From 038d6caf4dac19286d3e54a89720724aeefb3898 Mon Sep 17 00:00:00 2001
From: Daniel Holbert
Date: Mon, 7 Nov 2011 13:45:42 -0800
Subject: [PATCH] Bug 693940: Restrict SVG-as-an-image to load URIs with URI_INHERITS_SECURITY_CONTEXT. r=bz

---
 content/base/src/nsDataDocumentContentPolicy.cpp | 12 +++++++-----
 layout/reftests/svg/as-image/reftest.list        |  4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/content/base/src/nsDataDocumentContentPolicy.cpp b/content/base/src/nsDataDocumentContentPolicy.cpp
index b0c52ed97dc..478db8c5cbd 100644
--- a/content/base/src/nsDataDocumentContentPolicy.cpp
+++ b/content/base/src/nsDataDocumentContentPolicy.cpp
@@ -87,12 +87,14 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
   }
 
   if (doc->IsBeingUsedAsImage()) {
-    // Allow local resources for SVG-as-an-image documents, but disallow
-    // everything else, to prevent data leakage
+    // Only allow SVG-as-an-image to load local resources that inherit security
+    // context (basically just data: URIs), to prevent data leakage.
     bool hasFlags;
-    nsresult rv = NS_URIChainHasFlags(aContentLocation,
-                                      nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
-                                      &hasFlags);
+    nsresult rv =
+      NS_URIChainHasFlags(aContentLocation,
+                          nsIProtocolHandler::URI_IS_LOCAL_RESOURCE |
+                          nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
+                          &hasFlags);
     if (NS_FAILED(rv) || !hasFlags) {
       // resource is not local (or we couldn't tell) - reject!
       *aDecision = nsIContentPolicy::REJECT_TYPE;
diff --git a/layout/reftests/svg/as-image/reftest.list b/layout/reftests/svg/as-image/reftest.list
index 54fc3ad9266..ce49679607e 100644
--- a/layout/reftests/svg/as-image/reftest.list
+++ b/layout/reftests/svg/as-image/reftest.list
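Review bot: The comment on the rejection branch, `// resource is not local (or we couldn't tell) - reject!`, is now stale: after this change a local resource whose protocol lacks URI_INHERITS_SECURITY_CONTEXT is rejected too, so the comment understates what the policy enforces. Suggest `// resource is not a local, security-context-inheriting URI (or we couldn't tell) - reject!`. The stricter check also depends on NS_URIChainHasFlags treating the OR'd mask as "all of these flags must be set"; that semantics is not visible in the hunk, and if the helper matched on any single flag the new condition would be looser than the old one rather than tighter, so a one-line comment above the call stating that both flags are required (or a second call for the new flag) would make the intent reviewable without reading the helper. ShouldLoad begins and ends outside the hunk.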
@@ -109,11 +109,11 @@ random == img-and-image-1.html img-and-image-1-ref.svg # bug 645267
 # tests for external resources vs. data URIs in SVG as an image
 == svg-image-datauri-1.html lime100x100.svg
 HTTP == svg-image-datauri-1.html lime100x100.svg
-fails-if(Android) == svg-image-external-1.html lime100x100.svg
+== svg-image-external-1.html blue100x100.svg
 HTTP == svg-image-external-1.html blue100x100.svg
 == svg-stylesheet-datauri-1.html lime100x100.svg
 HTTP == svg-stylesheet-datauri-1.html lime100x100.svg
-random == svg-stylesheet-external-1.html lime100x100.svg # see bug 629885 comment 9
+== svg-stylesheet-external-1.html blue100x100.svg
 HTTP == svg-stylesheet-external-1.html blue100x100.svg
 
 # test that :visited status is ignored in image documents