301119 allow error pages to load favicons

xpfe:
dveditz: second-review+
benjamin: first-review+
asa: approval1.8b4+
toolkit:
benjamin: first-review+
benjamin: approval1.8b4+

patch by me, ported to toolkit by Henrik Skupin <hskupin@gmail.com>

toolkit/content/widgets/tabbrowser.xml

@@ -783,8 +783,13 @@
               Components.interfaces.nsIScriptSecurityManager;
 
             try {
-              secMan.checkLoadURI(origURI, uri,
+              // error pages can load their favicon
-                                  nsIScriptSecMan.DISALLOW_SCRIPT);
+              // to be on the safe side, only allow chrome:// favicons
+              const aboutNeterr = "about:neterror?";
+              if (origURI.spec.substr(0, aboutNeterr.length) != aboutNeterr ||
+                  !uri.schemeIs("chrome"))
+                secMan.checkLoadURI(origURI, uri,
+                                    nsIScriptSecMan.DISALLOW_SCRIPT);
             } catch(e) {
               return;
             }

xpfe/global/resources/content/bindings/tabbrowser.xml

@@ -705,8 +705,13 @@
               Components.interfaces.nsIScriptSecurityManager;
 
             try {
-              secMan.checkLoadURI(origURI, uri,
+              // error pages can load their favicon
-                                  nsIScriptSecMan.DISALLOW_SCRIPT);
+              // to be on the safe side, only allow chrome:// favicons
+              const aboutNeterr = "about:neterror?";
+              if (origURI.spec.substr(0, aboutNeterr.length) != aboutNeterr ||
+                  !uri.schemeIs("chrome"))
+                secMan.checkLoadURI(origURI, uri,
+                                    nsIScriptSecMan.DISALLOW_SCRIPT);
             } catch(e) {
               return;
             }