Bug #48403 --> don't allow JS running in a mailnews sand box to change the name of it's containing iframe.

this code was contributed by mstoltz.
r=beard, sr=mscott

caps/src/nsScriptSecurityManager.cpp

@@ -1678,6 +1678,11 @@ struct nsDomainEntry {
         int thisLen = mOrigin.Length();
         if (len < thisLen)
             return PR_FALSE;
+        if (mOrigin.RFindChar(':', PR_FALSE, thisLen-1, 1) != -1)
+        //-- Policy applies to all URLs of this scheme, compare scheme only
+            return mOrigin.EqualsWithConversion(anOrigin, PR_TRUE, thisLen);
+
+        //-- Policy applies to a particular host; compare scheme://host.domain
         if (!mOrigin.Equals(anOrigin + (len - thisLen)))
             return PR_FALSE;
         if (len == thisLen)
@@ -1717,16 +1722,25 @@ nsScriptSecurityManager::GetPrefName(nsIPrincipal *principal,
                 const char *s = origin;
                 const char *nextToLastDot = nsnull;
                 const char *lastDot = nsnull;
+                const char *colon = nsnull;
                 const char *p = s;
                 while (*p) {
                     if (*p == '.') {
                         nextToLastDot = lastDot;
                         lastDot = p;
                     }
+                    if (!colon && *p == ':')
+                        colon = p;
                     p++;
                 }
                 nsCStringKey key(nextToLastDot ? nextToLastDot+1 : s);
                 nsDomainEntry *de = (nsDomainEntry *) mOriginToPolicyMap->Get(&key);
+                if (!de)
+                {
+                    nsCAutoString scheme(s, colon-s+1);
+                    nsCStringKey schemeKey(scheme);
+                    de = (nsDomainEntry *) mOriginToPolicyMap->Get(&schemeKey);
+                }
                 while (de) {
                     if (de->Matches(s)) {
                         policy = &de->mPolicy;

modules/libpref/src/init/all.js

@@ -182,6 +182,8 @@ localDefPref("browser.navcenter.docked.selector.visible", true);
 localDefPref("browser.navcenter.docked.tree.width", 250); // Percent of parent window consumed by docked nav center
 localDefPref("browser.navcenter.floating.rect", "20, 20, 400, 600"); // Window dimensions when floating
 
+// Default Capability Preferences: Security-Critical! 
+// Editing these may create a security risk - be sure you know what you're doing
 pref("capability.policy.default.barprop.visible.write", "UniversalBrowserWrite");
 
 pref("capability.policy.default.history.current.read", "UniversalBrowserRead");
@@ -201,8 +203,12 @@ pref("capability.policy.default.location.search.write", "allAccess");
 pref("capability.policy.default.navigator.preference.read", "UniversalPreferencesRead");
 pref("capability.policy.default.navigator.preference.write", "UniversalPreferencesWrite");
 pref("capability.policy.default.windowinternal.location.write", "allAccess");
+
+// window.openDialog is insecure and must be made inaccessible from web scripts - see bug 56009
 pref("capability.policy.default.windowinternal.opendialog", "noAccess");
 
+pref("capability.policy.mailnews.sites", "mailbox: imap: news: pop: pop3:");
+pref("capability.policy.mailnews.window.name", "noAccess");
 
 localDefPref("ghist.expires.pos",          4);
 localDefPref("ghist.expires.width",        1400);