-lockdown.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: coreutils /bin/sh gconf2 shared-mime-info desktop-file-utils
Requires: mozilla-xulrunner190 >= %(rpm -q --queryformat '%{VERSION}-%{RELEASE}' mozilla-xulrunner190)
@@ -54,7 +58,7 @@ Requires: %{name}-branding >= 3.0
%define _use_internal_dependency_generator 0
%define __find_requires sh %{SOURCE4}
%define __find_provides %{nil}
-%define releasedate 2008092700
+%define releasedate 2008092701
%define progname firefox
%define progdir %{_prefix}/%_lib/%{progname}
%if %suse_version > 1020
@@ -136,6 +140,8 @@ cd $RPM_BUILD_DIR/mozilla
%patch2
%patch14
%patch17
+%patch20 -p2
+%patch21 -p2
%build
export MOZ_BUILD_DATE=%{releasedate}
@@ -161,7 +167,7 @@ ac_add_options --with-libxul-sdk=$SDKDIR
ac_add_options --with-system-jpeg
#ac_add_options --with-system-png # doesn't work because of missing APNG support
ac_add_options --with-system-zlib
-#ac_add_options --enable-gconf # not ported yet
+ac_add_options --enable-gconf # not ported yet
ac_add_options --disable-installer
ac_add_options --disable-tests
ac_add_options --disable-debug
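Review bot: The re-enabled `ac_add_options --enable-gconf` line still carries the trailing comment `# not ported yet`, which now contradicts the option being active. Either drop the comment or replace it with the reason the option is turned on, for example `ac_add_options --enable-gconf # presumably required by the lockdown patches (FATE#302023) - confirm`. If the port really is incomplete, the changelog entry should say so, because the lockdown settings would then presumably rest on an unfinished backend.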
@@ -363,6 +369,9 @@ fi
%{progdir}/defaults/preferences/firefox-build.js
%changelog
+* Thu Oct 23 2008 hfiguiere@suse.de
+- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
+ * Lockdown: FATE#302023, FATE#302024
* Mon Oct 06 2008 sbrabec@suse.cz
- Conflict with other branding providers (FATE#304881).
* Mon Sep 29 2008 maw@suse.de
@@ -385,7 +394,7 @@ fi
- brought man-page up to date for the firefox stub
(removing firefox-bin reference)
- en-US locale not longer packaged in translations subpackage
-* Sat Aug 16 2008 maw@novell.com
+* Fri Aug 15 2008 maw@novell.com
- Review and approve changes.
* Mon Aug 04 2008 wr@rosenauer.org
- Tweak branding split
@@ -416,9 +425,9 @@ fi
- network.protocol-handler.app.* prefs are no longer supported;
remove references to them from firefox-suse-default-prefs.js
(bnc#383697).
-* Thu Apr 03 2008 maw@suse.de
+* Wed Apr 02 2008 maw@suse.de
- Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang).
-* Wed Mar 26 2008 maw@suse.de
+* Tue Mar 25 2008 maw@suse.de
- Merge changes from the build service (thanks, Wolfgang)
- Update to the fourth Firefox 3.0 Beta (2.9.94):
+ Based upon the Gecko 1.9 Web rendering platform, which improves
@@ -528,7 +537,7 @@ fi
- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
* Fri Dec 21 2007 maw@suse.de
- Add firefox-348446-empty-lists.patch (bnc#348446).
-* Wed Dec 05 2007 maw@suse.de
+* Tue Dec 04 2007 maw@suse.de
- Respin proxy-dev.patch (bnc#340678) -- thanks, Anders!
* Tue Nov 27 2007 maw@suse.de
- Security update to version 2.0.0.10 (#341905, #341591):
@@ -543,7 +552,7 @@ fi
- Build with -ftree-vrp -fwrapv, per advice in #342603#c17.
* Tue Nov 13 2007 maw@suse.de
- Add firefox-gcc4.3-fixes.patch.
-* Fri Oct 19 2007 maw@suse.de
+* Thu Oct 18 2007 maw@suse.de
- Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang)
* MFSA 2007-29 Crashes with evidence of memory corruption
* MFSA 2007-30 onUnload Tailgating
@@ -556,7 +565,7 @@ fi
http://www.mozilla.org/projects/security/known-vulnerabilities.html
* Sun Sep 23 2007 maw@suse.de
- Don't explicitly require libaoss.so (#326751).
-* Sat Sep 15 2007 maw@suse.de
+* Fri Sep 14 2007 maw@suse.de
- Update the Novell Support search plugin in search-addons.tar.bz2
(#297261)
- Set the browser.tabs.loadFolderAndReplace preference to false
@@ -566,7 +575,7 @@ fi
* Thu Sep 06 2007 maw@suse.de
- Add http://software.opensuse.org/search?baseproject=openSUSE:10.3
to the default bookmarks (#308223).
-* Tue Sep 04 2007 ro@suse.de
+* Mon Sep 03 2007 ro@suse.de
- move last change a bit further in specfile
* Fri Aug 31 2007 maw@suse.de
- Mark a .png file as nonexecutable.
@@ -620,7 +629,7 @@ fi
- Use mozilla.sh.in from the build service (#230681).
* Tue Jun 05 2007 sbrabec@suse.cz
- Removed invalid desktop category "Application" (#254654).
-* Tue Jun 05 2007 maw@suse.de
+* Mon Jun 04 2007 maw@suse.de
- Security update to version 2.0.0.4
- Refresh configure.patch, startup.patch, and visibility.patch
- Now use l10n-%%{version}.tar.bz2 instead of l10n.tar.bz2.
@@ -632,7 +641,7 @@ fi
U+3099 U+309A (see bugzilla #262718 comment #29).
* Mon Mar 12 2007 maw@suse.de
- Package gconf stuff.
-* Thu Feb 22 2007 maw@suse.de
+* Wed Feb 21 2007 maw@suse.de
- Security update to 2.0.0.2 (#244923), which covers:
+ mfsa2007-01
* CVE-2007-0775 - layout engine crashes
@@ -670,7 +679,7 @@ fi
- readd MozillaFirebird provides (was incorrect in removing it).
* Mon Jan 08 2007 meissner@suse.de
- Do not provide MozillaFirebird, just obsolete it.
-* Fri Dec 01 2006 maw@suse.de
+* Thu Nov 30 2006 maw@suse.de
- Update gecko-lockdown.patch (#220616).
* Thu Nov 30 2006 maw@suse.de
- Update firefox-suse-default-prefs.js, adding
@@ -748,7 +757,7 @@ fi
* Thu Jun 29 2006 stark@suse.de
- fixed printing crash if the last used printer is not available
anymore (#187013)
-* Sat Jun 17 2006 stark@suse.de
+* Fri Jun 16 2006 stark@suse.de
- added 48x48 icon (#185777)
* Mon Jun 12 2006 stark@suse.de
- fix overwrite confirmation for GTK filesaver (#179531)
@@ -925,7 +934,7 @@ fi
- unlocalize bookmarks (#114279)
* Thu Sep 08 2005 stark@suse.de
- fixed some filemodes (#114849)
-* Sun Sep 04 2005 stark@suse.de
+* Sat Sep 03 2005 stark@suse.de
- fixed gconf-backend patch to be able to use
system prefs (#114054)
* Thu Sep 01 2005 stark@suse.de
@@ -1025,13 +1034,13 @@ fi
* Sat Apr 23 2005 stark@suse.de
- activate usage of system NSPR for distributions after 9.3
- add patch to be able to use systen NSPR at all
-* Fri Apr 22 2005 ro@suse.de
+* Thu Apr 21 2005 ro@suse.de
- use mozilla-gcc4.patch
* Thu Apr 21 2005 stark@suse.de
- don't execute gconf magic within build environment
* Sat Apr 16 2005 stark@suse.de
- update to final 1.0.3 release
-* Fri Apr 15 2005 ro@suse.de
+* Thu Apr 14 2005 ro@suse.de
- fix problem in postinstall script
* Thu Apr 14 2005 stark@suse.de
- included fixed lockdown patch for NLD
@@ -1176,13 +1185,13 @@ fi
* Fri Oct 15 2004 stark@suse.de
- inherit locale from system
- fixed chrome registration
-* Thu Oct 07 2004 joeshaw@suse.de
+* Wed Oct 06 2004 joeshaw@suse.de
- disable gconf settings as default (Ximian #67718)
* Wed Oct 06 2004 stark@suse.de
- fixed inclusion of RealPlayer plugin again
* Tue Oct 05 2004 stark@suse.de
- small important fix in firefox-download.patch (Ximian #65472)
-* Sun Oct 03 2004 stark@suse.de
+* Sat Oct 02 2004 stark@suse.de
- added security-fix from 0.10.1 (mozilla.org #259708) (#46687)
* Fri Oct 01 2004 stark@suse.de
- final fix for downloading to Desktop folder (Ximian #65756)
@@ -1215,7 +1224,7 @@ fi
- throbber linked to Novell (Ximian #66283) by rganesan@novell.com
- make industrial the default theme for NLD
(Ximian #65542) by joeshaw@suse.de
-* Tue Sep 21 2004 joeshaw@suse.de
+* Mon Sep 20 2004 joeshaw@suse.de
- Add default bookmarks. Ximian #65546.
- Add the industrial theme, but it's not the default yet.
- Remove acroread from add-plugins because it's badly behaved.
@@ -1245,7 +1254,7 @@ fi
- update to 1.0PR (aka 0.10)
* Fri Sep 03 2004 stark@suse.de
- added ppc64 patch
-* Thu Sep 02 2004 dave@suse.de
+* Wed Sep 01 2004 dave@suse.de
- Fixed up the .desktop installation on nld
* Wed Sep 01 2004 shprasad@suse.de
- Doesn't ask to set Firefox as default web-browser.
@@ -1328,7 +1337,7 @@ fi
- build as user
* Fri Aug 22 2003 stark@suse.de
- upstream sync for 0.6.1post
-* Mon Aug 11 2003 stark@suse.de
+* Sun Aug 10 2003 stark@suse.de
- removed dmoz from searchplugins-filelist
* Fri Aug 08 2003 stark@suse.de
- update to 0.6.1post (TRUNK)
diff --git a/firefox-ui-lockdown.patch b/firefox-ui-lockdown.patch
new file mode 100644
index 0000000..cf520db
--- /dev/null
+++ b/firefox-ui-lockdown.patch
@@ -0,0 +1,323 @@
+diff --git a/mozilla/browser/base/content/browser-menubar.inc b/mozilla/browser/base/content/browser-menubar.inc
+index 07795f1..c035302 100644
+--- a/mozilla/browser/base/content/browser-menubar.inc
++++ b/mozilla/browser/base/content/browser-menubar.inc
+@@ -68,9 +68,9 @@
+
+
+
+-
++
+ #ifndef XP_MACOSX
+-
++
+ #endif
+
+
+diff --git a/mozilla/browser/base/content/browser.js b/mozilla/browser/base/content/browser.js
+index 288becb..249d282 100644
+--- a/mozilla/browser/base/content/browser.js
++++ b/mozilla/browser/base/content/browser.js
+@@ -920,6 +920,150 @@ function prepareForStartup()
+ gBrowser.addEventListener("DOMLinkAdded", DOMLinkHandler, false);
+ }
+
++function lockdownElement(ident, disable, hideCompletely)
++{
++ var e = document.getElementById(ident);
++ if (!e) return;
++ if (hideCompletely) {
++ e.setAttribute("style", (disable) ? "display: none;" : "");
++ } else if (disable) {
++ e.setAttribute("disabled", "true");
++ } else {
++ e.removeAttribute("disabled");
++ }
++}
++
++function applyLockdown(isStartup)
++{
++ // It is important to check that Firefox code does not change the
++ // "disabled" state of these UI elements. Fortunately it mostly hides
++ // elements rather than disables them.
++ var disablePrinting = gPrefService.getBoolPref("config.lockdown.printing");
++ var disablePrintSetup = gPrefService.getBoolPref("config.lockdown.printsetup");
++ if (!isStartup || disablePrintSetup || disablePrintSetup) {
++ lockdownElement("menu_printSetup", disablePrinting || disablePrintSetup);
++ lockdownElement("menu_printPreview", disablePrinting || disablePrintSetup);
++ lockdownElement("cmd_print", disablePrinting);
++ }
++
++ var disableSave = gPrefService.getBoolPref("config.lockdown.savepage");
++ if (!isStartup || disableSave) {
++ lockdownElement("Browser:SavePage", disableSave);
++ lockdownElement("Browser:SaveFrame", disableSave);
++ lockdownElement("context-savepage", disableSave);
++ lockdownElement("context-saveframe", disableSave);
++ lockdownElement("context-savelink", disableSave);
++ lockdownElement("context-saveimage", disableSave);
++ lockdownElement("View:PageSource", disableSave);
++ lockdownElement("context-viewpartialsource-selection", disableSave);
++ lockdownElement("context-viewpartialsource-mathml", disableSave);
++ lockdownElement("context-viewsource", disableSave);
++ lockdownElement("context-viewframesource", disableSave);
++ lockdownElement("View:PageInfo", disableSave);
++ lockdownElement("context-viewinfo", disableSave);
++ lockdownElement("context-viewframeinfo", disableSave);
++ lockdownElement("Tasks:InspectPage", disableSave); // from DOMInspector extension
++ }
++
++ var disableBookmarks = gPrefService.getBoolPref("config.lockdown.hidebookmark");
++ var disableBookmarkEditing = gPrefService.getBoolPref("config.lockdown.bookmark");
++ if (!isStartup || disableBookmarks || disableBookmarkEditing) {
++ lockdownElement("bookmarks-menu", disableBookmarks, true);
++ lockdownElement("viewBookmarksSidebar", disableBookmarks);
++ lockdownElement("PersonalToolbar", disableBookmarks); // XXX check
++ lockdownElement("Browser:AddBookmarkAs", disableBookmarks || disableBookmarkEditing);
++ lockdownElement("manBookmark", disableBookmarks || disableBookmarkEditing);
++ lockdownElement("context-bookmarkpage", disableBookmarks || disableBookmarkEditing);
++ lockdownElement("context-bookmarklink", disableBookmarks || disableBookmarkEditing);
++
++ // hide the personal bookmarks toolbar if necessary
++ if (disableBookmarks) {
++ document.getElementById("PersonalToolbar").setAttribute("collapsed", "true");
++ }
++ }
++
++ var disableHistory = gPrefService.getBoolPref("config.lockdown.history");
++ if (!isStartup || disableHistory) {
++ lockdownElement("go-menu", disableHistory, true);
++ lockdownElement("viewHistorySidebar", disableHistory);
++ gURLBar.setAttribute("enablehistory", disableHistory ? "false" : "true");
++ gURLBar.disableAutoComplete = disableHistory;
++ }
++
++ var defaultPrefs = Cc["@mozilla.org/preferences-service;1"]
++ .getService(Ci.nsIPrefService).getDefaultBranch(null);
++ if (isStartup && disableHistory) {
++ if (!defaultPrefs.prefIsLocked("browser.history_expire_days")) {
++ defaultPrefs.setIntPref("browser.history_expire_days", 0);
++ defaultPrefs.lockPref("browser.history_expire_days");
++ }
++ if (!defaultPrefs.prefIsLocked("browser.formfill.enable")) {
++ defaultPrefs.setBoolPref("browser.formfill.enable", false);
++ defaultPrefs.lockPref("browser.formfill.enable");
++ }
++ if (!defaultPrefs.prefIsLocked("browser.download.manager.retention")) {
++ defaultPrefs.setIntPref("browser.download.manager.retention", 0);
++ defaultPrefs.lockPref("browser.download.manager.retention");
++ }
++ gPrefService.setBoolPref("config.lockdown.history.set", true);
++ } else if (isStartup && gPrefService.prefHasUserValue("config.lockdown.history.set")) {
++ if (!defaultPrefs.prefIsLocked("browser.history_expire_days")) {
++ defaultPrefs.clearUserPref("browser.history_expire_days");
++ }
++ if (!defaultPrefs.prefIsLocked("browser.formfill.enable")) {
++ defaultPrefs.clearUserPref("browser.formfill.enable");
++ }
++ if (!defaultPrefs.prefIsLocked("browser.download.manager.retention")) {
++ defaultPrefs.clearUserPref("browser.download.manager.retention");
++ }
++ gPrefService.clearUserPref("config.lockdown.history.set");
++ }
++
++ var disableURLBar = gPrefService.getBoolPref("config.lockdown.urlbar");
++ if (!isStartup || disableURLBar) {
++ lockdownElement("urlbar", disableURLBar);
++ lockdownElement("Browser:OpenLocation", disableURLBar);
++ lockdownElement("Browser:OpenFile", disableURLBar);
++ }
++
++ var disableSearchBar = gPrefService.getBoolPref("config.lockdown.searchbar");
++ if (!isStartup || disableSearchBar) {
++ document.getElementById("search-container")
++ .setAttribute("style", (disableSearchBar) ? "display: none;" : "");
++ }
++
++ var disableToolbarEditing = gPrefService.getBoolPref("config.lockdown.toolbarediting");
++ if (!isStartup || disableToolbarEditing) {
++ var e = document.getElementById("cmd_CustomizeToolbars");
++ if (!e.getAttribute("inCustomization")) {
++ lockdownElement("cmd_CustomizeToolbars", disableToolbarEditing);
++ }
++ }
++
++ // Close sidebar if we disabled the command that's currently in use
++ var sidebarBox = document.getElementById("sidebar-box");
++ var cmd = sidebarBox.getAttribute("sidebarcommand");
++ if (cmd) {
++ var elt = document.getElementById(cmd);
++ if (elt && elt.getAttribute("disabled") == "true") {
++ toggleSidebar(cmd, false);
++ gMustLoadSidebar = false;
++ }
++ }
++}
++
++var lockdownObserver = {
++ observe: function(aSubject, aTopic, aPrefName)
++ {
++ try {
++ applyLockdown(false);
++ } catch (ex) {
++ dump("Failed lockdown: " + ex + "\n");
++ }
++ }
++};
++
++
+ function delayedStartup()
+ {
+ var os = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
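Review bot: In `applyLockdown`, the startup guard `if (!isStartup || disablePrintSetup || disablePrintSetup)` tests the same flag twice and never tests `disablePrinting`, so at startup with only `config.lockdown.printing` set, `cmd_print`, `menu_printSetup` and `menu_printPreview` stay enabled until some `config.lockdown.*` pref changes and the observer re-runs the function. The condition should read `if (!isStartup || disablePrinting || disablePrintSetup) {`. Separately, the lookups of `search-container`, `PersonalToolbar` and `cmd_CustomizeToolbars` are dereferenced without the null check that `lockdownElement` applies. Both callers wrap the whole function in a single `try`, so one missing element aborts every lockdown step after it; guarding those lookups the same way keeps the remaining restrictions applied.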
+@@ -928,7 +1072,16 @@ function delayedStartup()
+
+ if (!gPrefService)
+ gPrefService = Components.classes["@mozilla.org/preferences-service;1"]
+- .getService(Components.interfaces.nsIPrefBranch2);
++ .getService(Components.interfaces.nsIPrefBranchInternal);
++ try {
++ // do lockdown stuff in an exception handler so that if it fails
++ // catastrophically, the browser should still come up and function
++ applyLockdown(true);
++ gPrefService.addObserver("config.lockdown.", lockdownObserver, false);
++ } catch (ex) {
++ dump("Failed lockdown: " + ex + "\n");
++ }
++
+ BrowserOffline.init();
+ OfflineApps.init();
+
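Review bot: The `try`/`catch` around `applyLockdown(true)` fails open: an exception leaves the browser running with the remaining restrictions unapplied, and because `addObserver` comes after the call in the same `try`, no observer is registered to re-apply them later. The only trace is a `dump()` line, which is not visible in a normal session; reporting it with `Components.utils.reportError("Failed lockdown: " + ex);` and registering the observer in its own `try` would make the failure visible and recoverable. The switch from `nsIPrefBranch2` to `nsIPrefBranchInternal` is unexplained; if it is not required, keeping `nsIPrefBranch2` avoids depending on what I understand to be the older interface name. `delayedStartup` continues outside the hunk.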
+@@ -940,8 +1093,8 @@ function delayedStartup()
+ Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
+
+ if (gMustLoadSidebar) {
+- var sidebar = document.getElementById("sidebar");
+ var sidebarBox = document.getElementById("sidebar-box");
++ var sidebar = document.getElementById("sidebar");
+ sidebar.setAttribute("src", sidebarBox.getAttribute("src"));
+ }
+
+@@ -1134,6 +1287,8 @@ function BrowserShutdown()
+ os.removeObserver(gSessionHistoryObserver, "browser:purge-session-history");
+ os.removeObserver(gXPInstallObserver, "xpinstall-install-blocked");
+
++ gPrefService.removeObserver("config.lockdown.", lockdownObserver);
++
+ try {
+ gBrowser.removeProgressListener(window.XULBrowserWindow);
+ } catch (ex) {
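Review bot: `gPrefService.removeObserver("config.lockdown.", lockdownObserver);` is added outside any `try`, while the matching `addObserver` in `delayedStartup` sits inside one and is skipped when `applyLockdown(true)` throws. If removing an observer that was never registered throws here (this cannot be verified from the hunk), the rest of `BrowserShutdown` would be skipped. Wrapping the call, `try { gPrefService.removeObserver("config.lockdown.", lockdownObserver); } catch (ex) {}`, keeps shutdown independent of the lockdown state. `BrowserShutdown` starts and ends outside the hunk.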
+@@ -3222,6 +3377,7 @@ function BrowserCustomizeToolbar()
+
+ var cmd = document.getElementById("cmd_CustomizeToolbars");
+ cmd.setAttribute("disabled", "true");
++ cmd.setAttribute("inCustomization", "true");
+
+ var splitter = document.getElementById("urlbar-search-splitter");
+ if (splitter)
+@@ -3253,6 +3409,15 @@ function BrowserCustomizeToolbar()
+ #endif
+ }
+
++function BrowserRestoreCustomizationDisabledState()
++{
++ var cmd = document.getElementById("cmd_CustomizeToolbars");
++ if (!gPrefService.getBoolPref("config.lockdown.toolbarediting")) {
++ cmd.removeAttribute("disabled", "true");
++ }
++ cmd.removeAttribute("inCustomization");
++}
++
+ function BrowserToolboxCustomizeDone(aToolboxChanged)
+ {
+ #ifdef TOOLBAR_CUSTOMIZATION_SHEET
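Review bot: `cmd.removeAttribute("disabled", "true");` in `BrowserRestoreCustomizationDisabledState` passes a second argument that `removeAttribute` does not take; it should be `cmd.removeAttribute("disabled");`, as in the lines this helper replaces. `getBoolPref` can also throw when the pref cannot be read, and then `inCustomization` is never removed, after which `applyLockdown` keeps skipping `cmd_CustomizeToolbars`. Calling `cmd.removeAttribute("inCustomization");` before the pref lookup avoids that. A comment such as `// Re-enable Customize only when toolbar editing is not locked down` would document why the attribute is kept conditionally.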
+@@ -3302,8 +3467,7 @@ function BrowserToolboxCustomizeDone(aToolboxChanged)
+ var menubar = document.getElementById("main-menubar");
+ for (var i = 0; i < menubar.childNodes.length; ++i)
+ menubar.childNodes[i].setAttribute("disabled", false);
+- var cmd = document.getElementById("cmd_CustomizeToolbars");
+- cmd.removeAttribute("disabled");
++ BrowserRestoreCustomizationDisabledState();
+
+ // XXXmano bug 287105: wallpaper to bug 309953,
+ // the reload button isn't in sync with the reload command.
+@@ -4481,6 +4645,9 @@ function onViewToolbarsPopupShowing(aEvent)
+ menuItem.setAttribute("toolbarindex", i);
+ menuItem.setAttribute("type", "checkbox");
+ menuItem.setAttribute("label", toolbarName);
++ if (toolbar.getAttribute("disabled") == "true") {
++ menuItem.setAttribute("disabled", "true");
++ }
+ menuItem.setAttribute("accesskey", toolbar.getAttribute("accesskey"));
+ menuItem.setAttribute("checked", toolbar.getAttribute("collapsed") != "true");
+ popup.insertBefore(menuItem, firstMenuItem);
+@@ -6353,7 +6520,7 @@ BookmarkAllTabsHandler.prototype = {
+ if (aTabClose)
+ numTabs--;
+
+- if (numTabs > 1)
++ if (numTabs > 1 && !gPrefService.getBoolPref("config.lockdown.bookmark"))
+ this._command.removeAttribute("disabled");
+ else
+ this._command.setAttribute("disabled", "true");
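Review bot: The new condition checks only `config.lockdown.bookmark`, whereas `applyLockdown` disables the add-bookmark commands when either `config.lockdown.bookmark` or `config.lockdown.hidebookmark` is set, so with only `hidebookmark` set this handler re-enables the bookmark-all-tabs command as soon as a second tab is open. The check should cover both prefs: `if (numTabs > 1 && !gPrefService.getBoolPref("config.lockdown.bookmark") && !gPrefService.getBoolPref("config.lockdown.hidebookmark"))`. The element behind `this._command` is also not in the `lockdownElement` list in `applyLockdown`, so a runtime pref change presumably takes effect only on the next tab open or close. The enclosing method starts outside the hunk.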
+diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js
+index cd27953..f460ccf 100644
+--- a/mozilla/modules/libpref/src/init/all.js
++++ b/mozilla/modules/libpref/src/init/all.js
+@@ -1072,6 +1072,21 @@ pref("config.use_system_prefs", false);
+ // if the system has enabled accessibility
+ pref("config.use_system_prefs.accessibility", false);
+
++// UI lockdown settings
++pref("config.lockdown.printing", false);
++pref("config.lockdown.printsetup", false);
++pref("config.lockdown.savepage", false);
++pref("config.lockdown.history",false);
++pref("config.lockdown.toolbarediting",false);
++pref("config.lockdown.urlbar",false);
++pref("config.lockdown.bookmark",false);
++pref("config.lockdown.disable_themes",false);
++pref("config.lockdown.disable_extensions",false);
++pref("config.lockdown.searchbar",false);
++pref("config.lockdown.hidebookmark",false);
++pref("config.lockdown.setwallpaper",false);
++pref("config.lockdown.showsavedpasswords", false);
++
+ /*
+ * What are the entities that you want Mozilla to save using mnemonic
+ * names rather than numeric codes? E.g. If set, we'll output
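Review bot: `config.lockdown.setwallpaper` and `config.lockdown.showsavedpasswords` are declared here, but nothing in the hunks on this page reads them, so setting them has no effect unless another patch enforces them. Either wire them up or drop them, so administrators are not handed a switch that does nothing. The block also needs a comment on semantics and trust, for example `// true = feature restricted; lock these prefs (lockPref or system prefs), otherwise users can reset them in about:config`. `config.lockdown.history.set`, which `applyLockdown` writes as an internal marker, is not declared here and is worth mentioning in the same comment.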
+diff --git a/mozilla/toolkit/components/printing/content/printdialog.js b/mozilla/toolkit/components/printing/content/printdialog.js
+index 3e674af..50e99c0 100644
+--- a/mozilla/toolkit/components/printing/content/printdialog.js
++++ b/mozilla/toolkit/components/printing/content/printdialog.js
+@@ -50,6 +50,7 @@ var gPrintSettings = null;
+ var gWebBrowserPrint = null;
+ var gPrintSetInterface = Components.interfaces.nsIPrintSettings;
+ var doDebug = false;
++var gPrefService = null;
+
+ //---------------------------------------------------
+ function initDialog()
+@@ -87,11 +88,23 @@ function initDialog()
+ dialog.fpDialog = document.getElementById("fpDialog");
+
+ dialog.enabled = false;
++
++ gPrefService = Components.classes["@mozilla.org/preferences-service;1"]
++ .getService(Components.interfaces.nsIPrefService).getBranch(null);
++ if (gPrefService.getBoolPref("config.lockdown.savepage")) {
++ dialog.fileCheck.setAttribute("disabled", "true");
++ }
++ if (gPrefService.getBoolPref("config.lockdown.printing")) {
++ dialog.printButton.setAttribute("disabled", "true");
++ }
+ }
+
+ //---------------------------------------------------
+ function checkInteger(element)
+ {
++ if (gPrefService.getBoolPref("config.lockdown.printing"))
++ return;
++
+ var value = element.value;
+ if (value && value.length > 0) {
+ value = value.replace(/[^0-9]/g,"");
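Review bot: The early `return` added to `checkInteger` makes the digit sanitising of the field depend on a lockdown pref, and it dereferences `gPrefService`, which is `null` until `initDialog` has run. The print button is already disabled in `initDialog` when `config.lockdown.printing` is set, so the guard adds no restriction; dropping it keeps input validation unconditional. In `initDialog`, `getBoolPref` throws if either pref cannot be read, which would abort the function before the `disabled` attributes are set and leave the controls enabled. Those two reads should be wrapped so that a failure is reported instead of silently skipping the lockdown. `checkInteger` continues past the end of the hunk.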
diff --git a/gecko-lockdown.patch b/gecko-lockdown.patch
new file mode 100644
index 0000000..aaa5c6f
--- /dev/null
+++ b/gecko-lockdown.patch
@@ -0,0 +1,341 @@
+diff --git a/mozilla/extensions/cookie/nsCookiePermission.cpp b/mozilla/extensions/cookie/nsCookiePermission.cpp
+index 0f8a64f..985d27a 100644
+--- a/mozilla/extensions/cookie/nsCookiePermission.cpp
++++ b/mozilla/extensions/cookie/nsCookiePermission.cpp
+@@ -85,6 +85,7 @@ static const char kCookiesPrefsMigrated[] = "network.cookie.prefsMigrated";
+ // obsolete pref names for migration
+ static const char kCookiesLifetimeEnabled[] = "network.cookie.lifetime.enabled";
+ static const char kCookiesLifetimeBehavior[] = "network.cookie.lifetime.behavior";
++static const char kCookiesHonorExceptions[] = "network.cookie.honorExceptions";
+ static const char kCookiesAskPermission[] = "network.cookie.warnAboutCookies";
+
+ static const char kPermissionType[] = "cookie";
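Review bot: `kCookiesHonorExceptions` is inserted between the entries under the comment `// obsolete pref names for migration`, but it is a live pref that `Init` observes and `PrefChanged` reads. Move it next to the other active pref names (they are outside this hunk), or give it its own comment such as `// when false, per-site cookie exceptions are ignored (lockdown)`.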
+@@ -123,6 +124,7 @@ nsCookiePermission::Init()
+ prefBranch->AddObserver(kCookiesLifetimePolicy, this, PR_FALSE);
+ prefBranch->AddObserver(kCookiesLifetimeDays, this, PR_FALSE);
+ prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, PR_FALSE);
++ prefBranch->AddObserver(kCookiesHonorExceptions, this, PR_FALSE);
+ #ifdef MOZ_MAIL_NEWS
+ prefBranch->AddObserver(kCookiesDisabledForMailNews, this, PR_FALSE);
+ #endif
+@@ -179,6 +181,10 @@ nsCookiePermission::PrefChanged(nsIPrefBranch *aPrefBranch,
+ if (PREF_CHANGED(kCookiesAlwaysAcceptSession) &&
+ NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &val)))
+ mCookiesAlwaysAcceptSession = val;
++
++ if (PREF_CHANGED(kCookiesHonorExceptions) &&
++ NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesHonorExceptions, &val)))
++ mCookiesHonorExceptions = val;
+
+ #ifdef MOZ_MAIL_NEWS
+ if (PREF_CHANGED(kCookiesDisabledForMailNews) &&
+@@ -244,6 +250,11 @@ nsCookiePermission::CanAccess(nsIURI *aURI,
+ #endif // MOZ_MAIL_NEWS
+
+ // finally, check with permission manager...
++ if (!mCookiesHonorExceptions) {
++ *aResult = ACCESS_DEFAULT;
++ return NS_OK;
++ }
++
+ nsresult rv = mPermMgr->TestPermission(aURI, kPermissionType, (PRUint32 *) aResult);
+ if (NS_SUCCEEDED(rv)) {
+ switch (*aResult) {
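Review bot: When `mCookiesHonorExceptions` is false, `CanAccess` returns `ACCESS_DEFAULT` without consulting the permission manager, which discards deny entries as well as allow entries, so a site that was explicitly blocked falls back to the default cookie behaviour. If the lockdown is only meant to stop users from granting exceptions, deny entries should still be honoured. If ignoring both is intended, state it with a comment such as `// lockdown: ignore all per-site entries, including DENY`, and move the existing `// finally, check with permission manager...` comment below the new block. The same applies to the `mHonorExceptions[aContentType - 1]` branch in `nsContentBlocker::TestPermission`, where `permission` stays 0 and the default is used. `CanAccess` starts and ends outside the hunk.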
+diff --git a/mozilla/extensions/cookie/nsCookiePermission.h b/mozilla/extensions/cookie/nsCookiePermission.h
+index 2be46ba..753b731 100644
+--- a/mozilla/extensions/cookie/nsCookiePermission.h
++++ b/mozilla/extensions/cookie/nsCookiePermission.h
+@@ -57,10 +57,11 @@ public:
+ nsCookiePermission()
+ : mCookiesLifetimeSec(LL_MAXINT)
+ , mCookiesLifetimePolicy(0) // ACCEPT_NORMALLY
+- , mCookiesAlwaysAcceptSession(PR_FALSE)
++ , mCookiesAlwaysAcceptSession(PR_FALSE),
+ #ifdef MOZ_MAIL_NEWS
+- , mCookiesDisabledForMailNews(PR_TRUE)
++ , mCookiesDisabledForMailNews(PR_TRUE),
+ #endif
++ mCookiesHonorExceptions(PR_TRUE)
+ {}
+ virtual ~nsCookiePermission() {}
+
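Review bot: With `MOZ_MAIL_NEWS` defined, the constructor's initializer list no longer compiles: `mCookiesAlwaysAcceptSession(PR_FALSE),` now ends in a comma and the following line still begins with one, producing `, ,` before `mCookiesDisabledForMailNews`. Firefox builds presumably do not define the macro, which would hide the error. Keeping the file's leading-comma style avoids it: leave the two existing initializer lines as they were and add `, mCookiesHonorExceptions(PR_TRUE)` after the `#endif`.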
+@@ -76,7 +77,7 @@ private:
+ #ifdef MOZ_MAIL_NEWS
+ PRPackedBool mCookiesDisabledForMailNews;
+ #endif
+-
++ PRPackedBool mCookiesHonorExceptions;
+ };
+
+ // {EF565D0A-AB9A-4A13-9160-0644CDFD859A}
+diff --git a/mozilla/extensions/permissions/nsContentBlocker.cpp b/mozilla/extensions/permissions/nsContentBlocker.cpp
+index d9b5ad4..c7a0e28 100644
+--- a/mozilla/extensions/permissions/nsContentBlocker.cpp
++++ b/mozilla/extensions/permissions/nsContentBlocker.cpp
+@@ -76,6 +76,7 @@ NS_IMPL_ISUPPORTS3(nsContentBlocker,
+ nsContentBlocker::nsContentBlocker()
+ {
+ memset(mBehaviorPref, BEHAVIOR_ACCEPT, NUMBER_OF_TYPES);
++ memset(mHonorExceptions, PR_TRUE, NUMBER_OF_TYPES);
+ }
+
+ nsresult
+@@ -92,6 +93,11 @@ nsContentBlocker::Init()
+ rv = prefService->GetBranch("permissions.default.", getter_AddRefs(prefBranch));
+ NS_ENSURE_SUCCESS(rv, rv);
+
++ nsCOMPtr honorExceptionsPrefBranch;
++ rv = prefService->GetBranch("permissions.honorExceptions.",
++ getter_AddRefs(honorExceptionsPrefBranch));
++ NS_ENSURE_SUCCESS(rv, rv);
++
+ // Migrate old image blocker pref
+ nsCOMPtr oldPrefBranch;
+ oldPrefBranch = do_QueryInterface(prefService);
+@@ -121,8 +127,15 @@ nsContentBlocker::Init()
+ mPrefBranchInternal = do_QueryInterface(prefBranch, &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+
++ mHonorExceptionsPrefBranchInternal =
++ do_QueryInterface(honorExceptionsPrefBranch, &rv);
++ NS_ENSURE_SUCCESS(rv, rv);
++
+ rv = mPrefBranchInternal->AddObserver("", this, PR_TRUE);
+- PrefChanged(prefBranch, nsnull);
++ NS_ENSURE_SUCCESS(rv, rv);
++
++ rv = mHonorExceptionsPrefBranchInternal->AddObserver("", this, PR_TRUE);
++ PrefChanged(nsnull);
+
+ return rv;
+ }
+@@ -131,19 +144,22 @@ nsContentBlocker::Init()
+ #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default))
+
+ void
+-nsContentBlocker::PrefChanged(nsIPrefBranch *aPrefBranch,
+- const char *aPref)
++nsContentBlocker::PrefChanged(const char *aPref)
+ {
+- PRInt32 val;
+-
+-#define PREF_CHANGED(_P) (!aPref || !strcmp(aPref, _P))
+-
+- for(PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
+- if (PREF_CHANGED(kTypeString[i]) &&
+- NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val)))
+- mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
++ for (PRUint32 i = 0; i < NUMBER_OF_TYPES; ++i) {
++ if (!aPref || !strcmp(kTypeString[i], aPref)) {
++ PRInt32 val;
++ PRBool b;
++ if (mPrefBranchInternal &&
++ NS_SUCCEEDED(mPrefBranchInternal->GetIntPref(kTypeString[i], &val))) {
++ mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
++ }
++ if (mHonorExceptionsPrefBranchInternal &&
++ NS_SUCCEEDED(mHonorExceptionsPrefBranchInternal->GetBoolPref(kTypeString[i], &b))) {
++ mHonorExceptions[i] = b;
++ }
++ }
+ }
+-
+ }
+
+ // nsIContentPolicy Implementation
+@@ -268,11 +284,13 @@ nsContentBlocker::TestPermission(nsIURI *aCurrentURI,
+ // default prefs.
+ // Don't forget the aContentType ranges from 1..8, while the
+ // array is indexed 0..7
+- PRUint32 permission;
+- nsresult rv = mPermissionManager->TestPermission(aCurrentURI,
+- kTypeString[aContentType - 1],
+- &permission);
+- NS_ENSURE_SUCCESS(rv, rv);
++ PRUint32 permission = 0;
++ if (mHonorExceptions[aContentType - 1]) {
++ nsresult rv = mPermissionManager->TestPermission(aCurrentURI,
++ kTypeString[aContentType - 1],
++ &permission);
++ NS_ENSURE_SUCCESS(rv, rv);
++ }
+
+ // If there is nothing on the list, use the default.
+ if (!permission) {
+@@ -298,7 +316,7 @@ nsContentBlocker::TestPermission(nsIURI *aCurrentURI,
+ return NS_OK;
+
+ PRBool trustedSource = PR_FALSE;
+- rv = aFirstURI->SchemeIs("chrome", &trustedSource);
++ nsresult rv = aFirstURI->SchemeIs("chrome", &trustedSource);
+ NS_ENSURE_SUCCESS(rv,rv);
+ if (!trustedSource) {
+ rv = aFirstURI->SchemeIs("resource", &trustedSource);
+@@ -363,8 +381,6 @@ nsContentBlocker::Observe(nsISupports *aSubject,
+ {
+ NS_ASSERTION(!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic),
+ "unexpected topic - we only deal with pref changes!");
+-
+- if (mPrefBranchInternal)
+- PrefChanged(mPrefBranchInternal, NS_LossyConvertUTF16toASCII(aData).get());
++ PrefChanged(NS_LossyConvertUTF16toASCII(aData).get());
+ return NS_OK;
+ }
+diff --git a/mozilla/extensions/permissions/nsContentBlocker.h b/mozilla/extensions/permissions/nsContentBlocker.h
+index d48eeb5..07779ff 100644
+--- a/mozilla/extensions/permissions/nsContentBlocker.h
++++ b/mozilla/extensions/permissions/nsContentBlocker.h
+@@ -66,7 +66,7 @@ public:
+ private:
+ ~nsContentBlocker() {}
+
+- void PrefChanged(nsIPrefBranch *, const char *);
++ void PrefChanged(const char *);
+ nsresult TestPermission(nsIURI *aCurrentURI,
+ nsIURI *aFirstURI,
+ PRInt32 aContentType,
+@@ -75,7 +75,9 @@ private:
+
+ nsCOMPtr mPermissionManager;
+ nsCOMPtr mPrefBranchInternal;
++ nsCOMPtr mHonorExceptionsPrefBranchInternal;
+ PRUint8 mBehaviorPref[NUMBER_OF_TYPES];
++ PRPackedBool mHonorExceptions[NUMBER_OF_TYPES];
+ };
+
+ #define NS_CONTENTBLOCKER_CID \
+diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js
+index cd27953..f200124 100644
+--- a/mozilla/modules/libpref/src/init/all.js
++++ b/mozilla/modules/libpref/src/init/all.js
+@@ -785,6 +785,7 @@ pref("network.ntlm.send-lm-response", false);
+ pref("network.hosts.nntp_server", "news.mozilla.org");
+
+ pref("permissions.default.image", 1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
++pref("permissions.honorExceptions.image", true);
+
+ #ifndef XP_MACOSX
+ #ifdef XP_UNIX
+@@ -812,6 +813,7 @@ pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
+ pref("network.proxy.failover_timeout", 1800); // 30 minutes
+ pref("network.online", true); //online/offline
+ pref("network.cookie.cookieBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
++pref("network.cookie.honorExceptions", true);
+ pref("network.cookie.disableCookieForMailNews", true); // disable all cookies for mail
+ pref("network.cookie.lifetimePolicy", 0); // accept normally, 1-askBeforeAccepting, 2-acceptForSession,3-acceptForNDays
+ pref("network.cookie.alwaysAcceptSessionCookies", false);
+diff --git a/mozilla/netwerk/base/src/nsIOService.cpp b/mozilla/netwerk/base/src/nsIOService.cpp
+index 0329c10..c0e49ca 100644
+--- a/mozilla/netwerk/base/src/nsIOService.cpp
++++ b/mozilla/netwerk/base/src/nsIOService.cpp
+@@ -379,6 +379,16 @@ nsIOService::GetProtocolHandler(const char* scheme, nsIProtocolHandler* *result)
+ nsCOMPtr prefBranch;
+ GetPrefBranch(getter_AddRefs(prefBranch));
+ if (prefBranch) {
++ nsCAutoString protocolBlockedPref("network.protocol-handler.blocked.");
++ protocolBlockedPref += scheme;
++ PRBool blockedProtocol = PR_FALSE;
++ rv = prefBranch->GetBoolPref(protocolBlockedPref.get(), &blockedProtocol);
++ if (NS_FAILED(rv)) {
++ rv = prefBranch->GetBoolPref("network.protocol-handler.blocked-default", &blockedProtocol);
++ }
++ if (NS_SUCCEEDED(rv) && blockedProtocol)
++ return NS_ERROR_UNKNOWN_PROTOCOL;
++
+ nsCAutoString externalProtocolPref("network.protocol-handler.external.");
+ externalProtocolPref += scheme;
+ rv = prefBranch->GetBoolPref(externalProtocolPref.get(), &externalProtocol);
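Review bot: The blocked-scheme check runs only inside `if (prefBranch)`, so when `GetPrefBranch` yields nothing the function continues as if no scheme were blocked. Any return earlier in `GetProtocolHandler` would bypass it as well; the start of the function is outside the hunk, so confirm whether a handler cache is consulted first. If blocking is meant to hold for every scheme, the check belongs at the top of the function. Neither `network.protocol-handler.blocked-default` nor any `network.protocol-handler.blocked.*` pref gets a default or a comment in the `all.js` hunks of this patch. Adding `pref("network.protocol-handler.blocked-default", false);` with a one-line description would document the switch and make the fallback lookup succeed.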
+diff --git a/mozilla/widget/src/gtk2/nsWindow.cpp b/mozilla/widget/src/gtk2/nsWindow.cpp
+index 9e0d187..b628f20 100644
+--- a/mozilla/widget/src/gtk2/nsWindow.cpp
++++ b/mozilla/widget/src/gtk2/nsWindow.cpp
+@@ -75,6 +75,7 @@
+ #include "nsIServiceManager.h"
+ #include "nsIStringBundle.h"
+ #include "nsGfxCIID.h"
++#include "nsIPrefService.h"
+
+ #ifdef ACCESSIBILITY
+ #include "nsIAccessibleRole.h"
+@@ -86,7 +87,6 @@
+ static PRBool sAccessibilityChecked = PR_FALSE;
+ /* static */
+ PRBool nsWindow::sAccessibilityEnabled = PR_FALSE;
+-static const char sSysPrefService [] = "@mozilla.org/system-preference-service;1";
+ static const char sAccEnv [] = "GNOME_ACCESSIBILITY";
+ static const char sAccessibilityKey [] = "config.use_system_prefs.accessibility";
+ #endif
+@@ -3383,18 +3383,18 @@ nsWindow::NativeCreate(nsIWidget *aParent,
+ sAccessibilityEnabled = atoi(envValue);
+ LOG(("Accessibility Env %s=%s\n", sAccEnv, envValue));
+ }
+- //check gconf-2 setting
++ //check preference setting
+ else {
+- nsCOMPtr sysPrefService =
+- do_GetService(sSysPrefService, &rv);
+- if (NS_SUCCEEDED(rv) && sysPrefService) {
+-
+- // do the work to get gconf setting.
+- // will be done soon later.
+- sysPrefService->GetBoolPref(sAccessibilityKey,
++ nsCOMPtr prefService =
++ do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
++ if (NS_SUCCEEDED(rv) && prefService) {
++ nsCOMPtr prefBranch;
++ rv = prefService->GetBranch(nsnull, getter_AddRefs(prefBranch));
++ if (NS_SUCCEEDED(rv) && prefBranch) {
++ prefBranch->GetBoolPref(sAccessibilityKey,
+ &sAccessibilityEnabled);
++ }
+ }
+-
+ }
+ }
+ if (sAccessibilityEnabled) {
+diff --git a/mozilla/xpinstall/src/nsXPInstallManager.cpp b/mozilla/xpinstall/src/nsXPInstallManager.cpp
+index 35a2e82..6765c8e 100644
+--- a/mozilla/xpinstall/src/nsXPInstallManager.cpp
++++ b/mozilla/xpinstall/src/nsXPInstallManager.cpp
+@@ -290,6 +290,7 @@ nsXPInstallManager::InitManagerInternal()
+ //-----------------------------------------------------
+ // Get permission to install
+ //-----------------------------------------------------
++ nsCOMPtr pref(do_GetService(NS_PREFSERVICE_CONTRACTID));
+
+ #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
+ if ( mChromeType == CHROME_SKIN )
+@@ -299,17 +300,26 @@ nsXPInstallManager::InitManagerInternal()
+
+ // skins get a simpler/friendlier dialog
+ // XXX currently not embeddable
+- OKtoInstall = ConfirmChromeInstall( mParentWindow, packageList );
++ PRBool themesDisabled = PR_FALSE;
++ if (pref)
++ pref->GetBoolPref("config.lockdown.disable_themes", &themesDisabled);
++ OKtoInstall = !themesDisabled &&
++ ConfirmChromeInstall( mParentWindow, packageList );
+ }
+ else
+ {
+ #endif
+- rv = dlgSvc->ConfirmInstall( mParentWindow,
+- packageList,
+- numStrings,
+- &OKtoInstall );
+- if (NS_FAILED(rv))
+- OKtoInstall = PR_FALSE;
++ PRBool extensionsDisabled = PR_FALSE;
++ if (pref)
++ pref->GetBoolPref("config.lockdown.disable_extensions", &extensionsDisabled);
++ if (!extensionsDisabled) {
++ rv = dlgSvc->ConfirmInstall( mParentWindow,
++ packageList,
++ numStrings,
++ &OKtoInstall );
++ if (NS_FAILED(rv))
++ OKtoInstall = PR_FALSE;
++ }
+ #ifdef ENABLE_SKIN_SIMPLE_INSTALLATION_UI
+ }
+ #endif
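Review bot: When `config.lockdown.disable_extensions` is true the `ConfirmInstall` call is skipped and `OKtoInstall` keeps whatever value it had before this block; its initialisation is outside the hunk, so the refusal should be made explicit with `else { OKtoInstall = PR_FALSE; }`. Both lockdown checks also fail open: if `do_GetService` returns null, or `GetBoolPref` fails and its result is ignored, the install proceeds to the confirmation dialog as if nothing were locked. A comment at the `pref` declaration should state which behaviour is intended on failure. A refused install should also tell the user it is disabled by policy instead of cancelling silently. `InitManagerInternal` starts and ends outside the hunk.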