Fix

32088 Circumventing Same Origin security policy using javascript: URLs
        32040 about: can't be link
Also remove deprecated method
r=mstoltz

caps/src/nsScriptSecurityManager.cpp

@@ -471,12 +471,12 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI, nsIURI *aURI,
         return NS_OK;
     }
 
-    enum Action { AllowProtocol, DenyProtocol, AboutProtocol};
+    enum Action { AllowProtocol, DenyProtocol };
     struct { 
         const char *name;
         Action action;
     } protocolList[] = {
-        { "about",           AboutProtocol },
+        { "about",           AllowProtocol },
         { "data",            AllowProtocol },
         { "file",            DenyProtocol  },
         { "ftp",             AllowProtocol },
@@ -505,15 +505,6 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI, nsIURI *aURI,
             case DenyProtocol:
                 // Deny access
                 return NS_ERROR_DOM_BAD_URI;
-            case AboutProtocol:
-                // Allow for about:blank, deny for others.
-                nsXPIDLCString spec;
-                if (NS_FAILED(aURI->GetSpec(getter_Copies(spec))))
-                    return NS_ERROR_FAILURE;
-                if (nsCRT::strcasecmp(spec, "about:blank") == 0) {
-                    return NS_OK;
-                }
-                return NS_ERROR_DOM_BAD_URI;
             }
         }
     }

content/html/document/src/nsHTMLDocument.cpp

@@ -2000,6 +2000,45 @@ nsHTMLDocument::ScriptWriteCommon(JSContext *cx,
 {
   nsresult result = NS_OK;
 
+
+  nsXPIDLCString spec;
+  if (!mDocumentURL ||
+      (NS_SUCCEEDED(mDocumentURL->GetSpec(getter_Copies(spec))) &&
+       nsCRT::strcasecmp(spec, "about:blank") == 0)) 
+  {
+    // The current document's URL and principal are empty or "about:blank".
+    // By writing to this document, the script acquires responsibility for the
+    // document for security purposes. Thus a document.write of a script tag
+    // ends up producing a script with the same principals as the script
+    // that performed the write.
+    nsIScriptContext *context = (nsIScriptContext*)JS_GetContextPrivate(cx);
+    JSObject* obj;
+    if (NS_FAILED(GetScriptObject(context, (void**)&obj))) 
+      return NS_ERROR_FAILURE;
+    nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, nsnull);
+    if (!sm)
+      return NS_ERROR_FAILURE;
+    nsCOMPtr<nsIPrincipal> subject;
+    if (NS_FAILED(sm->GetSubjectPrincipal(getter_AddRefs(subject))))
+      return NS_ERROR_FAILURE;
+    if (subject) {
+      nsCOMPtr<nsICodebasePrincipal> codebase = do_QueryInterface(subject);
+      if (codebase) {
+        nsCOMPtr<nsIURI> subjectURI;
+        if (NS_FAILED(codebase->GetURI(getter_AddRefs(subjectURI))))
+          return NS_ERROR_FAILURE;
+
+        NS_IF_RELEASE(mDocumentURL);
+        mDocumentURL = subjectURI;
+        NS_ADDREF(mDocumentURL);
+
+        NS_IF_RELEASE(mPrincipal);
+        mPrincipal = subject;
+        NS_ADDREF(mPrincipal);
+      }
+    }
+  }
+
   if (nsnull == mParser) {
     result = Open(cx, argv, argc);
     if (NS_OK != result) {

content/xml/document/src/nsXMLContentSink.cpp

@@ -1675,7 +1675,8 @@ nsXMLContentSink::EvaluateScript(nsString& aScript, PRUint32 aLineNo, const char
         nsAutoString val;
         PRBool isUndefined;
 
-        (void) context->EvaluateString(aScript, url, aLineNo, aVersion,
+        // XXX need principal
+        (void) context->EvaluateString(aScript, nsnull, nsnull, url, aLineNo, aVersion,
                                        val, &isUndefined);
 
         NS_IF_RELEASE(docURL);

dom/public/nsIScriptContext.h

@@ -51,14 +51,6 @@ class nsIScriptContext : public nsISupports {
 public:
   NS_DEFINE_STATIC_IID_ACCESSOR(NS_ISCRIPTCONTEXT_IID)
 
-  // deprecated: remove later (XXXbe when is later?)
-  NS_IMETHOD EvaluateString(const nsString& aScript,
-                            const char *aURL,
-                            PRUint32 aLineNo,
-                            const char* aVersion,
-                            nsString& aRetValue,
-                            PRBool* aIsUndefined) = 0;
-
   /**
    * Compile and execute a script.
    *

dom/src/base/nsJSEnvironment.cpp

@@ -193,17 +193,6 @@ nsJSContext::~nsJSContext()
 
 NS_IMPL_ISUPPORTS(nsJSContext, NS_GET_IID(nsIScriptContext));
 
-NS_IMETHODIMP
-nsJSContext::EvaluateString(const nsString& aScript,
-                            const char *aURL,
-                            PRUint32 aLineNo,
-                            const char* aVersion,
-                            nsString& aRetValue,
-                            PRBool* aIsUndefined)
-{
-  return EvaluateString(aScript, nsnull, nsnull, aURL, aLineNo, aVersion, aRetValue, aIsUndefined);
-}
-
 NS_IMETHODIMP
 nsJSContext::EvaluateString(const nsString& aScript,
                             void *aScopeObject,
@@ -227,7 +216,6 @@ nsJSContext::EvaluateString(const nsString& aScript,
     aPrincipal->GetJSPrincipals(&jsprin);
   }
   else {
-    // norris TODO: Using GetGlobalObject to get principals is broken?
     nsCOMPtr<nsIScriptGlobalObject> global = dont_AddRef(GetGlobalObject());
     if (!global)
       return NS_ERROR_FAILURE;

dom/src/base/nsJSEnvironment.h

@@ -53,12 +53,6 @@ public:
 
