Merge m-c and fx-team.

CLOBBER

@@ -17,5 +17,4 @@
 #
 # Modifying this file will now automatically clobber the buildbot machines \o/
 #
-Bug 879831 needed to clobber for the removal of jsprobes.cpp
-bug 882904:  move LIBS to moz.build (logic).
+Bug 704356 needed to clobber for the removal of jspropertycache.cpp

accessible/src/jsat/TraversalRules.jsm

@@ -14,6 +14,8 @@ this.EXPORTED_SYMBOLS = ['TraversalRules'];
 Cu.import('resource://gre/modules/accessibility/Utils.jsm');
 Cu.import('resource://gre/modules/XPCOMUtils.jsm');
 
+let gSkipEmptyImages = new PrefCache('accessibility.accessfu.skip_empty_images');
+
 function BaseTraversalRule(aRoles, aMatchFunc) {
   this._matchRoles = aRoles;
   this._matchFunc = aMatchFunc;
@@ -103,6 +105,8 @@ this.TraversalRules = {
 
           return Ci.nsIAccessibleTraversalRule.FILTER_MATCH;
         }
+      case Ci.nsIAccessibleRole.ROLE_GRAPHIC:
+        return TraversalRules._shouldSkipImage(aAccessible);
       default:
         // Ignore the subtree, if there is one. So that we don't land on
         // the same content that was already presented by its parent.
@@ -168,7 +172,10 @@ this.TraversalRules = {
      Ci.nsIAccessibleRole.ROLE_CHECK_MENU_ITEM]),
 
   Graphic: new BaseTraversalRule(
-    [Ci.nsIAccessibleRole.ROLE_GRAPHIC]),
+    [Ci.nsIAccessibleRole.ROLE_GRAPHIC],
+    function Graphic_match(aAccessible) {
+      return TraversalRules._shouldSkipImage(aAccessible);
+    }),
 
   Heading: new BaseTraversalRule(
     [Ci.nsIAccessibleRole.ROLE_HEADING]),
@@ -211,5 +218,12 @@ this.TraversalRules = {
 
   Checkbox: new BaseTraversalRule(
     [Ci.nsIAccessibleRole.ROLE_CHECKBUTTON,
-     Ci.nsIAccessibleRole.ROLE_CHECK_MENU_ITEM])
+     Ci.nsIAccessibleRole.ROLE_CHECK_MENU_ITEM]),
+
+  _shouldSkipImage: function _shouldSkipImage(aAccessible) {
+    if (gSkipEmptyImages.value && aAccessible.name === '') {
+      return Ci.nsIAccessibleTraversalRule.FILTER_IGNORE;
+    }
+    return Ci.nsIAccessibleTraversalRule.FILTER_MATCH;
+  }
 };

b2g/app/b2g.js

@@ -398,6 +398,9 @@ pref("dom.mozAlarms.enabled", true);
 
 // SimplePush
 pref("services.push.enabled", true);
+// Is the network connection allowed to be up?
+// This preference should be used in UX to enable/disable push.
+pref("services.push.connection.enabled", true);
 // serverURL to be assigned by services team
 pref("services.push.serverURL", "");
 pref("services.push.userAgentID", "");
@@ -641,6 +644,8 @@ pref("dom.disable_window_open_dialog_feature", true);
 
 // Screen reader support
 pref("accessibility.accessfu.activate", 2);
+// Whether to skip images with empty alt text
+pref("accessibility.accessfu.skip_empty_images", true);
 
 // Enable hit-target fluffing
 pref("ui.touch.radius.enabled", false);

b2g/config/gaia.json

@@ -1,4 +1,4 @@
 {
-    "revision": "36f36185e7c0710689452688aff4d79cfee99f22", 
+    "revision": "123a4b7418cf70cee6862cc407572ab97ae570fd", 
     "repo_path": "/integration/gaia-central"
 }

browser/base/content/test/browser_locationBarCommand.js

@@ -34,7 +34,7 @@ function runAltLeftClickTest() {
 function runShiftLeftClickTest() {
   let listener = new WindowListener(getBrowserURL(), function(aWindow) {
     Services.wm.removeListener(listener);
-    addPageShowListener(aWindow.gBrowser, function() {
+    addPageShowListener(aWindow.gBrowser.selectedBrowser, function() {
       info("URL should be loaded in a new window");
       is(gURLBar.value, "", "Urlbar reverted to original value");       
       is(gFocusManager.focusedElement, null, "There should be no focused element");
@@ -43,7 +43,7 @@ function runShiftLeftClickTest() {
 
       aWindow.close();
       runNextTest();
-    });
+    }, "http://example.com/");
   });
   Services.wm.addListener(listener);
 
@@ -61,7 +61,7 @@ function runNextTest() {
   info("Running test: " + test.desc);
   // Tab will be blank if test.startValue is null
   let tab = gBrowser.selectedTab = gBrowser.addTab(test.startValue);
-  addPageShowListener(gBrowser, function() {
+  addPageShowListener(gBrowser.selectedBrowser, function() {
     triggerCommand(test.click, test.event);
     test.check(tab);
 
@@ -163,10 +163,13 @@ function checkNewTab(aTab) {
   isnot(gBrowser.selectedTab, aTab, "New URL was loaded in a new tab");
 }
 
-function addPageShowListener(aBrowser, aFunc) {
-  aBrowser.selectedBrowser.addEventListener("pageshow", function loadListener() {
-    aBrowser.selectedBrowser.removeEventListener("pageshow", loadListener, false);
-    aFunc();
+function addPageShowListener(browser, cb, expectedURL) {
+  browser.addEventListener("pageshow", function pageShowListener() {
+    info("pageshow: " + browser.currentURI.spec);
+    if (expectedURL && browser.currentURI.spec != expectedURL)
+      return; // ignore pageshows for non-expected URLs
+    browser.removeEventListener("pageshow", pageShowListener, false);
+    cb();
   });
 }
 

browser/components/nsBrowserGlue.js

@@ -317,6 +317,23 @@ BrowserGlue.prototype = {
         });
         break;
 #endif
+      case "browser-search-engine-modified":
+        if (data != "engine-default" && data != "engine-current") {
+          break;
+        }
+        // Enforce that the search service's defaultEngine is always equal to
+        // its currentEngine. The search service will notify us any time either
+        // of them are changed (either by directly setting the relevant prefs,
+        // i.e. if add-ons try to change this directly, or if the
+        // nsIBrowserSearchService setters are called).
+        let ss = Services.search;
+        if (ss.currentEngine.name == ss.defaultEngine.name)
+          return;
+        if (data == "engine-current")
+          ss.defaultEngine = ss.currentEngine;
+        else
+          ss.currentEngine = ss.defaultEngine;
+        break;
     }
   },
 
@@ -351,6 +368,7 @@ BrowserGlue.prototype = {
 #ifdef MOZ_SERVICES_HEALTHREPORT
     os.addObserver(this, "keyword-search", false);
 #endif
+    os.addObserver(this, "browser-search-engine-modified", false);
   },
 
   // cleanup (called on application shutdown)
@@ -384,6 +402,7 @@ BrowserGlue.prototype = {
 #ifdef MOZ_SERVICES_HEALTHREPORT
     os.removeObserver(this, "keyword-search");
 #endif
+    os.removeObserver(this, "browser-search-engine-modified");
   },
 
   _onAppDefaults: function BG__onAppDefaults() {

browser/config/mozconfigs/linux32/debug

@@ -1,7 +1,6 @@
 ac_add_options --enable-debug
 ac_add_options --enable-trace-malloc
 ac_add_options --enable-signmar
-ENABLE_MARIONETTE=1
 
 . $topsrcdir/build/unix/mozconfig.linux32
 

browser/config/mozconfigs/linux64/debug

@@ -1,7 +1,6 @@
 ac_add_options --enable-debug
 ac_add_options --enable-trace-malloc
 ac_add_options --enable-signmar
-ENABLE_MARIONETTE=1
 
 . $topsrcdir/build/unix/mozconfig.linux
 

browser/config/mozconfigs/macosx64/debug

@@ -4,7 +4,6 @@ ac_add_options --enable-debug
 ac_add_options --enable-trace-malloc
 ac_add_options --enable-accessibility
 ac_add_options --enable-signmar
-ENABLE_MARIONETTE=1
 
 # Needed to enable breakpad in application.ini
 export MOZILLA_OFFICIAL=1

browser/config/mozconfigs/win32/debug

@@ -5,8 +5,6 @@ ac_add_options --enable-trace-malloc
 ac_add_options --enable-signmar
 ac_add_options --enable-metro
 
-ENABLE_MARIONETTE=1
-
 # Needed to enable breakpad in application.ini
 export MOZILLA_OFFICIAL=1
 

browser/config/mozconfigs/win64/debug

@@ -7,7 +7,6 @@ ac_add_options --enable-debug
 ac_add_options --enable-trace-malloc
 ac_add_options --enable-signmar
 ac_add_options --enable-metro
-ENABLE_MARIONETTE=1
 
 # Needed to enable breakpad in application.ini
 export MOZILLA_OFFICIAL=1

browser/metro/base/tests/mochitest/Makefile.in

@@ -34,11 +34,6 @@ BROWSER_TESTS = \
   browser_form_auto_complete.html \
   $(NULL)
 
-# disabled due to timeouts and lack of plugin support.
-#  browser_plugin_input.html \
-#  browser_plugin_input_mouse.js \
-#  browser_plugin_input_keyboard.js \
-
 ifndef MOZ_DEBUG
 BROWSER_TESTS += \
   browser_selection_basic.js \

browser/metro/base/tests/mochitest/browser_plugin_input.html

@@ -1,8 +0,0 @@
-<html>
-<head>
-  <title>Test Plugin Input</title>
-</head>
-<body>
-  <embed id="plugin1" type="application/x-test" width="200" height="200"></embed>
-</body>
-</html>

browser/metro/base/tests/mochitest/browser_plugin_input_keyboard.js

@@ -1,55 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-function test() {
-  runTests();
-}
-
-gTests.push({
-  desc: "Plugin keyboard input",
-  run: function() {
-    Services.prefs.setBoolPref("plugin.disable", false);
-    Services.prefs.setBoolPref("plugins.click_to_play", false);
-    registerCleanupFunction(Services.prefs.clearUserPref.bind(null, "plugin.disable"));
-    registerCleanupFunction(Services.prefs.clearUserPref.bind(null, "plugins.click_to_play"));
-
-    let tab = yield addTab(chromeRoot + "browser_plugin_input.html");
-
-    yield hideContextUI();
-
-    let doc = tab.browser.contentDocument;
-    let plugin = doc.getElementById("plugin1");
-    let objLoadingContent = plugin.QueryInterface(Ci.nsIObjectLoadingContent);
-    ok(objLoadingContent.activated, "Plugin activated");
-    plugin.focus();
-
-    try {
-      is(plugin.getLastKeyText(), "", "Plugin should not have received "
-                                    + "any character events yet.");
-    } catch(e) {
-      ok(false, "plugin.getLastKeyText should not throw: " + e);
-    }
-
-    let keys = [{ kbLayout: arSpanish,
-                  keyCode: 65,
-                  modifiers: 0,
-                  expectedChar: 'a' }];
-
-    /* XXX: Re-enable this once bug 837293 is fixed
-                { kbLayout: arSpanish,
-                  keyCode: 65,
-                  modifiers: rightAlt,
-                  expectedChar: "á" }];
-    */
-
-    while (keys.length > 0) {
-      let key = keys.shift();
-      info("Sending keypress: " + key.expectedChar);
-      synthesizeNativeKey(key.kbLayout, key.keyCode, key.modifiers);
-      let success = yield waitForCondition(function() plugin.getLastKeyText() == key.expectedChar);
-      ok(success && !(success instanceof Error),
-         "Plugin received char: " + key.expectedChar);
-    }
-  }
-});

browser/metro/base/tests/mochitest/browser_plugin_input_mouse.js

@@ -1,71 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-function test() {
-  runTests();
-}
-
-gTests.push({
-  desc: "Plugin mouse input",
-  run: function() {
-    // This test needs "Switch primary and secondary buttons" disabled.
-    let origValue = MetroUtils.swapMouseButton(false);
-    registerCleanupFunction(function() MetroUtils.swapMouseButton(origValue));
-
-    Services.prefs.setBoolPref("plugin.disable", false);
-    Services.prefs.setBoolPref("plugins.click_to_play", false);
-    registerCleanupFunction(Services.prefs.clearUserPref.bind(null, "plugin.disable"));
-    registerCleanupFunction(Services.prefs.clearUserPref.bind(null, "plugins.click_to_play"));
-
-    let tab = yield addTab(chromeRoot + "browser_plugin_input.html");
-
-    yield hideContextUI();
-
-    let doc = tab.browser.contentDocument;
-    let plugin = doc.getElementById("plugin1");
-    let objLoadingContent = plugin.QueryInterface(Ci.nsIObjectLoadingContent);
-    ok(objLoadingContent.activated, "Plugin activated");
-
-    // XXX: This shouldn't be necessary, but removing it causes the first click to
-    //      sometimes not register
-    let wait = yield waitForMs(0);
-    ok(wait, "Initial wait");
-
-    try {
-      is(plugin.getMouseUpEventCount(), 0, "Plugin should not have received "
-                                         + "any mouse up events yet.");
-    } catch(e) {
-      ok(false, "plugin.getMouseUpEventCount should not throw: " + e);
-    }
-
-    let bottom = plugin.getBoundingClientRect().height - 1;
-    let right = plugin.getBoundingClientRect().width - 1;
-    let middleX = right / 2;
-    let middleY = bottom / 2;
-    let left = 1;
-    let top = 1;
-
-    let clicks = [{ x: left, y: top},          // left top corner
-                  { x: left, y: middleY},      // left middle
-                  { x: left, y: bottom},       // left bottom corner
-                  { x: middleX, y: bottom},    // bottom middle
-                  { x: right, y: bottom},      // right bottom corner
-                  { x: right, y: middleY},     // right middle
-                  { x: right, y: top},         // right top corner
-                  { x: middleX, y: top},       // top middle
-                  { x: middleX, y: middleY}];  // middle
-
-    let curClicks = 0;
-    while (clicks.length > 0) {
-      let click = clicks.shift();
-      curClicks++;
-      info("Sending click " + curClicks + " { x: " + click.x + ", y: " + click.y + "}");
-      synthesizeNativeMouseLDown(plugin, click.x, click.y);
-      synthesizeNativeMouseLUp(plugin, click.x, click.y);
-      let success = yield waitForCondition(function() plugin.getMouseUpEventCount() == curClicks);
-      ok(success && !(success instanceof Error),
-         "Plugin received click " + curClicks);
-    }
-  }
-});

build/automation.py.in

@@ -30,17 +30,12 @@ import automationutils
 here = os.path.dirname(__file__)
 mozbase = os.path.realpath(os.path.join(os.path.dirname(here), 'mozbase'))
 
