From 2a5d4dae27586430568c8126bd9b357f10e884f9 Mon Sep 17 00:00:00 2001
From: Neil Rashbrook
Date: Wed, 4 Nov 2015 22:31:46 +0000
Subject: [PATCH] Bug 1211708 Allow themes to specify XBL bindings even in unprivileged documents r=sicking
---
 dom/xbl/nsXBLService.cpp | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/dom/xbl/nsXBLService.cpp b/dom/xbl/nsXBLService.cpp
index 4e0e5f0d721..569fcdb72c0 100644
--- a/dom/xbl/nsXBLService.cpp
+++ b/dom/xbl/nsXBLService.cpp
@@ -843,6 +843,21 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI,
 return NS_OK;
 }

+static bool
+IsSystemOrChromeURLPrincipal(nsIPrincipal* aPrincipal)
+{
+ if (nsContentUtils::IsSystemPrincipal(aPrincipal)) {
+ return true;
+ }
+
+ nsCOMPtr uri;
+ aPrincipal->GetURI(getter_AddRefs(uri));
+ NS_ENSURE_TRUE(uri, false);
+
+ bool isChrome = false;
+ return NS_SUCCEEDED(uri->SchemeIs("chrome", &isChrome)) && isChrome;
+}
+
 nsresult
 nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement,
 nsIDocument* aBoundDocument,
@@ -856,7 +871,9 @@ nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement,
 "If we're doing a security check, we better have a document!");

 *aResult = nullptr;
- if (aOriginPrincipal && !nsContentUtils::IsSystemPrincipal(aOriginPrincipal)) {
+ // Allow XBL in unprivileged documents if it's specified in a privileged or
+ // chrome: stylesheet. This allows themes to specify XBL bindings.
+ if (aOriginPrincipal && !IsSystemOrChromeURLPrincipal(aOriginPrincipal)) {
 NS_ENSURE_TRUE(!aBoundDocument || aBoundDocument->AllowXULXBL(),
 NS_ERROR_XBL_BLOCKED);
 }
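Review bot: In IsSystemOrChromeURLPrincipal the result of `aPrincipal->GetURI(...)` is discarded and the missing-URI case goes through `NS_ENSURE_TRUE(uri, false)`, which logs a warning on failure. If a principal without a URI is an ordinary input here, a quiet fail-closed check reads better: `if (NS_FAILED(aPrincipal->GetURI(getter_AddRefs(uri))) || !uri) { return false; }`. The helper also dereferences aPrincipal unconditionally, so a `MOZ_ASSERT(aPrincipal);` at the top would record that callers must null-check first, as the call site in the second hunk does. Because the helper widens a security gate on the strength of a URI scheme alone, it deserves a comment above it, for example `// Trusts any principal whose URI scheme is chrome:; intended only for the XBL gate in LoadBindingDocumentInfo.`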
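Review bot: The new comment in LoadBindingDocumentInfo ties the exemption to the stylesheet that specifies the binding, but the condition only inspects aOriginPrincipal. Nothing in this hunk shows that every caller passes the principal of the sheet rather than one the bound document can influence. This `if` is the only check visible here between a document whose AllowXULXBL() is false and a loaded binding, so the comment should state that requirement, e.g. `// aOriginPrincipal must be the principal of the stylesheet (or other requester) that named the binding, never one derived from the bound document.` A regression test asserting that a non-chrome sheet in such a document still gets NS_ERROR_XBL_BLOCKED would pin the negative case. The function starts and continues outside the hunk.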