   NS_DECL_ISUPPORTS
 
-  NS_IMETHOD       EvaluateString(const nsString& aScript,
-                                  const char *aURL,
-                                  PRUint32 aLineNo,
-                                  const char* aVersion,
-                                  nsString& aRetValue,
-                                  PRBool* aIsUndefined);
   NS_IMETHOD       EvaluateString(const nsString& aScript,
                                   void *aScopeObject,
                                   nsIPrincipal *principal,

editor/base/nsEditorShell.cpp

@@ -3961,7 +3961,7 @@ nsEditorShell::ExecuteScript(nsIScriptContext * aContext, const nsString& aScrip
     nsCRT::free(script_str);
 #endif
 
-    aContext->EvaluateString(aScript, url, 0, nsnull, rVal, &isUndefined);
+    aContext->EvaluateString(aScript, nsnull, nsnull, url, 0, nsnull, rVal, &isUndefined);
   } 
   return NS_OK;
 }

editor/composer/src/nsEditorShell.cpp

@@ -3961,7 +3961,7 @@ nsEditorShell::ExecuteScript(nsIScriptContext * aContext, const nsString& aScrip
     nsCRT::free(script_str);
 #endif
 
-    aContext->EvaluateString(aScript, url, 0, nsnull, rVal, &isUndefined);
+    aContext->EvaluateString(aScript, nsnull, nsnull, url, 0, nsnull, rVal, &isUndefined);
   } 
   return NS_OK;
 }

layout/html/document/src/nsHTMLDocument.cpp

@@ -2000,6 +2000,45 @@ nsHTMLDocument::ScriptWriteCommon(JSContext *cx,
 {
   nsresult result = NS_OK;
 
+
+  nsXPIDLCString spec;
+  if (!mDocumentURL ||
+      (NS_SUCCEEDED(mDocumentURL->GetSpec(getter_Copies(spec))) &&
+       nsCRT::strcasecmp(spec, "about:blank") == 0)) 
+  {
+    // The current document's URL and principal are empty or "about:blank".
+    // By writing to this document, the script acquires responsibility for the
+    // document for security purposes. Thus a document.write of a script tag
+    // ends up producing a script with the same principals as the script
+    // that performed the write.
+    nsIScriptContext *context = (nsIScriptContext*)JS_GetContextPrivate(cx);
+    JSObject* obj;
+    if (NS_FAILED(GetScriptObject(context, (void**)&obj))) 
+      return NS_ERROR_FAILURE;
+    nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, nsnull);
+    if (!sm)
+      return NS_ERROR_FAILURE;
+    nsCOMPtr<nsIPrincipal> subject;
+    if (NS_FAILED(sm->GetSubjectPrincipal(getter_AddRefs(subject))))
+      return NS_ERROR_FAILURE;
+    if (subject) {
+      nsCOMPtr<nsICodebasePrincipal> codebase = do_QueryInterface(subject);
+      if (codebase) {
+        nsCOMPtr<nsIURI> subjectURI;
+        if (NS_FAILED(codebase->GetURI(getter_AddRefs(subjectURI))))
+          return NS_ERROR_FAILURE;
+
+        NS_IF_RELEASE(mDocumentURL);
+        mDocumentURL = subjectURI;
+        NS_ADDREF(mDocumentURL);
+
+        NS_IF_RELEASE(mPrincipal);
+        mPrincipal = subject;
+        NS_ADDREF(mPrincipal);
+      }
+    }
+  }
+
   if (nsnull == mParser) {
     result = Open(cx, argv, argc);
     if (NS_OK != result) {

layout/xml/document/src/nsXMLContentSink.cpp

@@ -1675,7 +1675,8 @@ nsXMLContentSink::EvaluateScript(nsString& aScript, PRUint32 aLineNo, const char
         nsAutoString val;
         PRBool isUndefined;
 
-        (void) context->EvaluateString(aScript, url, aLineNo, aVersion,
+        // XXX need principal
+        (void) context->EvaluateString(aScript, nsnull, nsnull, url, aLineNo, aVersion,
                                        val, &isUndefined);
 
         NS_IF_RELEASE(docURL);

webshell/tests/viewer/JSConsole.cpp

@@ -889,6 +889,8 @@ void JSConsole::EvaluateText(UINT aStartSel, UINT aEndSel)
             PRBool isUndefined;
 
             if (NS_SUCCEEDED(mContext->EvaluateString(nsString(cleanBuffer), 
+                                                      nsnull,
+                                                      nsnull,
                                                       nsnull,
                                                       0,
                                                       nsnull,

xpfe/browser/src/nsBrowserInstance.cpp

@@ -1986,7 +1986,7 @@ nsBrowserAppCore::ExecuteScript(nsIScriptContext * aContext, const nsString& aSc
     if (APP_DEBUG) {
       printf("Executing [%s]\n", (const char *)nsCAutoString(aScript));
     }
-    aContext->EvaluateString(aScript, url, 0, nsnull, rVal, &isUndefined);
+    aContext->EvaluateString(aScript, nsnull, nsnull, url, 0, nsnull, rVal, &isUndefined);
   } 
   return NS_OK;
 }