Bug 481558: Don't apply XBL that isn't located in the same domain as the bound document. r/sr=bz

--HG--
extra : rebase_source : 6ef8c8ffcf8d9df0f6f9a0cdadd45f12564d7e37

content/xbl/src/nsXBLService.cpp

@@ -1103,6 +1103,25 @@ nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement,
                               nsIContentPolicy::TYPE_XBL,
                               aBoundDocument);
     NS_ENSURE_SUCCESS(rv, rv);
+
+    // Also make sure that we're same-origin with the bound document
+    // except if the stylesheet is a UA stylesheet. We fake testing
+    // for UA stylesheets by calling CheckLoadURI.
+    nsCOMPtr<nsIURI> principalURI;
+    rv = aOriginPrincipal->GetURI(getter_AddRefs(principalURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    if (principalURI) {
+      nsresult uaCheckRes =
+        nsContentUtils::GetSecurityManager()->
+        CheckLoadURIWithPrincipal(aBoundDocument->NodePrincipal(),
+                                  principalURI, 0);
+      if (NS_SUCCEEDED(uaCheckRes)) {
+        rv = aBoundDocument->NodePrincipal()->CheckMayLoad(aBindingURI,
+                                                           PR_TRUE);
+        NS_ENSURE_SUCCESS(rv, rv);
+      }
+    }
   }
 
   *aResult = nsnull;

content/xbl/test/Makefile.in

@@ -67,6 +67,9 @@ _TEST_FILES =	\
 		file_bug379959_cross.html \
 		file_bug379959_xbl.xml \
 		test_bug468210.xhtml \
+		test_bug481558.html \
+		file_bug481558css.sjs \
+		file_bug481558.xbl \
 		$(NULL)
 
 libs:: $(_TEST_FILES)

content/xbl/test/file_bug481558.xbl

@@ -0,0 +1,13 @@
+<bindings xmlns="http://www.mozilla.org/xbl"
+          xmlns:xbl="http://www.mozilla.org/xbl"
+          xmlns:html="http://www.w3.org/1999/xhtml">
+<binding id="test">
+  <content>
+    <children/>
+    Binding Attached
+  </content>
+  <implementation>
+    <property name="xblBoundProperty" onget="return 1;"/>
+  </implementation>
+</binding>
+</bindings>

content/xbl/test/file_bug481558css.sjs

@@ -0,0 +1,17 @@
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  response.setHeader("Content-Type", "text/css", false);
+  css = "#" + query.id + " { -moz-binding: url(\"";
+  if (query.server) {
+    css += "http://" + query.server + "/tests/content/xbl/test/";
+  }
+  css += "file_bug481558.xbl#test\"); }";
+
+  response.write(css);
+}

content/xbl/test/test_bug481558.html

@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=481558
+-->
+<head>
+  <title>Test for Bug 481558</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
+  <link rel="stylesheet" type="text/css"
+        href="file_bug481558css.sjs?id=id1">
+  <link rel="stylesheet" type="text/css"
+        href="file_bug481558css.sjs?id=id2&server=example.com">
+  <link rel="stylesheet" type="text/css" href="http://example.com/tests/content/xbl/test/file_bug481558css.sjs?id=id3">
+  <link rel="stylesheet" type="text/css" href="http://example.com/tests/content/xbl/test/file_bug481558css.sjs?id=id4&server=example.com">
+</head>
+<body onload="runTest();">
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=481558">Mozilla Bug 481558</a>
+<p id="id1"></p>
+<p id="id2"></p>
+<p id="id3"></p>
+<p id="id4"></p>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+function runTest() {
+  is ($('id1').xblBoundProperty, 1, "XBL should be attached");
+  is ($('id2').xblBoundProperty, undefined, "XBL shouldn't be attached");
+  is ($('id3').xblBoundProperty, undefined, "XBL shouldn't be attached");
+  is ($('id4').xblBoundProperty, undefined, "XBL shouldn't be attached");
+  SimpleTest.finish();
+}
+
+</script>
+</pre>
+</body>
+</html>