-try:
-    import mozcrash
-except:
-    deps = ['mozcrash',
-            'mozfile',
-            'mozlog']
-    for dep in deps:
-        module = os.path.join(mozbase, dep)
-        if module not in sys.path:
-            sys.path.append(module)
-    import mozcrash
+if os.path.isdir(mozbase):
+    for package in os.listdir(mozbase):
+        sys.path.append(os.path.join(mozbase, package))
+
+import mozcrash
+
 # ---------------------------------------------------------------
 
 _DEFAULT_PREFERENCE_FILE = os.path.join(SCRIPT_DIR, 'prefs_general.js')

content/base/src/nsDOMTokenList.cpp

@@ -231,7 +231,9 @@ nsDOMTokenList::Remove(const nsAString& aToken, ErrorResult& aError)
 }
 
 bool
-nsDOMTokenList::Toggle(const nsAString& aToken, ErrorResult& aError)
+nsDOMTokenList::Toggle(const nsAString& aToken,
+                       const Optional<bool>& aForce,
+                       ErrorResult& aError)
 {
   aError = CheckToken(aToken);
   if (aError.Failed()) {
@@ -239,14 +241,24 @@ nsDOMTokenList::Toggle(const nsAString& aToken, ErrorResult& aError)
   }
 
   const nsAttrValue* attr = GetParsedAttr();
+  const bool forceOn = aForce.WasPassed() && aForce.Value();
+  const bool forceOff = aForce.WasPassed() && !aForce.Value();
 
-  if (attr && attr->Contains(aToken)) {
-    RemoveInternal(attr, aToken);
-    return false;
+  bool isPresent = attr && attr->Contains(aToken);
+
+  if (isPresent) {
+    if (!forceOn) {
+      RemoveInternal(attr, aToken);
+      isPresent = false;
+    }
+  } else {
+    if (!forceOff) {
+      AddInternal(attr, aToken);
+      isPresent = true;
+    }
   }
 
-  AddInternal(attr, aToken);
-  return true;
+  return isPresent;
 }
 
 void

content/base/src/nsDOMTokenList.h

@@ -13,6 +13,7 @@
 #include "nsDOMString.h"
 #include "nsWrapperCache.h"
 #include "mozilla/dom/Element.h"
+#include "mozilla/dom/BindingDeclarations.h"
 
 namespace mozilla {
 class ErrorResult;
@@ -59,7 +60,9 @@ public:
   bool Contains(const nsAString& aToken, mozilla::ErrorResult& aError);
   void Add(const nsAString& aToken, mozilla::ErrorResult& aError);
   void Remove(const nsAString& aToken, mozilla::ErrorResult& aError);
-  bool Toggle(const nsAString& aToken, mozilla::ErrorResult& aError);
+  bool Toggle(const nsAString& aToken,
+              const mozilla::dom::Optional<bool>& force,
+              mozilla::ErrorResult& aError);
   void Stringify(nsAString& aResult);
 
 protected:

content/base/test/test_classList.html

@@ -35,7 +35,7 @@ function onAttrModified(event) {
   });
 }
 
-function checkModification(e, funcName, argument, expectedRes, before, after, expectedException) {
+function checkModification(e, funcName, args, expectedRes, before, after, expectedException) {
   var shouldThrow = typeof(expectedException) === "string";
   if (shouldThrow) {
     // If an exception is thrown, the class attribute shouldn't change.
@@ -46,14 +46,15 @@ function checkModification(e, funcName, argument, expectedRes, before, after, ex
   else
     e.setAttribute("class", before);
 
-  var contextMsg = "(checkModification: funcName=" + funcName + ",argument=" +
-                   argument + ",expectedRes=" + expectedRes + ",before=" +
-                   before + ",after=" + after + ")";
+  var contextMsg = "(checkModification: funcName=" + funcName + ",args=" +
+                   JSON.stringify(args) + ",expectedRes=" + expectedRes +
+                   ",before=" + before + ",after=" + after + ")";
 
   gMutationEvents = [];
   e.addEventListener("DOMAttrModified", onAttrModified, false);
   try {
-    var res = e.classList[funcName](argument);
+    var list = e.classList;
+    var res = list[funcName].apply(list, args);
     if (shouldThrow)
       ok(false, "classList modification didn't throw " + contextMsg);
   } catch (e) {
@@ -258,7 +259,7 @@ function testClassList(e) {
   // add() method
 
   function checkAdd(before, argument, after, expectedException) {
-    checkModification(e, "add", argument, null, before, after, expectedException);
+    checkModification(e, "add", [argument], null, before, after, expectedException);
   }
 
   checkAdd(null, "", null, "SyntaxError");
@@ -284,7 +285,7 @@ function testClassList(e) {
   // remove() method
 
   function checkRemove(before, argument, after, expectedException) {
-    checkModification(e, "remove", argument, null, before, after, expectedException);
+    checkModification(e, "remove", [argument], null, before, after, expectedException);
   }
 
   checkRemove(null, "", null, "SyntaxError");
@@ -323,7 +324,7 @@ function testClassList(e) {
   // toggle() method
 
   function checkToggle(before, argument, expectedRes, after, expectedException) {
-    checkModification(e, "toggle", argument, expectedRes, before, after, expectedException);
+    checkModification(e, "toggle", [argument], expectedRes, before, after, expectedException);
   }
 
   checkToggle(null, "", null, null, "SyntaxError");
@@ -351,7 +352,24 @@ function testClassList(e) {
   checkToggle("", null, true, "null");
   checkToggle("undefined", undefined, false, "");
   checkToggle("", undefined, true, "undefined");
+
+
+  // tests for the force argument handling
+  
+  function checkForceToggle(before, argument, force, expectedRes, after, expectedException) {
+    checkModification(e, "toggle", [argument, force], expectedRes, before, after, expectedException);
+  }
+
+  checkForceToggle("", "a", true, true, "a");
+  checkForceToggle("a", "a", true, true, "a");
+  checkForceToggle("a", "b", true, true, "a b");
+  checkForceToggle("a b", "b", true, true, "a b");
+  checkForceToggle("", "a", false, false, "");
+  checkForceToggle("a", "a", false, false, "");
+  checkForceToggle("a", "b", false, false, "a");
+  checkForceToggle("a b", "b", false, false, "a");
 }
+
 var content = document.getElementById("content");
 
 var htmlNode = document.createElement("div");

content/html/content/src/nsDOMStringMap.cpp

@@ -10,6 +10,7 @@
 #include "nsGenericHTMLElement.h"
 #include "nsContentUtils.h"
 #include "mozilla/dom/DOMStringMapBinding.h"
+#include "nsIDOMMutationEvent.h"
 
 using namespace mozilla;
 using namespace mozilla::dom;
@@ -24,16 +25,23 @@ NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsDOMStringMap)
   if (tmp->mElement) {
     // Call back to element to null out weak reference to this object.
     tmp->mElement->ClearDataset();
+    tmp->mElement->RemoveMutationObserver(tmp);
     tmp->mElement = nullptr;
   }
+  ++tmp->mExpandoAndGeneration.generation;
+  tmp->mExpandoAndGeneration.expando = JS::UndefinedValue();
 NS_IMPL_CYCLE_COLLECTION_UNLINK_END
 
 NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(nsDOMStringMap)
   NS_IMPL_CYCLE_COLLECTION_TRACE_PRESERVED_WRAPPER
+  if (tmp->PreservingWrapper()) {
+    NS_IMPL_CYCLE_COLLECTION_TRACE_JSVAL_MEMBER_CALLBACK(mExpandoAndGeneration.expando);
+  }
 NS_IMPL_CYCLE_COLLECTION_TRACE_END
 
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsDOMStringMap)
   NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY
+  NS_INTERFACE_MAP_ENTRY(nsIMutationObserver)
   NS_INTERFACE_MAP_ENTRY(nsISupports)
 NS_INTERFACE_MAP_END
 
@@ -45,6 +53,8 @@ nsDOMStringMap::nsDOMStringMap(nsGenericHTMLElement* aElement)
     mRemovingProp(false)
 {
   SetIsDOMBinding();
+
+  mElement->AddMutationObserver(this);
 }
 
 nsDOMStringMap::~nsDOMStringMap()
@@ -53,6 +63,7 @@ nsDOMStringMap::~nsDOMStringMap()
   if (mElement) {
     // Call back to element to null out weak reference to this object.
     mElement->ClearDataset();
+    mElement->RemoveMutationObserver(this);
   }
 }
 
@@ -235,3 +246,17 @@ bool nsDOMStringMap::AttrToDataProp(const nsAString& aAttr,
 
   return true;
 }
+
+void
+nsDOMStringMap::AttributeChanged(nsIDocument *aDocument, Element* aElement,
+                                 int32_t aNameSpaceID, nsIAtom* aAttribute,
+                                 int32_t aModType)
+{
+  if ((aModType == nsIDOMMutationEvent::ADDITION ||
+       aModType == nsIDOMMutationEvent::REMOVAL) &&
+      aNameSpaceID == kNameSpaceID_None &&
+      StringBeginsWith(nsDependentAtomString(aAttribute),
+                       NS_LITERAL_STRING("data-"))) {
+    ++mExpandoAndGeneration.generation;
+  }
+}

content/html/content/src/nsDOMStringMap.h

@@ -13,18 +13,21 @@
 #include "nsString.h"
 #include "nsWrapperCache.h"
 #include "nsGenericHTMLElement.h"
+#include "jsfriendapi.h"
 
 namespace mozilla {
 class ErrorResult;
 }
 
-class nsDOMStringMap : public nsISupports,
+class nsDOMStringMap : public nsStubMutationObserver,
                        public nsWrapperCache
 {
 public:
   NS_DECL_CYCLE_COLLECTING_ISUPPORTS
   NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(nsDOMStringMap)
 
+  NS_DECL_NSIMUTATIONOBSERVER_ATTRIBUTECHANGED
+
   nsINode* GetParentObject()
   {
     return mElement;
@@ -42,6 +45,8 @@ public:
   void NamedDeleter(const nsAString& aProp, bool &found);
   void GetSupportedNames(nsTArray<nsString>& aNames);
 
