Bug 944407 - Allow scripts for an XBL binding if and only if the XBL document comes from a scriptable domain. r=bz

content/xbl/src/nsXBLBinding.cpp

@@ -1082,28 +1082,7 @@ nsXBLBinding::DoInitJSClass(JSContext *cx, JS::Handle<JSObject*> global,
 bool
 nsXBLBinding::AllowScripts()
 {
-  if (!mPrototypeBinding->GetAllowScripts())
-    return false;
-
-  // Nasty hack.  Use the JSContext of the bound node, since the
-  // security manager API expects to get the docshell type from
-  // that.  But use the nsIPrincipal of our document.
-  nsIScriptSecurityManager* mgr = nsContentUtils::GetSecurityManager();
-  if (!mgr) {
-    return false;
-  }
-
-  nsIDocument* doc = mBoundElement ? mBoundElement->OwnerDoc() : nullptr;
-  if (!doc) {
-    return false;
-  }
-
-  nsCOMPtr<nsIScriptGlobalObject> global = do_QueryInterface(doc->GetInnerWindow());
-  if (!global || !global->GetGlobalJSObject()) {
-    return false;
-  }
-
-  return mgr->ScriptAllowed(global->GetGlobalJSObject());
+  return mPrototypeBinding->GetAllowScripts();
 }
 
 nsXBLBinding*

content/xbl/src/nsXBLBinding.h

@@ -141,7 +141,7 @@ public:
                                 JS::MutableHandle<JSObject*> aClassObject,
                                 bool* aNew);
 
-  bool AllowScripts();  // XXX make const
+  bool AllowScripts();
 
   mozilla::dom::XBLChildrenElement* FindInsertionPointFor(nsIContent* aChild);
 

content/xbl/src/nsXBLDocumentInfo.cpp

@@ -403,6 +403,24 @@ nsXBLDocumentInfo::nsXBLDocumentInfo(nsIDocument* aDocument)
       mScriptAccess = allow;
     }
     mIsChrome = true;
+  } else {
+    // If this binding isn't running with system principal, then it's running
+    // from a remote-XUL whitelisted domain. This is already a not-really-
+    // supported configuration (among other things, we don't use XBL scopes in
+    // that configuration for compatibility reasons). But we should still at
+    // least make an effort to prevent binding code from running if content
+    // script is disabled or if the source domain is blacklisted (since the
+    // source domain for remote XBL must always be the same as the source domain
+    // of the bound content).
+    //
+    // If we just ask the binding document if script is enabled, it will
+    // discover that it has no inner window, and return false. So instead, we
+    // short-circuit the normal compartment-managed script-disabling machinery,
+    // and query the policy for the URI directly.
+    bool allow;
+    nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+    nsresult rv = ssm->PolicyAllowsScript(uri, &allow);
+    mScriptAccess = NS_SUCCEEDED(rv) && allow;
   }
 }
 

content/xbl/src/nsXBLDocumentInfo.h

@@ -27,7 +27,7 @@ public:
   already_AddRefed<nsIDocument> GetDocument()
     { nsCOMPtr<nsIDocument> copy = mDocument; return copy.forget(); }
 
-  bool GetScriptAccess() { return mScriptAccess; }
+  bool GetScriptAccess() const { return mScriptAccess; }
 
   nsIURI* DocumentURI() { return mDocument->GetDocumentURI(); }
 

content/xbl/src/nsXBLPrototypeBinding.cpp

@@ -214,7 +214,7 @@ nsXBLPrototypeBinding::SetBindingElement(nsIContent* aElement)
 }
 
 bool
-nsXBLPrototypeBinding::GetAllowScripts()
+nsXBLPrototypeBinding::GetAllowScripts() const
 {
   return mXBLDocInfoWeak->GetScriptAccess();
 }

content/xbl/src/nsXBLPrototypeBinding.h

@@ -48,7 +48,7 @@ public:
   // binding URIs.
   bool CompareBindingURI(nsIURI* aURI) const;
 
-  bool GetAllowScripts();
+  bool GetAllowScripts() const;
 
   nsresult BindingAttached(nsIContent* aBoundElement);
   nsresult BindingDetached(nsIContent* aBoundElement);