+  js::ExpandoAndGeneration mExpandoAndGeneration;
+
 private:
   virtual ~nsDOMStringMap();
 

content/html/content/test/Makefile.in

@@ -307,6 +307,7 @@ MOCHITEST_FILES = \
 		file_iframe_sandbox_pass.js \
 		file_iframe_sandbox_fail.js \
 		test_iframe_sandbox_navigation.html \
+		test_iframe_sandbox_navigation2.html \
 		file_iframe_sandbox_d_if1.html \
 		file_iframe_sandbox_d_if2.html \
 		file_iframe_sandbox_d_if3.html \
@@ -320,6 +321,15 @@ MOCHITEST_FILES = \
 		file_iframe_sandbox_d_if11.html \
 		file_iframe_sandbox_d_if12.html \
 		file_iframe_sandbox_d_if13.html \
+		file_iframe_sandbox_d_if14.html \
+		file_iframe_sandbox_d_if15.html \
+		file_iframe_sandbox_d_if16.html \
+		file_iframe_sandbox_d_if17.html \
+		file_iframe_sandbox_d_if18.html \
+		file_iframe_sandbox_d_if19.html \
+		file_iframe_sandbox_d_if20.html \
+		file_iframe_sandbox_d_if21.html \
+		file_iframe_sandbox_d_if22.html \
 		file_iframe_sandbox_navigation_start.html \
 		file_iframe_sandbox_navigation_pass.html \
 		file_iframe_sandbox_navigation_fail.html \
@@ -329,8 +339,19 @@ MOCHITEST_FILES = \
 		file_iframe_sandbox_e_if4.html \
 		file_iframe_sandbox_e_if5.html \
 		file_iframe_sandbox_e_if6.html \
+		file_iframe_sandbox_e_if7.html \
+		file_iframe_sandbox_e_if8.html \
+		file_iframe_sandbox_e_if9.html \
+		file_iframe_sandbox_e_if10.html \
+		file_iframe_sandbox_e_if11.html \
+		file_iframe_sandbox_e_if12.html \
+		file_iframe_sandbox_e_if13.html \
+		file_iframe_sandbox_e_if14.html \
+		file_iframe_sandbox_e_if15.html \
+		file_iframe_sandbox_e_if16.html \
 		file_iframe_sandbox_top_navigation_pass.html \
 		file_iframe_sandbox_top_navigation_fail.html \
+		file_iframe_sandbox_window_navigation_fail.html \
 		test_iframe_sandbox_plugins.html \
 		file_iframe_sandbox_f_if1.html \
 		file_iframe_sandbox_f_if2.html \
@@ -358,6 +379,7 @@ MOCHITEST_FILES = \
 		wakelock.ogv \
 		test_bug869040.html \
 		allowMedia.sjs \
+		test_bug874758.html \
 		$(NULL)
 
 MOCHITEST_CHROME_FILES = \

content/html/content/test/file_iframe_sandbox_d_if1.html

@@ -14,6 +14,6 @@ function doTest() {
 <body onload="doTest()">
   I am sandboxed with 'allow-scripts'
 
-  <a href="file_iframe_sandbox_navigation_pass.html?if_1" target="_self" id='anchor'>
+  <a href="file_iframe_sandbox_navigation_pass.html?Test 1:%20" target="_self" id='anchor'>
 </body>
 </html>

content/html/content/test/file_iframe_sandbox_d_if14.html

@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 838692</title>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script type="text/javascript">
+  var test20Context = "Test 20: Navigate another window (not opened by us): ";
+
+  function doTest() {
+    // Try to navigate auxiliary browsing context (window) not opened by us.
+    // We should not be able to do this as we are sandboxed.
+    sendMouseEvent({type:'click'}, 'navigate_window');
+    window.parent.postMessage("test attempted", "*");
+
+    // Try to navigate auxiliary browsing context (window) not opened by us, using window.open().
+    // We should not be able to do this as we are sandboxed.
+    try {
+      window.open("file_iframe_sandbox_window_navigation_fail.html?" + escape(test20Context), "window_to_navigate2");
+      window.parent.postMessage("test attempted", "*");
+    } catch(error) {
+      window.parent.postMessage({ok: true, desc: test20Context + "as expected, error thrown during window.open(..., \"window_to_navigate2\")"}, "*");
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed but with "allow-scripts allow-same-origin allow-top-navigation".
+
+  <a href="file_iframe_sandbox_window_navigation_fail.html?Test 14: Navigate another window (not opened by us):%20" target="window_to_navigate" id="navigate_window">navigate window</a>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if15.html

@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<body>
+  I am an unsandboxed iframe.
+
+  <iframe sandbox="allow-same-origin allow-scripts" id="if_16" src="file_iframe_sandbox_d_if16.html" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if16.html

@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+
+<script type="application/javascript">
+function doTest() {
+  window.parent.parent.postMessage("test attempted", "*");
+  sendMouseEvent({type:'click'}, 'anchor');
+}
+</script>
+
+<body onload="doTest()">
+  I am sandboxed with 'allow-same-origin allow-scripts'
+
+  <a href="file_iframe_sandbox_navigation_fail.html?Test 16: Navigate parent/ancestor by name:%20" target='if_parent' id='anchor'>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if17.html

@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script type="application/javascript">
+  var testContext = "Test 17: navigate _self with window.open(): ";
+
+  function doTest() {
+    try {
+      window.open("file_iframe_sandbox_navigation_pass.html?" + escape(testContext), "_self");
+    } catch(error) {
+      window.parent.postMessage({ok: false, desc: testContext + "error thrown during window.open(..., \"_self\")"}, "*");
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts'
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if18.html

@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+
+<script type="application/javascript">
+  window.addEventListener("message", receiveMessage, false);
+
+  function receiveMessage(event) {
+    window.parent.postMessage(event.data, "*");
+  }
+
+  var testContext = "Test 18: navigate child with window.open(): ";
+
+  function doTest() {
+    try {
+      window.open("file_iframe_sandbox_navigation_pass.html?" + escape(testContext), "foo");
+    } catch(error) {
+      window.parent.postMessage({ok: false, desc: testContext + " error thrown during window.open(..., \"foo\")"}, "*");
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts'
+
+  <iframe name="foo" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if19.html

@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+  I am sandboxed with 'allow-scripts'
+
+  <iframe sandbox="allow-scripts" id="if_20" src="file_iframe_sandbox_d_if20.html" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if2.html

@@ -10,8 +10,8 @@
 // needed to forward the message to the main test page
 window.addEventListener("message", receiveMessage, false);
 
-function receiveMessage(event) { 
-  window.parent.postMessage({ok: event.data.ok, desc: event.data.desc}, "*");
+function receiveMessage(event) {
+  window.parent.postMessage(event.data, "*");
 }
 
 function doTest() {
@@ -23,6 +23,6 @@ function doTest() {
 
   <iframe name="foo" src="file_iframe_sandbox_navigation_start.html" height="10" width="10"></iframe>
 
-  <a href="file_iframe_sandbox_navigation_pass.html?if2" target='foo' id='anchor'>
+  <a href="file_iframe_sandbox_navigation_pass.html?Test 2:%20" target='foo' id='anchor'>
 </body>
 </html>

content/html/content/test/file_iframe_sandbox_d_if20.html

@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script type="application/javascript">
+  var testContext = "Test 19: navigate _parent with window.open(): ";
+
+  function doTest() {
+    try {
+      window.open("file_iframe_sandbox_navigation_fail.html?" + escape(testContext), "_parent");
+      window.parent.parent.postMessage("test attempted", "*");
+    } catch(error) {
+      window.parent.parent.postMessage({ok: true, desc: testContext + "as expected, error thrown during window.open(..., \"_parent\")"}, "*");
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts'
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if21.html

@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<body>
+  I am an unsandboxed iframe.
+
+  <iframe sandbox="allow-same-origin allow-scripts" id="if_22" src="file_iframe_sandbox_d_if22.html" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if22.html

@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script type="application/javascript">
+  var testContext = "Test 21: navigate parent by name with window.open(): ";
+
+  function doTest() {
+    try {
+      window.open("file_iframe_sandbox_navigation_fail.html?" + escape(testContext), "if_parent2");
+      window.parent.parent.postMessage("test attempted", "*");
+    } catch(error) {
+      window.parent.parent.postMessage({ok: true, desc: testContext + "as expected, error thrown during window.open(..., \"if_parent2\")"}, "*");
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed with 'allow-same-origin allow-scripts'
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if4.html

@@ -8,6 +8,7 @@
 </head>
 <script type="application/javascript">
 function doTest() {
+  window.parent.parent.postMessage("test attempted", "*");
   sendMouseEvent({type:'click'}, 'anchor');
 }
 </script>

content/html/content/test/file_iframe_sandbox_d_if5.html

@@ -9,11 +9,12 @@
 <script type="application/javascript">
 function doTest() {
   sendMouseEvent({type:'click'}, 'anchor');
+  window.parent.postMessage("test attempted", "*");
 }
 </script>
 <body onload="doTest()">
   I am sandboxed with 'allow-scripts allow-same-origin'
 
-  <a href="file_iframe_sandbox_navigation_fail.html" target='sibling' id='anchor'>
+  <a href="file_iframe_sandbox_navigation_fail.html?Test 4: Navigate sibling iframe by name:%20" target='if_sibling' id='anchor'>
 </body>
 </html>

content/html/content/test/file_iframe_sandbox_d_if7.html

@@ -1,16 +1,20 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script type="application/javascript">
-function doTest() {
-  window.parent.ok_wrapper(false, "a sandboxed document when navigated should still NOT be same-origin with its parent");
-}
-</script>
-<body onload="doTest()">
-  I am sandboxed with 'allow-scripts'
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script type="application/javascript">
+function doTest() {
+  try {
+    window.parent.ok_wrapper(false, "a sandboxed document when navigated should still NOT be same-origin with its parent");
+  } catch(error) {
+    window.parent.postMessage({ok: true, desc: "sandboxed document's attempt to access parent after navigation blocked, as not same-origin."}, "*");
+  }
+}
+</script>
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts'
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_d_if8.html

@@ -1,16 +1,24 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script type="application/javascript">
-function doTest() {
-  window.parent.modify_if_8();
-}
-</script>
-<body onload="doTest()">
-  I am sandboxed with 'allow-scripts' and 'allow-same-origin' the first time I am loaded, and with 'allow-scripts' the second time
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script type="application/javascript">
+function doTest() {
+  if (location.search == "?onreload") {
+    try {
+      window.parent.modify_if_8();
+    } catch (error) {
+      window.parent.postMessage({ok: true, desc: "allow-same-origin is no longer in effect after reload - parent access blocked."}, "*");
+    }
+  } else {
+    window.parent.modify_if_8();
+  }
+}
+</script>
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts' and 'allow-same-origin' the first time I am loaded, and with 'allow-scripts' the second time
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if1.html

@@ -1,24 +1,20 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-</head>
-<body>
-  <script>
-    window.addEventListener("message", receiveMessage, false);
-
-    function receiveMessage(event)
-    {
-      window.parent.postMessage("close", "*");
-
-      SimpleTest.executeSoon(function() {
-        window.close();
-      }); 
-    }
-  </script>
-  <iframe sandbox='allow-scripts allow-same-origin' id='if_6' src="file_iframe_sandbox_e_if6.html" height="10" width="10"></iframe>
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+</head>
+
+<script>
+  function doTest() {
+    var testContext = location.search == "" ? "?Test 10: Navigate _top:%20" : location.search;
+    document.getElementById("if_6").src = "file_iframe_sandbox_e_if6.html" + testContext;
+  }
+</script>
+
+<body onload="doTest()">
+  <iframe sandbox='allow-scripts' id='if_6' height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if10.html

@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  function doTest() {
+    var testContext = "?Test 23: Nested navigate _top with window.open():%20";
+    document.getElementById("if_9").src = "file_iframe_sandbox_e_if9.html" + testContext;
+  }
+</script>
+
+<body onload="doTest()">
+  <iframe sandbox='allow-scripts allow-top-navigation' id='if_9' height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if11.html

@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+  function doTest() {
+    var testContext = location.search.substring(1);
+    try {
+      var topsOpener = window.top.opener;
+      window.open("file_iframe_sandbox_top_navigation_pass.html?" + testContext, "_top");
+      topsOpener.postMessage({ok: true, desc: unescape(testContext) + "top navigation should be allowed by a document sandboxed with 'allow-top-navigation.'"}, "*");
+    } catch(error) {
+      window.top.opener.postMessage({ok: false, desc: unescape(testContext) + "error thrown during window.open(..., \"_top\")"}, "*");
+      window.top.close();
+    }
+  }
+</script>
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts and allow-top-navigation'
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if12.html

@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  function doTest() {
+    var testContext = location.search == "" ? "?Test 24: Navigate _top with window.open():%20" : location.search;
+    document.getElementById("if_14").src = "file_iframe_sandbox_e_if14.html" + testContext;
+  }
+</script>
+
+<body onload="doTest()">
+  <iframe sandbox='allow-scripts' id='if_14' height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if13.html

@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  function doTest() {
+    var testContext = "?Test 25: Nested navigate _top with window.open():%20";
+    document.getElementById("if_12").src = "file_iframe_sandbox_e_if12.html" + testContext;
+  }
+</script>
+
+<body onload="doTest()">
+  <iframe sandbox='allow-scripts allow-top-navigation' id='if_12' height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if14.html

@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+  function doTest() {
+    var testContext = location.search.substring(1);
+    try {
+      var topsOpener = window.top.opener;
+      window.open("file_iframe_sandbox_top_navigation_fail.html?" + testContext, "_top");
+      topsOpener.postMessage({ok: false, desc: unescape(testContext) + "top navigation should NOT be allowed by a document sandboxed without 'allow-top-navigation.'"}, "*");
+    } catch(error) {
+      window.top.opener.postMessage({ok: true, desc: unescape(testContext) + "as expected error thrown during window.open(..., \"_top\")"}, "*");
+      window.top.close();
+    }
+  }
+</script>
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts'
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if15.html

@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  // Set our name, to allow an attempt to navigate us by name.
+  window.name = "e_if15";
+</script>
+
+<body>
+  <iframe sandbox='allow-scripts' id='if_16' src="file_iframe_sandbox_e_if16.html" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if16.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  var testContext = "Test 26: navigate top by name with window.open(): ";
+
+  function doTest() {
+    try {
+      var topsOpener = window.top.opener;
+      window.open("file_iframe_sandbox_top_navigation_fail.html?" + escape(testContext), "e_if15");
+      topsOpener.postMessage({ok: false, desc: unescape(testContext) + "top navigation should NOT be allowed by a document sandboxed without 'allow-top-navigation.'"}, "*");
+    } catch(error) {
+      window.top.opener.postMessage({ok: true, desc: testContext + "as expected, error thrown during window.open(..., \"e_if15\")"}, "*");
+      window.top.close();
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed but with "allow-scripts"
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if2.html

@@ -1,22 +1,12 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-</head>
-<body>
-  <script>
-    window.addEventListener("message", receiveMessage, false);
-
-    function receiveMessage(event)
-    {
-      SimpleTest.executeSoon(function() {
-        window.close();
-      });
-    }
-  </script>
-  <iframe sandbox='allow-scripts allow-top-navigation allow-same-origin' id='if_1' src="file_iframe_sandbox_e_if1.html" height="10" width="10"></iframe>
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+</head>
+<body>
+  <iframe sandbox='allow-scripts allow-top-navigation allow-same-origin' id='if_1' src="file_iframe_sandbox_e_if1.html?Test 11: Nested navigate _top:%20" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if6.html

@@ -1,24 +1,22 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-</head>
-<script type="application/javascript">
-function doTest() {
-  sendMouseEvent({type:'click'}, 'anchor');
-
-   SimpleTest.executeSoon(function() {
-     window.parent.postMessage("close", "*");
-   });
-}
-</script>
-<body onload="doTest()">
-  I am sandboxed with 'allow-scripts'
-
-  <a href="file_iframe_sandbox_top_navigation_fail.html" target='_top' id='anchor'>
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+</head>
+<script type="application/javascript">
+function doTest() {
+  document.getElementById('anchor').href = "file_iframe_sandbox_top_navigation_fail.html" + location.search;
+  window.top.opener.postMessage("test attempted", "*");
+  sendMouseEvent({type:'click'}, 'anchor');
+}
+</script>
+<body onload="doTest()">
+  I am sandboxed with 'allow-scripts'
+
+  <a target='_top' id='anchor'>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if7.html

@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  // Set our name, to allow an attempt to navigate us by name.
+  window.name = "e_if7";
+</script>
+
+<body>
+  <iframe sandbox='allow-scripts' id='if_8' src="file_iframe_sandbox_e_if8.html" height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if8.html

@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+
+<script>
+  function doTest() {
+    // Try to navigate top using its name (e_if7).  We should not be able to do this as allow-top-navigation is not specified.
+    window.top.opener.postMessage("test attempted", "*");
+    sendMouseEvent({type:'click'}, 'navigate_top');
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed but with "allow-scripts"
+
+  <a href="file_iframe_sandbox_top_navigation_fail.html?Test 15: Navigate top by name:%20" target="e_if7" id="navigate_top">navigate top</a>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_e_if9.html

@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  function doTest() {
+    var testContext = location.search == "" ? "?Test 22: Navigate _top with window.open():%20" : location.search;
+    document.getElementById("if_11").src = "file_iframe_sandbox_e_if11.html" + testContext;
+  }
+</script>
+
+<body onload="doTest()">
+  <iframe sandbox='allow-scripts allow-top-navigation' id='if_11' height="10" width="10"></iframe>
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_navigation_fail.html

@@ -1,16 +1,17 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body onLoad="doStuff()">
-FAIL
-</body>
-<script>
-  function doStuff() {
-    window.parent.postMessage({ok: false, desc: "this navigation should NOT be allowed by a sandboxed document"}, "*");
-  }
-</script>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body onLoad="doStuff()">
+FAIL
+</body>
+<script>
+  function doStuff() {
+    var testContext = unescape(location.search.substring(1));
+    window.parent.postMessage({ok: false, desc: testContext + "this navigation should NOT be allowed by a sandboxed document", addToAttempted: false}, "*");
+  }
+</script>
+</html>

content/html/content/test/file_iframe_sandbox_navigation_pass.html

@@ -1,16 +1,17 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script>
-function doStuff() {
-  window.parent.postMessage({ok: true, desc: "this navigation should be allowed by a sandboxed document"}, "*");
-}
-</script>
-<body onLoad="doStuff()">
-PASS
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+function doStuff() {
+  var testContext = unescape(location.search.substring(1));
+  window.parent.postMessage({ok: true, desc: testContext + "this navigation should be allowed by a sandboxed document"}, "*");
+}
+</script>
+<body onLoad="doStuff()">
+PASS
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_top_navigation_fail.html

@@ -1,17 +1,18 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script>
-function doStuff() {
-	window.opener.postMessage({ok: false, desc:  "top navigation should NOT be allowed by a document sandboxed without 'allow-top-navigation'"}, "*");
-	window.close();
-}
-</script>
-<body onLoad="doStuff()">
-FAIL\
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+function doStuff() {
+  var testContext = unescape(location.search.substring(1));
+  window.opener.postMessage({ok: false, desc: testContext + "top navigation should NOT be allowed by a document sandboxed without 'allow-top-navigation'", addToAttempted: false}, "*");
+  window.close();
+}
+</script>
+<body onLoad="doStuff()">
+FAIL\
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_top_navigation_pass.html

@@ -1,17 +1,18 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script>
-function doStuff() {
-	window.opener.postMessage({ok: true, desc:  "top navigation should be allowed by a document sandboxed with 'allow-top-navigation'"}, "*");
-	window.close();
-}
-</script>
-<body onLoad="doStuff()">
-PASS
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+function doStuff() {
+  var testContext = unescape(location.search.substring(1));
+  window.opener.postMessage({ok: true, desc: testContext + "top navigation should be allowed by a document sandboxed with 'allow-top-navigation'"}, "*");
+  window.close();
+}
+</script>
+<body onLoad="doStuff()">
+PASS
+</body>
+</html>

content/html/content/test/file_iframe_sandbox_window_navigation_fail.html

@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 838692</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+function doStuff() {
+  var testContext = unescape(location.search.substring(1));
+  window.opener.postMessage({ok: false, desc: testContext + "a sandboxed document should not be able to navigate a window it hasn't opened.", addToAttempted: false}, "*");
+  window.close();
+}
+</script>
+
+<body onLoad="doStuff()">
+FAIL
+</body>
+</html>

content/html/content/test/test_bug874758.html

@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html data-expando-prop="xyz">
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=874758
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 874758</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 874758 **/
+  Object.prototype.expandoProp = 5;
+  is({}.expandoProp, 5, "Should see this on random objects");
+
+  is(document.head.dataset.expandoProp, 5, "Should see this on dataset too");
+  is(document.documentElement.dataset.expandoProp, "xyz",
+     "But if the dataset has it, we should get it from there");
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=874758">Mozilla Bug 874758</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>

content/html/content/test/test_iframe_sandbox_navigation.html

@@ -1,234 +1,271 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=341604
-Implement HTML5 sandbox attribute for IFRAMEs
--->
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 341604 - navigation</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-	<script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script type="application/javascript">
-
-SimpleTest.expectAssertions(1, 2);
-
-/** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs **/
-/** Navigation tests **/
-
-SimpleTest.waitForExplicitFinish();
-// a postMessage handler that is used by sandboxed iframes without
-// 'allow-same-origin'/other windows to communicate pass/fail back to this main page.
-// it expects to be called with an object like {ok: true/false, desc:
-// <description of the test> which it then forwards to ok()
-window.addEventListener("message", receiveMessage, false);
-
-var testPassesReceived = 0;
-
-function receiveMessage(event) {
-  // this message is part of if_10's test
-  if (event.data.test == 'if_10') {
-    doIf10TestPart2();
-    return;
-  }
-
-  ok_wrapper(event.data.ok, event.data.desc);
-}
-
-var completedTests = 0;
-var passedTests = 0;
-
-function ok_wrapper(result, desc) {
-  ok(result, desc);
-
-  completedTests++;
-
-  if (result) {
-    passedTests++;
-  }
-
-  if (completedTests == 6) {
-    is(passedTests, 6, "There are 6 navigation tests that should pass");
-
-    SimpleTest.finish();
-  }
-}
-
-function doTest() {
-  // passes if good
-  // 1) A sandboxed iframe is allowed to navigate itself
-  // (done by file_iframe_sandbox_d_if1.html which has 'allow-scripts' and navigates to
-  // file_iframe_sandbox_navigation_pass.html).
-
-  // passes if good
-  // 2) A sandboxed iframe is allowed to navigate its children, even if they are sandboxed
-  // (done by file_iframe_sandbox_d_if2.html which has 'allow-scripts', it navigates a child
-  // iframe containing file_iframe_sandbox_navigation_start.html to file_iframe_sandbox_navigation_pass.html).
-
-  // fails if bad
-  // 3) A sandboxed iframe is not allowed to navigate its ancestor
-  // (done by file_iframe_sandbox_d_if4.html contained within file_iframe_sandbox_d_if3.html,
-  // it attempts to navigate file_iframe_sandbox_d_if3.html to file_iframe_sandbox_navigation_fail.html).
-
-  // fails if bad
-  // 4) A sandboxed iframe is not allowed to navigate its sibling
-  // (done by file_iframe_sandbox_d_if5.html which has 'allow scripts allow-same-origin'
-  // and attempts to navigate file_iframe_navigation_start.html contained in if_sibling on this
-  // page to file_iframe_sandbox_navigation_fail.html).
-
-  // fails if bad
-  // 5) When a link is clicked in a sandboxed iframe, the document navigated to is sandboxed
-  // the same as the original document and is not same origin with parent document
-  // (done by file_iframe_sandbox_d_if6.html which simulates a link click and navigates
-  // to file_iframe_sandbox_d_if7.html which attempts to call back into its parent).
-
-  // fails if bad
-  // 6) An iframe (if_8) has sandbox="allow-same-origin allow-scripts", the sandboxed document
-  // (file_iframe_sandbox_d_if_8.html) that it contains accesses its parent (this file) and removes
-  // 'allow-same-origin' and then triggers a reload.
-  // The document should not be able to access its parent (this file).
-
-  // fails if bad
-  // 7) An iframe (if_9) has sandbox="allow-same-origin allow-scripts", the sandboxed document
-  // (file_iframe_sandbox_d_if_9.html) that it contains accesses its parent (this file) and removes
-  // 'allow-scripts' and then triggers a reload.
-  // The document should not be able to run a script and access its parent (this file).
-
-  // passes if good
-  // 8) a document in an iframe with sandbox='allow-scripts' should have a different null
-  // principal in its original document than a document to which it navigates itself
-  // file_iframe_sandbox_d_if_10.html does this, co-ordinating with this page via postMessage
-  
-  // passes if good
-  // 9) a document (file_iframe_sandbox_d_if11.html in an iframe (if_11) with sandbox='allow-scripts'
-  // is navigated to file_iframe_sandbox_d_if12.html - when that document loads
-  // a message is sent back to this document, which adds 'allow-same-origin' to if_11 and then
-  // calls .back on it - file_iframe_sandbox_if12.html should be able to call back into this
-  // document - this is all contained in file_iframe_sandbox_d_if13.html which is opened in another
-  // tab so it has its own isolated session history
-  window.open("file_iframe_sandbox_d_if13.html");
-  
-  // open up the top navigation tests
-
-  // fails if bad
-  // 10) iframe with sandbox='allow-scripts' can NOT navigate top
-  // file_iframe_sandbox_e_if1.html contains file_iframe_sandbox_e_if6.html which
-  // attempts to navigate top
-  window.open("file_iframe_sandbox_e_if1.html");
-
-  // fails if bad
-  // 11) iframe with sandbox='allow-scripts' nested inside iframe with
-  // 'allow-top-navigation allow-scripts' can NOT navigate top
-  // file_iframe_sandbox_e_if2.html contains file_iframe_sandbox_e_if1.html which
-  // contains file_iframe_sandbox_e_if6.html which attempts to navigate top
-  window.open("file_iframe_sandbox_e_if2.html");
-
-  // passes if good
-  // 12) iframe with sandbox='allow-top-navigation allow-scripts' can navigate top
-  // file_iframe_sandbox_e_if3.html contains file_iframe_sandbox_e_if5.html which navigates top
-  window.open("file_iframe_sandbox_e_if3.html");
-
-  // passes if good
-  // 131) iframe with sandbox='allow-top-navigation allow-scripts' nested inside an iframe with
-  // 'allow-top-navigation allow-scripts' can navigate top
-  // file_iframe_sandbox_e_if4.html contains file_iframe_sandbox_e_if3.html which contains
-  // file_iframe_sandbox_e_if5.html which navigates top
-  window.open("file_iframe_sandbox_e_if4.html");
-}
-
-addLoadEvent(doTest);
-
-window.modified_if_8 = false;
-
-function reload_if_8() {
-  var if_8 = document.getElementById('if_8');
-  if_8.src = 'file_iframe_sandbox_d_if8.html';
-}
-
-function modify_if_8() {
-  // If this is the second time this has been called
-  // that's a failed test (allow-same-origin was removed
-  // the first time).
-  if (window.modified_if_8) {
-    ok_wrapper(false, "an sandboxed iframe from which 'allow-same-origin' was removed should not be able to access its parent");
-
-    // need to return here since we end up in an infinite loop otherwise
-    return;
-  }
-
-  var if_8 = document.getElementById('if_8');
-  window.modified_if_8 = true;
-
-  if_8.sandbox = 'allow-scripts';
-  sendMouseEvent({type:'click'}, 'a_button');
-}
-
-window.modified_if_9 = false;
-
-function reload_if_9() {
-  var if_9 = document.getElementById('if_9');
-  if_9.src = 'file_iframe_sandbox_d_if9.html';
-}
-
-function modify_if_9() {
-  // If this is the second time this has been called
-  // that's a failed test (allow-scripts was removed
-  // the first time).
-  if (window.modified_if_9) {
-    ok_wrapper(false, "an sandboxed iframe from which 'allow-scripts' should be removed should not be able to access its parent via a script");
-
-    // need to return here since we end up in an infinite loop otherwise
-    return;
-  }
-
-  var if_9 = document.getElementById('if_9');
-  window.modified_if_9 = true;
-
-  if_9.sandbox = 'allow-same-origin';
-
-  sendMouseEvent({type:'click'}, 'a_button2');
-}
-
-var firstPrincipal = "";
-var secondPrincipal;
-
-function doIf10TestPart1() {
-  if (firstPrincipal != "")
-    return;
-
-  // use SpecialPowers to get the principal of if_10.
-  // NB: We stringify here and below because special-powers wrapping doesn't
-  // preserve identity.
-  var if_10 = document.getElementById('if_10');
-  firstPrincipal = SpecialPowers.wrap(if_10).contentDocument.nodePrincipal.origin;
-  if_10.src = 'file_iframe_sandbox_d_if10.html';
-
-}
-function doIf10TestPart2() {
-  var if_10 = document.getElementById('if_10');
-  // use SpecialPowers to get the principal of if_10
-  secondPrincipal = SpecialPowers.wrap(if_10).contentDocument.nodePrincipal.origin;
-  ok_wrapper(firstPrincipal != secondPrincipal, "documents should NOT have the same principal if they are sandboxed without" +
-    " allow-same-origin and the first document is navigated to the second");
-}
-</script>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
-<p id="display"></p>
-<div id="content">
-<iframe sandbox="allow-scripts" id="if_1" src="file_iframe_sandbox_d_if1.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-scripts" id="if_2" src="file_iframe_sandbox_d_if2.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-scripts" id="if_3" src="file_iframe_sandbox_d_if3.html" height="10" width="10"></iframe>
-<iframe sandbox="allow_scripts allow-same-origin" id="if_5" src="file_iframe_sandbox_d_if5.html" height="10" width="10"></iframe>
-<iframe id="if_sibling" src="file_iframe_sandbox_navigation_start.html" height="10" width="10"></iframe>
-<iframe sandbox="allow_scripts" id="if_6" src="file_iframe_sandbox_d_if6.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-same-origin allow-scripts" id="if_8" src="file_iframe_sandbox_d_if8.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-same-origin allow-scripts" id="if_9" src="file_iframe_sandbox_d_if9.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-scripts" id="if_10" src="file_iframe_sandbox_navigation_start.html" onload='doIf10TestPart1()' height="10" width="10"></iframe>
-</div>
-<input type='button' id="a_button" onclick='reload_if_8()'>
-<input type='button' id="a_button2" onclick='reload_if_9()'>
-</body>
-</html>
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=341604
+Implement HTML5 sandbox attribute for IFRAMEs
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604 - navigation</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script type="application/javascript">
+/** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs **/
+/** Navigation tests Part 1**/
+
+SimpleTest.expectAssertions(1, 3);
+SimpleTest.waitForExplicitFinish();
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin'/other windows to communicate pass/fail back to this main page.
+// it expects to be called with an object like {ok: true/false, desc:
+// <description of the test> which it then forwards to ok()
+window.addEventListener("message", receiveMessage, false);
+
+var testPassesReceived = 0;
+
+function receiveMessage(event) {
+  // this message is part of if_10's test
+  if (event.data.test == 'if_10') {
+    doIf10TestPart2();
+  } else if (event.data == "test attempted") {
+    testAttempted();
+  } else {
+    ok_wrapper(event.data.ok, event.data.desc, event.data.addToAttempted);
+  }
+}
+
+// Open windows for tests to attempt to navigate later.
+var windowsToClose = new Array();
+windowsToClose.push(window.open("about:blank", "window_to_navigate"));
+windowsToClose.push(window.open("about:blank", "window_to_navigate2"));
+
+var attemptedTests = 0;
+var passedTests = 0;
+var totalTestsToPass = 8;
+var totalTestsToAttempt = 13;
+
+function ok_wrapper(result, desc, addToAttempted = true) {
+  ok(result, desc);
+
+  if (result) {
+    passedTests++;
+  }
+
+  if (addToAttempted) {
+    testAttempted();
+  }
+}
+
+// Added so that tests that don't register unless they fail,
+// can at least notify that they've attempted to run.
+function testAttempted() {
+  attemptedTests++;
+  if (attemptedTests == totalTestsToAttempt) {
+    // Make sure all tests have had a chance to complete.
+    setTimeout(function() {finish();}, 1000);
+  }
+}
+
+var finishCalled = false;
+
+function finish() {
+  if (!finishCalled) {
+    finishCalled = true;
+    is(passedTests, totalTestsToPass, "There are " + totalTestsToPass + " navigation tests that should pass");
+
+    for (var i = 0; i < windowsToClose.length; i++) {
+      windowsToClose[i].close();
+    }
+
+    SimpleTest.finish();
+  }
+}
+
+function checkTestsFinished() {
+  // If our own finish() has not been called, probably failed due to a timeout, so close remaining windows.
+  if (!finishCalled) {
+    for (var i = 0; i < windowsToClose.length; i++) {
+      windowsToClose[i].close();
+    }
+  }
+}
+
+function doTest() {
+  // passes if good
+  // 1) A sandboxed iframe is allowed to navigate itself
+  // (done by file_iframe_sandbox_d_if1.html which has 'allow-scripts' and navigates to
+  // file_iframe_sandbox_navigation_pass.html).
+
+  // passes if good
+  // 2) A sandboxed iframe is allowed to navigate its children, even if they are sandboxed
+  // (done by file_iframe_sandbox_d_if2.html which has 'allow-scripts', it navigates a child
+  // iframe containing file_iframe_sandbox_navigation_start.html to file_iframe_sandbox_navigation_pass.html).
+
+  // fails if bad
+  // 3) A sandboxed iframe is not allowed to navigate its ancestor
+  // (done by file_iframe_sandbox_d_if4.html contained within file_iframe_sandbox_d_if3.html,
+  // it attempts to navigate file_iframe_sandbox_d_if3.html to file_iframe_sandbox_navigation_fail.html).
+
+  // fails if bad
+  // 4) A sandboxed iframe is not allowed to navigate its sibling
+  // (done by file_iframe_sandbox_d_if5.html which has 'allow scripts allow-same-origin'
+  // and attempts to navigate file_iframe_navigation_start.html contained in if_sibling on this
+  // page to file_iframe_sandbox_navigation_fail.html).
+
+  // passes if good, fails if bad
+  // 5) When a link is clicked in a sandboxed iframe, the document navigated to is sandboxed
+  // the same as the original document and is not same origin with parent document
+  // (done by file_iframe_sandbox_d_if6.html which simulates a link click and navigates
+  // to file_iframe_sandbox_d_if7.html which attempts to call back into its parent).
+
+  // passes if good, fails if bad
+  // 6) An iframe (if_8) has sandbox="allow-same-origin allow-scripts", the sandboxed document
+  // (file_iframe_sandbox_d_if_8.html) that it contains accesses its parent (this file) and removes
+  // 'allow-same-origin' and then triggers a reload.
+  // The document should not be able to access its parent (this file).
+
+  // fails if bad
+  // 7) An iframe (if_9) has sandbox="allow-same-origin allow-scripts", the sandboxed document
+  // (file_iframe_sandbox_d_if_9.html) that it contains accesses its parent (this file) and removes
+  // 'allow-scripts' and then triggers a reload.
+  // The document should not be able to run a script and access its parent (this file).
+
+  // passes if good
+  // 8) a document in an iframe with sandbox='allow-scripts' should have a different null
+  // principal in its original document than a document to which it navigates itself
+  // file_iframe_sandbox_d_if_10.html does this, co-ordinating with this page via postMessage
+
+  // passes if good
+  // 9) a document (file_iframe_sandbox_d_if11.html in an iframe (if_11) with sandbox='allow-scripts'
+  // is navigated to file_iframe_sandbox_d_if12.html - when that document loads
+  // a message is sent back to this document, which adds 'allow-same-origin' to if_11 and then
+  // calls .back on it - file_iframe_sandbox_if12.html should be able to call back into this
+  // document - this is all contained in file_iframe_sandbox_d_if13.html which is opened in another
+  // tab so it has its own isolated session history
+  window.open("file_iframe_sandbox_d_if13.html");
+
+  // open up the top navigation tests
+
+  // fails if bad
+  // 10) iframe with sandbox='allow-scripts' can NOT navigate top
+  // file_iframe_sandbox_e_if1.html contains file_iframe_sandbox_e_if6.html which
+  // attempts to navigate top
+  windowsToClose.push(window.open("file_iframe_sandbox_e_if1.html"));
+
+  // fails if bad
+  // 11) iframe with sandbox='allow-scripts' nested inside iframe with
+  // 'allow-top-navigation allow-scripts' can NOT navigate top
+  // file_iframe_sandbox_e_if2.html contains file_iframe_sandbox_e_if1.html which
+  // contains file_iframe_sandbox_e_if6.html which attempts to navigate top
+  windowsToClose.push(window.open("file_iframe_sandbox_e_if2.html"));
+
+  // passes if good
+  // 12) iframe with sandbox='allow-top-navigation allow-scripts' can navigate top
+  // file_iframe_sandbox_e_if3.html contains file_iframe_sandbox_e_if5.html which navigates top
+  window.open("file_iframe_sandbox_e_if3.html");
+
+  // passes if good
+  // 13) iframe with sandbox='allow-top-navigation allow-scripts' nested inside an iframe with
+  // 'allow-top-navigation allow-scripts' can navigate top
+  // file_iframe_sandbox_e_if4.html contains file_iframe_sandbox_e_if3.html which contains
+  // file_iframe_sandbox_e_if5.html which navigates top
+  window.open("file_iframe_sandbox_e_if4.html");
+}
+
+addLoadEvent(doTest);
+
+window.modified_if_8 = false;
+
+function reload_if_8() {
+  var if_8 = document.getElementById('if_8');
+  if_8.src = 'file_iframe_sandbox_d_if8.html?onreload';
+}
+
+function modify_if_8() {
+  // If this is the second time this has been called
+  // that's a failed test (allow-same-origin was removed
+  // the first time).
+  if (window.modified_if_8) {
+    ok_wrapper(false, "an sandboxed iframe from which 'allow-same-origin' was removed should not be able to access its parent");
+
+    // need to return here since we end up in an infinite loop otherwise
+    return;
+  }
+
+  var if_8 = document.getElementById('if_8');
+  window.modified_if_8 = true;
+
+  if_8.sandbox = 'allow-scripts';
+  sendMouseEvent({type:'click'}, 'a_button');
+}
+
+window.modified_if_9 = false;
+
+function reload_if_9() {
+  var if_9 = document.getElementById('if_9');
+  if_9.src = 'file_iframe_sandbox_d_if9.html';
+}
+
+function modify_if_9() {
+  // If this is the second time this has been called
+  // that's a failed test (allow-scripts was removed
+  // the first time).
+  if (window.modified_if_9) {
+    ok_wrapper(false, "an sandboxed iframe from which 'allow-scripts' should be removed should not be able to access its parent via a script", false);
+
+    // need to return here since we end up in an infinite loop otherwise
+    return;
+  }
+
+  var if_9 = document.getElementById('if_9');
+  window.modified_if_9 = true;
+
+  if_9.sandbox = 'allow-same-origin';
+
+  sendMouseEvent({type:'click'}, 'a_button2');
+  testAttempted();
+}
+
+var firstPrincipal = "";
+var secondPrincipal;
+
+function doIf10TestPart1() {
+  if (firstPrincipal != "")
+    return;
+
+  // use SpecialPowers to get the principal of if_10.
+  // NB: We stringify here and below because special-powers wrapping doesn't
+  // preserve identity.
+  var if_10 = document.getElementById('if_10');
+  firstPrincipal = SpecialPowers.wrap(if_10).contentDocument.nodePrincipal.origin;
+  if_10.src = 'file_iframe_sandbox_d_if10.html';
+}
+
+function doIf10TestPart2() {
+  var if_10 = document.getElementById('if_10');
+  // use SpecialPowers to get the principal of if_10
+  secondPrincipal = SpecialPowers.wrap(if_10).contentDocument.nodePrincipal.origin;
+  ok_wrapper(firstPrincipal != secondPrincipal, "documents should NOT have the same principal if they are sandboxed without" +
+    " allow-same-origin and the first document is navigated to the second");
+}
+</script>
+<body onunload="checkTestsFinished()">
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
+<p id="display"></p>
+<div id="content">
+<iframe sandbox="allow-scripts" id="if_1" src="file_iframe_sandbox_d_if1.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_2" src="file_iframe_sandbox_d_if2.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_3" src="file_iframe_sandbox_d_if3.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts allow-same-origin" id="if_5" src="file_iframe_sandbox_d_if5.html" height="10" width="10"></iframe>
+<iframe id="if_sibling" name="if_sibling" src="file_iframe_sandbox_navigation_start.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_6" src="file_iframe_sandbox_d_if6.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-same-origin allow-scripts" id="if_8" src="file_iframe_sandbox_d_if8.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-same-origin allow-scripts" id="if_9" src="file_iframe_sandbox_d_if9.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_10" src="file_iframe_sandbox_navigation_start.html" onload='doIf10TestPart1()' height="10" width="10"></iframe>
+</div>
+<input type='button' id="a_button" onclick='reload_if_8()'>
+<input type='button' id="a_button2" onclick='reload_if_9()'>
+</body>
+</html>

content/html/content/test/test_iframe_sandbox_navigation2.html

@@ -0,0 +1,187 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=341604
+Implement HTML5 sandbox attribute for IFRAMEs
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604 - navigation</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script type="application/javascript">
+/** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs **/
+/** Navigation tests Part 2**/
+
+SimpleTest.expectAssertions(0);
+SimpleTest.waitForExplicitFinish();
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin'/other windows to communicate pass/fail back to this main page.
+// it expects to be called with an object like {ok: true/false, desc:
+// <description of the test> which it then forwards to ok()
+window.addEventListener("message", receiveMessage, false);
+
+var testPassesReceived = 0;
+
+function receiveMessage(event) {
+  if (event.data == "test attempted") {
+    testAttempted();
+  } else {
+    ok_wrapper(event.data.ok, event.data.desc, event.data.addToAttempted);
+  }
+}
+
+// Open windows for tests to attempt to navigate later.
+var windowsToClose = new Array();
+windowsToClose.push(window.open("about:blank", "window_to_navigate"));
+windowsToClose.push(window.open("about:blank", "window_to_navigate2"));
+
+var attemptedTests = 0;
+var passedTests = 0;
+var totalTestsToPass = 10;
+var totalTestsToAttempt = 13;
+
+function ok_wrapper(result, desc, addToAttempted = true) {
+  ok(result, desc);
+
+  if (result) {
+    passedTests++;
+  }
+
+  if (addToAttempted) {
+    testAttempted();
+  }
+}
+
+// Added so that tests that don't register unless they fail,
+// can at least notify that they've attempted to run.
+function testAttempted() {
+  attemptedTests++;
+  if (attemptedTests == totalTestsToAttempt) {
+    // Make sure all tests have had a chance to complete.
+    setTimeout(function() {finish();}, 1000);
+  }
+}
+
+var finishCalled = false;
+
+function finish() {
+  if (!finishCalled) {
+    finishCalled = true;
+    is(passedTests, totalTestsToPass, "There are " + totalTestsToPass + " navigation tests that should pass");
+
+    for (var i = 0; i < windowsToClose.length; i++) {
+      windowsToClose[i].close();
+    }
+
+    SimpleTest.finish();
+  }
+}
+
+function checkTestsFinished() {
+  // If our own finish() has not been called, probably failed due to a timeout, so close remaining windows.
+  if (!finishCalled) {
+    for (var i = 0; i < windowsToClose.length; i++) {
+      windowsToClose[i].close();
+    }
+  }
+}
+
+function doTest() {
+  // fails if bad
+  // 14) iframe with sandbox='allow-same-origin allow-scripts allow-top-navigation' should not
+  // be able to navigate another window (opened by another browsing context) using its name.
+  // file_iframe_sandbox_d_if14.html in if_14 attempts to navigate "window_to_navigate",
+  // which has been opened in preparation.
+
+  // fails if bad
+  // 15) iframe with sandbox='allow-scripts' should not be able to navigate top using its
+  // real name (instead of _top) as allow-top-navigation is not specified.
+  // file_iframe_sandbox_e_if7.html contains file_iframe_sandbox_e_if8.html, which
+  // attempts to navigate top by name.
+  windowsToClose.push(window.open("file_iframe_sandbox_e_if7.html"));
+
+  // fails if bad
+  // 16) iframe with sandbox='allow-same-origin allow-scripts allow-top-navigation' should not
+  // be able to use its parent's name (instead of _parent) to navigate it, when it is not top.
+  // (Note: this would apply to other ancestors that are not top as well.)
+  // file_iframe_sandbox_d_if15.html in if_15 contains file_iframe_sandbox_d_if16.html, which
+  // tries to navigate if_15 by its name (if_parent).
+
+  // passes if good, fails if bad
+  // 17) A sandboxed iframe is allowed to navigate itself using window.open().
+  // (Done by file_iframe_sandbox_d_if17.html which has 'allow-scripts' and navigates to
+  // file_iframe_sandbox_navigation_pass.html).
+
+  // passes if good, fails if bad
+  // 18) A sandboxed iframe is allowed to navigate its children with window.open(), even if
+  // they are sandboxed.  (Done by file_iframe_sandbox_d_if18.html which has 'allow-scripts',
+  // it navigates a child iframe to file_iframe_sandbox_navigation_pass.html).
+
+  // passes if good, fails if bad
+  // 19) A sandboxed iframe is not allowed to navigate its ancestor with window.open().
+  // (Done by file_iframe_sandbox_d_if20.html contained within file_iframe_sandbox_d_if19.html,
+  // it attempts to navigate file_iframe_sandbox_d_if19.html to file_iframe_sandbox_navigation_fail.html).
+
+  // passes if good, fails if bad
+  // 20) iframe with sandbox='allow-same-origin allow-scripts allow-top-navigation' should not
+  // be able to navigate another window (opened by another browsing context) using window.open(..., "<name>").
+  // file_iframe_sandbox_d_if14.html in if_14 attempts to navigate "window_to_navigate2",
+  // which has been opened in preparation, using window.open(..., "window_to_navigate2").
+
+  // passes if good, fails if bad
+  // 21) iframe with sandbox='allow-same-origin allow-scripts allow-top-navigation' should not
+  // be able to use its parent's name (not _parent) to navigate it using window.open(), when it is not top.
+  // (Note: this would apply to other ancestors that are not top as well.)
+  // file_iframe_sandbox_d_if21.html in if_21 contains file_iframe_sandbox_d_if22.html, which
+  // tries to navigate if_21 by its name (if_parent2).
+
+  // passes if good, fails if bad
+  // 22) iframe with sandbox='allow-top-navigation allow-scripts' can navigate top with window.open().
+  // file_iframe_sandbox_e_if9.html contains file_iframe_sandbox_e_if11.html which navigates top.
+  window.open("file_iframe_sandbox_e_if9.html");
+
+  // passes if good, fails if bad
+  // 23) iframe with sandbox='allow-top-navigation allow-scripts' nested inside an iframe with
+  // 'allow-top-navigation allow-scripts' can navigate top, with window.open().
+  // file_iframe_sandbox_e_if10.html contains file_iframe_sandbox_e_if9.html which contains
+  // file_iframe_sandbox_e_if11.html which navigates top.
+  window.open("file_iframe_sandbox_e_if10.html");
+
+  // passes if good, fails if bad
+  // 24) iframe with sandbox='allow-scripts' can NOT navigate top with window.open().
+  // file_iframe_sandbox_e_if12.html contains file_iframe_sandbox_e_if14.html which navigates top.
+  window.open("file_iframe_sandbox_e_if12.html");
+
+  // passes if good, fails if bad
+  // 25) iframe with sandbox='allow-scripts' nested inside an iframe with
+  // 'allow-top-navigation allow-scripts' can NOT navigate top, with window.open(..., "_top").
+  // file_iframe_sandbox_e_if13.html contains file_iframe_sandbox_e_if12.html which contains
+  // file_iframe_sandbox_e_if14.html which navigates top.
+  window.open("file_iframe_sandbox_e_if13.html");
+
+  // passes if good, fails if bad
+  // 26) iframe with sandbox='allow-scripts' should not be able to navigate top using its real name
+  // (not with _top e.g. window.open(..., "topname")) as allow-top-navigation is not specified.
+  // file_iframe_sandbox_e_if15.html contains file_iframe_sandbox_e_if16.html, which
+  // attempts to navigate top by name using window.open().
+  window.open("file_iframe_sandbox_e_if15.html");
+}
+
+addLoadEvent(doTest);
+</script>
+<body onunload="checkTestsFinished()">
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
+<p id="display"></p>
+<div id="content">
+<iframe sandbox="allow-same-origin allow-scripts allow-top-navigation" id="if_14" src="file_iframe_sandbox_d_if14.html" height="10" width="10"></iframe>
+<iframe id="if_15" name="if_parent" src="file_iframe_sandbox_d_if15.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_17" src="file_iframe_sandbox_d_if17.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_18" src="file_iframe_sandbox_d_if18.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_19" src="file_iframe_sandbox_d_if19.html" height="10" width="10"></iframe>
+<iframe id="if_21" name="if_parent2" src="file_iframe_sandbox_d_if21.html" height="10" width="10"></iframe>
+</div>
+</body>
+</html>

content/svg/content/src/SVGFETurbulenceElement.cpp

@@ -264,7 +264,7 @@ SVGFETurbulenceElement::Noise2(int aColorChannel, double aVec[2],
 {
   int bx0, bx1, by0, by1, b00, b10, b01, b11;
   double rx0, rx1, ry0, ry1, *q, sx, sy, a, b, t, u, v;
-  register long i, j;
+  long i, j;
   t = aVec[0] + sPerlinN;
   bx0 = (int) t;
   bx1 = bx0 + 1;

docshell/base/nsDocShell.cpp

@@ -3087,14 +3087,18 @@ nsDocShell::FindItemWithName(const PRUnichar * aName,
     if (!*aName)
         return NS_OK;
 
-    if (!aRequestor)
-    {
-        nsCOMPtr<nsIDocShellTreeItem> foundItem;
+    if (aRequestor) {
+        // If aRequestor is not null we don't need to check special names, so
+        // just hand straight off to the search by actual name function.
+        return DoFindItemWithName(aName, aRequestor, aOriginalRequestor,
+                                  _retval);
+    } else {
 
         // This is the entry point into the target-finding algorithm.  Check
         // for special names.  This should only be done once, hence the check
         // for a null aRequestor.
 
+        nsCOMPtr<nsIDocShellTreeItem> foundItem;
         nsDependentString name(aName);
         if (name.LowerCaseEqualsLiteral("_self")) {
             foundItem = this;
@@ -3143,16 +3147,19 @@ nsDocShell::FindItemWithName(const PRUnichar * aName,
                 // a new window?
             }
 #endif
+        } else {
+            // Do the search for item by an actual name.
+            DoFindItemWithName(aName, aRequestor, aOriginalRequestor,
+                               getter_AddRefs(foundItem));
         }
 
         if (foundItem && !CanAccessItem(foundItem, aOriginalRequestor)) {
             foundItem = nullptr;
         }
 
+        // DoFindItemWithName only returns active items and we don't check if
+        // the item is active for the special cases.
         if (foundItem) {
-            // We return foundItem here even if it's not an active
-            // item since all the names we've dealt with so far are
-            // special cases that we won't bother looking for further.
 
             // If our document is sandboxed, we need to do some extra checks.
             uint32_t sandboxFlags = 0;
@@ -3174,17 +3181,14 @@ nsDocShell::FindItemWithName(const PRUnichar * aName,
                     bool isAncestor = false;
 
                     nsCOMPtr<nsIDocShellTreeItem> parentAsItem;
-                    GetSameTypeParent(getter_AddRefs(parentAsItem));
-
+                    foundItem->GetSameTypeParent(getter_AddRefs(parentAsItem));
                     while (parentAsItem) {
-                        nsCOMPtr<nsIDocShellTreeItem> tmp;
-                        parentAsItem->GetParent(getter_AddRefs(tmp));
-
-                        if (tmp && tmp == selfAsItem) {
+                        if (parentAsItem == selfAsItem) {
                             isAncestor = true;
                             break;
                         }
-                        parentAsItem = tmp;
+                        nsCOMPtr<nsIDocShellTreeItem> tmp = parentAsItem;
+                        tmp->GetSameTypeParent(getter_AddRefs(parentAsItem));
                     }
 
                     if (!isAncestor) {
@@ -3212,12 +3216,17 @@ nsDocShell::FindItemWithName(const PRUnichar * aName,
             }
 
             foundItem.swap(*_retval);
-            return NS_OK;
         }
+        return NS_OK;
     }
+}
 
-    // Keep looking
-        
+nsresult
+nsDocShell::DoFindItemWithName(const PRUnichar* aName,
+                               nsISupports* aRequestor,
+                               nsIDocShellTreeItem* aOriginalRequestor,
+                               nsIDocShellTreeItem** _retval)
+{
     // First we check our name.
     if (mName.Equals(aName) && ItemIsActive(this) &&
         CanAccessItem(this, aOriginalRequestor)) {

docshell/base/nsDocShell.h

@@ -874,6 +874,13 @@ private:
     int32_t           mParentCharsetSource;
     nsCString         mOriginalUriString;
 
+    // Separate function to do the actual name (i.e. not _top, _self etc.)
+    // searching for FindItemWithName.
+    nsresult DoFindItemWithName(const PRUnichar* aName,
+                                nsISupports* aRequestor,
+                                nsIDocShellTreeItem* aOriginalRequestor,
+                                nsIDocShellTreeItem** _retval);
+
 #ifdef DEBUG
     // We're counting the number of |nsDocShells| to help find leaks
     static unsigned long gNumberOfDocShells;

dom/bindings/BindingUtils.cpp

@@ -60,47 +60,26 @@ ThrowErrorMessage(JSContext* aCx, const ErrNum aErrorNumber, ...)
 }
 
 bool
-ThrowInvalidMethodThis(JSContext* aCx, const JS::CallArgs& aArgs,
-                       const char* aInterfaceName)
+ThrowInvalidThis(JSContext* aCx, const JS::CallArgs& aArgs,
+                 const ErrNum aErrorNumber,
+                 const char* aInterfaceName)
 {
   NS_ConvertASCIItoUTF16 ifaceName(aInterfaceName);
-  // This should only be called for DOM methods, which are JSNative-backed
-  // functions, so we can assume that JS_ValueToFunction and
-  // JS_GetFunctionDisplayId will both return non-null and that
-  // JS_GetStringCharsZ returns non-null.
+  // This should only be called for DOM methods/getters/setters, which
+  // are JSNative-backed functions, so we can assume that
+  // JS_ValueToFunction and JS_GetFunctionDisplayId will both return
+  // non-null and that JS_GetStringCharsZ returns non-null.
   JS::Rooted<JSFunction*> func(aCx, JS_ValueToFunction(aCx, aArgs.calleev()));
   MOZ_ASSERT(func);
   JS::Rooted<JSString*> funcName(aCx, JS_GetFunctionDisplayId(func));
   MOZ_ASSERT(funcName);
   JS_ReportErrorNumberUC(aCx, GetErrorMessage, nullptr,
-                         static_cast<const unsigned>(MSG_METHOD_THIS_DOES_NOT_IMPLEMENT_INTERFACE),
+                         static_cast<const unsigned>(aErrorNumber),
                          JS_GetStringCharsZ(aCx, funcName),
                          ifaceName.get());
   return false;
 }
 
-bool
-ThrowInvalidGetterThis(JSContext* aCx, const char* aInterfaceName)
-{
-  // Sadly for getters we have no way to get the name of the property.
-  NS_ConvertASCIItoUTF16 ifaceName(aInterfaceName);
-  JS_ReportErrorNumberUC(aCx, GetErrorMessage, nullptr,
-                         static_cast<const unsigned>(MSG_GETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE),
-                         ifaceName.get());
-  return false;
-}
-
-bool
-ThrowInvalidSetterThis(JSContext* aCx, const char* aInterfaceName)
-{
-  // Sadly for setters we have no way to get the name of the property.
-  NS_ConvertASCIItoUTF16 ifaceName(aInterfaceName);
-  JS_ReportErrorNumberUC(aCx, GetErrorMessage, nullptr,
-                         static_cast<const unsigned>(MSG_SETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE),
-                         ifaceName.get());
-  return false;
-}
-
 } // namespace dom
 
 struct ErrorResult::Message {
@@ -850,8 +829,8 @@ XrayResolveAttribute(JSContext* cx, JS::Handle<JSObject*> wrapper,
           // They all have getters, so we can just make it.
           JS::Rooted<JSObject*> global(cx, JS_GetGlobalForObject(cx, wrapper));
           JS::Rooted<JSFunction*> fun(cx,
-                                      JS_NewFunction(cx, (JSNative)attrSpec.getter.op,
-                                                     0, 0, global, nullptr));
+                                      JS_NewFunctionById(cx, (JSNative)attrSpec.getter.op,
+                                                         0, 0, global, id));
           if (!fun)
             return false;
           SET_JITINFO(fun, attrSpec.getter.info);
@@ -860,8 +839,8 @@ XrayResolveAttribute(JSContext* cx, JS::Handle<JSObject*> wrapper,
           desc->attrs |= JSPROP_GETTER;
           if (attrSpec.setter.op) {
             // We have a setter! Make it.
-            fun = JS_NewFunction(cx, (JSNative)attrSpec.setter.op, 1, 0,
-                                 global, nullptr);
+            fun = JS_NewFunctionById(cx, (JSNative)attrSpec.setter.op, 1, 0,
+                                     global, id);
             if (!fun)
               return false;
             SET_JITINFO(fun, attrSpec.setter.info);

dom/bindings/BindingUtils.h

@@ -60,12 +60,9 @@ UnwrapArg(JSContext* cx, jsval v, Interface** ppArg,
 bool
 ThrowErrorMessage(JSContext* aCx, const ErrNum aErrorNumber, ...);
 bool
-ThrowInvalidMethodThis(JSContext* aCx, const JS::CallArgs& aArgs,
-                       const char* aInterfaceName);
-bool
-ThrowInvalidGetterThis(JSContext* aCx, const char* aInterfaceName);
-bool
-ThrowInvalidSetterThis(JSContext* aCx, const char* aInterfaceName);
+ThrowInvalidThis(JSContext* aCx, const JS::CallArgs& aArgs,
+                 const ErrNum aErrorNumber,
+                 const char* aInterfaceName);
 
 template<bool mainThread>
 inline bool

dom/bindings/Codegen.py

@@ -5185,7 +5185,7 @@ class CGGenericMethod(CGAbstractBindingMethod):
         args = [Argument('JSContext*', 'cx'), Argument('unsigned', 'argc'),
                 Argument('JS::Value*', 'vp')]
         unwrapFailureCode = (
-            'return ThrowInvalidMethodThis(cx, args, \"%s\");' %
+            'return ThrowInvalidThis(cx, args, MSG_METHOD_THIS_DOES_NOT_IMPLEMENT_INTERFACE, \"%s\");' %
             descriptor.interface.identifier.name)
         CGAbstractBindingMethod.__init__(self, descriptor, 'genericMethod',
                                          args,
@@ -5322,7 +5322,7 @@ class CGGenericGetter(CGAbstractBindingMethod):
         else:
             name = "genericGetter"
             unwrapFailureCode = (
-                'return ThrowInvalidGetterThis(cx, "%s");' %
+                'return ThrowInvalidThis(cx, args, MSG_GETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE, "%s");' %
                 descriptor.interface.identifier.name)
         CGAbstractBindingMethod.__init__(self, descriptor, name, args,
                                          unwrapFailureCode)
@@ -5402,7 +5402,7 @@ class CGGenericSetter(CGAbstractBindingMethod):
         else:
             name = "genericSetter"
             unwrapFailureCode = (
-                'return ThrowInvalidSetterThis(cx, "%s");' %
+                'return ThrowInvalidThis(cx, args, MSG_SETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE, "%s");' %
                 descriptor.interface.identifier.name)
 
         CGAbstractBindingMethod.__init__(self, descriptor, name, args,

dom/bindings/Errors.msg

@@ -24,9 +24,9 @@ MSG_DEF(MSG_MISSING_ARGUMENTS, 1, "Not enough arguments to {0}.")
 MSG_DEF(MSG_NOT_OBJECT, 1, "{0} is not an object.")
 MSG_DEF(MSG_NOT_CALLABLE, 1, "{0} is not callable.")
 MSG_DEF(MSG_DOES_NOT_IMPLEMENT_INTERFACE, 2, "{0} does not implement interface {1}.")
-MSG_DEF(MSG_METHOD_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 2, "{0} called on an object that does not implement interface {1}.")
-MSG_DEF(MSG_GETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 1, "getter called on an object that does not implement interface {0}.")
-MSG_DEF(MSG_SETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 1, "setter called on an object that does not implement interface {0}.")
+MSG_DEF(MSG_METHOD_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 2, "'{0}' called on an object that does not implement interface {1}.")
+MSG_DEF(MSG_GETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 2, "'{0}' getter called on an object that does not implement interface {1}.")
+MSG_DEF(MSG_SETTER_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 2, "'{0}' setter called on an object that does not implement interface {1}.")
 MSG_DEF(MSG_THIS_DOES_NOT_IMPLEMENT_INTERFACE, 1, "\"this\" object does not implement interface {0}.")
 MSG_DEF(MSG_NOT_IN_UNION, 2, "{0} could not be converted to any of: {1}.")
 MSG_DEF(MSG_ILLEGAL_CONSTRUCTOR, 0, "Illegal constructor.")

dom/bindings/test/Makefile.in

@@ -75,6 +75,7 @@ MOCHITEST_FILES := \
   test_bug560072.html \
   test_lenientThis.html \
   test_ByteString.html \
+  test_exception_messages.html \
   $(NULL)
 
 MOCHITEST_CHROME_FILES = \

dom/bindings/test/test_exception_messages.html

@@ -0,0 +1,82 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=882653
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 882653</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 882653 **/
+  // Each test is a string to eval, the expected exception message, and the
+  // test description.
+  var tests = [
+      [ 'document.documentElement.appendChild.call({}, new Image())',
+        "'appendChild' called on an object that does not implement interface Node.",
+        "bogus method this object" ],
+      [ 'Object.getOwnPropertyDescriptor(Document.prototype, "documentElement").get.call({})',
+        "'documentElement' getter called on an object that does not implement interface Document.",
+        "bogus getter this object" ],
+      [ 'Object.getOwnPropertyDescriptor(Element.prototype, "innerHTML").set.call({})',
+        "'innerHTML' setter called on an object that does not implement interface Element.",
+        "bogus setter this object" ],
+      [ 'document.documentElement.appendChild(5)',
+        "Argument 1 of Node.appendChild is not an object.",
+        "bogus interface argument" ],
+      [ 'document.documentElement.appendChild(null)',
+        "Argument 1 of Node.appendChild is not an object.",
+        "null interface argument" ],
+      [ 'document.createTreeWalker(document).currentNode = 5',
+        "Value being assigned to TreeWalker.currentNode is not an object.",
+        "interface setter call" ],
+      [ 'document.documentElement.appendChild({})',
+        "Argument 1 of Node.appendChild does not implement interface Node.",
+        "wrong interface argument" ],
+      [ 'document.createTreeWalker(document).currentNode = {}',
+        "Value being assigned to TreeWalker.currentNode does not implement interface Node.",
+        "wrong interface setter call" ],
+      [ 'document.createElement("canvas").getContext("2d").fill("bogus")',
+        "Argument 1 of CanvasRenderingContext2D.fill 'bogus' is not a valid value for enumeration CanvasWindingRule.",
+        "bogus enum value" ],
+      [ 'document.createTreeWalker(document, 0xFFFFFFFF, { acceptNode: 5 }).nextNode()',
+        "Property 'acceptNode' is not callable.",
+        "non-callable callback interface operation property" ],
+      [ '(new TextEncoder).encode("", new RegExp())',
+        "Argument 2 of TextEncoder.encode can't be converted to a dictionary.",
+        "regexp passed for a dictionary" ],
+      [ 'URL.createObjectURL(null, null)',
+        "Argument 1 is not valid for any of the 2-argument overloads of URL.createObjectURL.",
+        "overload resolution failure" ],
+      [ 'document.createElement("select").add({})',
+        "Argument 1 of HTMLSelectElement.add could not be converted to any of: HTMLOptionElement, HTMLOptGroupElement.",
+        "invalid value passed for union" ],
+      [ 'document.createElement("canvas").getContext("2d").createLinearGradient(0, 1, 0, 1).addColorStop(NaN, "")',
+        "Argument 1 of CanvasGradient.addColorStop is not a finite floating-point value.",
+        "invalid float" ]
+  ];
+
+  for (var i = 0; i < tests.length; ++i) {
+      msg = "Correct exception should be thrown for " + tests[i][2];
+      try {
+          eval(tests[i][0]);
+          ok(false, msg);
+      } catch (e) {
+          is(e.message, tests[i][1], msg);
+      }
+  }
+
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=882653">Mozilla Bug 882653</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>

dom/camera/DOMCameraControl.cpp

@@ -400,7 +400,11 @@ nsDOMCameraControl::ReleaseHardware(nsICameraReleaseCallback* onSuccess, nsICame
 class GetCameraResult : public nsRunnable
 {
 public:
-  GetCameraResult(nsDOMCameraControl* aDOMCameraControl, nsresult aResult, nsICameraGetCameraCallback* onSuccess, nsICameraErrorCallback* onError, uint64_t aWindowId)
+  GetCameraResult(nsDOMCameraControl* aDOMCameraControl,
+    nsresult aResult,
+    const nsMainThreadPtrHandle<nsICameraGetCameraCallback>& onSuccess,
+    const nsMainThreadPtrHandle<nsICameraErrorCallback>& onError,
+    uint64_t aWindowId)
     : mDOMCameraControl(aDOMCameraControl)
     , mResult(aResult)
     , mOnSuccessCb(onSuccess)
@@ -415,11 +419,11 @@ public:
     if (nsDOMCameraManager::IsWindowStillActive(mWindowId)) {
       DOM_CAMERA_LOGT("%s : this=%p -- BEFORE CALLBACK\n", __func__, this);
       if (NS_FAILED(mResult)) {
-        if (mOnErrorCb) {
+        if (mOnErrorCb.get()) {
           mOnErrorCb->HandleEvent(NS_LITERAL_STRING("FAILURE"));
         }
       } else {
-        if (mOnSuccessCb) {
+        if (mOnSuccessCb.get()) {
           mOnSuccessCb->HandleEvent(mDOMCameraControl);
         }
       }
@@ -442,13 +446,16 @@ protected:
    */
   nsDOMCameraControl* mDOMCameraControl;
   nsresult mResult;
-  nsCOMPtr<nsICameraGetCameraCallback> mOnSuccessCb;
-  nsCOMPtr<nsICameraErrorCallback> mOnErrorCb;
+  nsMainThreadPtrHandle<nsICameraGetCameraCallback> mOnSuccessCb;
+  nsMainThreadPtrHandle<nsICameraErrorCallback> mOnErrorCb;
   uint64_t mWindowId;
 };
 
 nsresult
-nsDOMCameraControl::Result(nsresult aResult, nsICameraGetCameraCallback* onSuccess, nsICameraErrorCallback* onError, uint64_t aWindowId)
+nsDOMCameraControl::Result(nsresult aResult,
+                           const nsMainThreadPtrHandle<nsICameraGetCameraCallback>& onSuccess,
+                           const nsMainThreadPtrHandle<nsICameraErrorCallback>& onError,
+                           uint64_t aWindowId)
 {
   nsCOMPtr<GetCameraResult> getCameraResult = new GetCameraResult(this, aResult, onSuccess, onError, aWindowId);
   return NS_DispatchToMainThread(getCameraResult);

dom/camera/DOMCameraControl.h

@@ -14,6 +14,7 @@
 #include "nsIDOMCameraManager.h"
 #include "CameraCommon.h"
 #include "AudioChannelAgent.h"
+#include "nsProxyRelease.h"
 
 namespace mozilla {
 
@@ -28,7 +29,10 @@ public:
   nsDOMCameraControl(uint32_t aCameraId, nsIThread* aCameraThread,
                      nsICameraGetCameraCallback* onSuccess,
                      nsICameraErrorCallback* onError, uint64_t aWindowId);
-  nsresult Result(nsresult aResult, nsICameraGetCameraCallback* onSuccess, nsICameraErrorCallback* onError, uint64_t aWindowId);
+  nsresult Result(nsresult aResult,
+                  const nsMainThreadPtrHandle<nsICameraGetCameraCallback>& onSuccess,
+                  const nsMainThreadPtrHandle<nsICameraErrorCallback>& onError,
+                  uint64_t aWindowId);
   nsRefPtr<ICameraControl> GetNativeCameraControl();
 
   void Shutdown();

dom/camera/GonkCameraControl.cpp

@@ -174,8 +174,8 @@ public:
   InitGonkCameraControl(nsGonkCameraControl* aCameraControl, nsDOMCameraControl* aDOMCameraControl, nsICameraGetCameraCallback* onSuccess, nsICameraErrorCallback* onError, uint64_t aWindowId)
     : mCameraControl(aCameraControl)
     , mDOMCameraControl(aDOMCameraControl)
-    , mOnSuccessCb(onSuccess)
-    , mOnErrorCb(onError)
+    , mOnSuccessCb(new nsMainThreadPtrHolder<nsICameraGetCameraCallback>(onSuccess))
+    , mOnErrorCb(new nsMainThreadPtrHolder<nsICameraErrorCallback>(onError))
     , mWindowId(aWindowId)
   {
     DOM_CAMERA_LOGT("%s:%d : this=%p\n", __func__, __LINE__, this);
@@ -195,8 +195,8 @@ public:
   nsRefPtr<nsGonkCameraControl> mCameraControl;
   // Raw pointer to DOM-facing camera control--it must NS_ADDREF itself for us
   nsDOMCameraControl* mDOMCameraControl;
-  nsCOMPtr<nsICameraGetCameraCallback> mOnSuccessCb;
-  nsCOMPtr<nsICameraErrorCallback> mOnErrorCb;
+  nsMainThreadPtrHandle<nsICameraGetCameraCallback> mOnSuccessCb;
+  nsMainThreadPtrHandle<nsICameraErrorCallback> mOnErrorCb;
   uint64_t mWindowId;
 };
 

dom/locales/en-US/chrome/layout/css.properties

@@ -20,6 +20,7 @@ PECharsetRuleNotString=Expected charset string but found '%1$S'.
 PEGatherMediaEOF=end of media list in @import or @media rule
 PEGatherMediaNotComma=Expected ',' in media list but found '%1$S'.
 PEGatherMediaNotIdent=Expected identifier in media list but found '%1$S'.
+PEGatherMediaReservedMediaType=Found reserved keyword '%1$S' when looking for media type.
 PEImportNotURI=Expected URI in @import rule but found '%1$S'.
 PEImportBadURI=Invalid URI in @import rule: '%1$S'.
 PEImportUnexpected=Found unexpected '%1$S' within @import.

dom/plugins/base/nsPluginInstanceOwner.cpp

@@ -3298,8 +3298,6 @@ nsPluginInstanceOwner::UpdateDocumentActiveState(bool aIsActive)
   if (mInstance) {
     if (!mPluginDocumentActiveState)
       RemovePluginView();
-    else if (mPluginDocumentActiveState && mFullScreen)
-      AddPluginView();
 
     mInstance->NotifyOnScreen(mPluginDocumentActiveState);
 

dom/push/src/Push.js

@@ -121,6 +121,13 @@ Push.prototype = {
   register: function() {
     debug("register()");
     var req = this.createRequest();
+    if (!Services.prefs.getBoolPref("services.push.connection.enabled")) {
+      // If push socket is disabled by the user, immediately error rather than
+      // timing out.
+      Services.DOMRequest.fireErrorAsync(req, "NetworkError");
+      return req;
+    }
+
     this._cpmm.sendAsyncMessage("Push:Register", {
                                   pageURL: this._pageURL.spec,
                                   manifestURL: this._manifestURL,

dom/push/src/PushService.jsm

@@ -307,12 +307,7 @@ this.PushService = {
         // Try to connect if network-active-changed or the offline-status
         // changed to online.
         if (aTopic === "network-active-changed" || aData === "online") {
-          // Check to see if we need to do anything.
-          this._db.getAllChannelIDs(function(channelIDs) {
-            if (channelIDs.length > 0) {
-              this._beginWSSetup();
-            }
-          }.bind(this));
+          this._startListeningIfChannelsPresent();
         }
         break;
       case "nsPref:changed":
@@ -320,6 +315,12 @@ this.PushService = {
           debug("services.push.serverURL changed! websocket. new value " +
                 prefs.get("serverURL"));
           this._shutdownWS();
+        } else if (aData == "services.push.connection.enabled") {
+          if (prefs.get("connection.enabled")) {
+            this._startListeningIfChannelsPresent();
+          } else {
+            this._shutdownWS();
+          }
         }
         break;
       case "timer-callback":
@@ -429,18 +430,7 @@ this.PushService = {
 
     this._udpPort = prefs.get("udp.port");
 
-    this._db.getAllChannelIDs(
-      function(channelIDs) {
-        if (channelIDs.length > 0) {
-          debug("Found registered channelIDs. Starting WebSocket");
-          this._beginWSSetup();
-        }
-      }.bind(this),
-
-      function(error) {
-        debug("db error " + error);
-      }
-    );
+    this._startListeningIfChannelsPresent();
 
     Services.obs.addObserver(this, "xpcom-shutdown", false);
     Services.obs.addObserver(this, "webapps-uninstall", false);
@@ -468,6 +458,8 @@ this.PushService = {
     // This is only used for testing. Different tests require connecting to
     // slightly different URLs.
     prefs.observe("serverURL", this);
+    // Used to monitor if the user wishes to disable Push.
+    prefs.observe("connection.enabled", this);
   },
 
   _shutdownWS: function() {
@@ -492,6 +484,7 @@ this.PushService = {
 
     debug("uninit()");
 
+    prefs.ignore("connection.enabled", this);
     prefs.ignore("serverURL", this);
     Services.obs.removeObserver(this, this._getNetworkStateChangeEventName());
     Services.obs.removeObserver(this, "webapps-uninstall", false);
@@ -562,6 +555,11 @@ this.PushService = {
       return;
     }
 
+    if (!prefs.get("connection.enabled")) {
+      debug("_beginWSSetup: connection.enabled is not set to true. Aborting.");
+      return;
+    }
+
     // Stop any pending reconnects scheduled for the near future.
     this._stopAlarm();
 
@@ -606,6 +604,15 @@ this.PushService = {
     this._currentState = STATE_WAITING_FOR_WS_START;
   },
 
+  _startListeningIfChannelsPresent: function() {
+    // Check to see if we need to do anything.
+    this._db.getAllChannelIDs(function(channelIDs) {
+      if (channelIDs.length > 0) {
+        this._beginWSSetup();
+      }
+    }.bind(this));
+  },
+
   /** |delay| should be in milliseconds. */
   _setAlarm: function(delay) {
     // Stop any existing alarm.

dom/webidl/DOMStringMap.webidl

@@ -11,6 +11,7 @@
  * and create derivative works of this document.
  */
 
+[OverrideBuiltins]
 interface DOMStringMap {
   getter DOMString (DOMString name);
   [Throws]

dom/webidl/DOMTokenList.webidl

@@ -20,6 +20,6 @@ interface DOMTokenList {
   [Throws]
   void remove(DOMString token);
   [Throws]
-  boolean toggle(DOMString token);
+  boolean toggle(DOMString token, optional boolean force);
   stringifier DOMString ();
 };

editor/reftests/reftest.list

@@ -108,3 +108,20 @@ needs-focus != 824080-4.html 824080-5.html
 needs-focus == 824080-6.html 824080-6-ref.html
 needs-focus == 824080-7.html 824080-7-ref.html
 needs-focus != 824080-6.html 824080-7.html
+# Bug 674927: copy spellcheck-textarea tests to contenteditable
+== spellcheck-contenteditable-attr.html spellcheck-contenteditable-nofocus-ref.html
+fails-if(Android) != spellcheck-contenteditable-attr.html spellcheck-contenteditable-ref.html
+needs-focus == spellcheck-contenteditable-focused.html spellcheck-contenteditable-ref.html
+needs-focus == spellcheck-contenteditable-focused-reframe.html spellcheck-contenteditable-ref.html
+== spellcheck-contenteditable-nofocus.html spellcheck-contenteditable-disabled-ref.html
+fails-if(!Android) == spellcheck-contenteditable-disabled.html spellcheck-contenteditable-disabled-ref.html
+fails-if(!Android) == spellcheck-contenteditable-disabled-partial.html spellcheck-contenteditable-disabled-partial-ref.html
+== spellcheck-contenteditable-attr-inherit.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-attr-dynamic.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-attr-dynamic-inherit.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-property-dynamic.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-property-dynamic-inherit.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-attr-dynamic-override.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-attr-dynamic-override-inherit.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-property-dynamic-override.html spellcheck-contenteditable-disabled-ref.html
+== spellcheck-contenteditable-property-dynamic-override-inherit.html spellcheck-contenteditable-disabled-ref.html

editor/reftests/spellcheck-contenteditable-attr-dynamic-inherit.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()">
+    <div contenteditable>blahblahblah</div>
+    <script>
+      function init() {
+        document.body.setAttribute("spellcheck", "false");
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-attr-dynamic-override-inherit.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()" spellcheck="true">
+    <div contenteditable>blahblahblah</div>
+    <script>
+      function init() {
+        document.body.setAttribute("spellcheck", "false");
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-attr-dynamic-override.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()">
+    <div contenteditable spellcheck="true">blahblahblah</div>
+    <script>
+      function init() {
+        document.querySelector("div").setAttribute("spellcheck", "false");
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-attr-dynamic.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()">
+    <div contenteditable>blahblahblah</div>
+    <script>
+      function init() {
+        document.querySelector("div").setAttribute("spellcheck", "false");
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-attr-inherit.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <span spellcheck="false"><div contenteditable>blahblahblah</div></span>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-attr.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div contenteditable>blahblahblah</div>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-disabled-partial-ref.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <span contenteditable>sakde</span> kreid <span contenteditable>slodv</span>
+  <script>
+    // Adding focus to the textbox should trigger a spellcheck
+    document.querySelector("span").focus();
+    document.querySelector("span + span").focus();
+    document.querySelector("span + span").blur();
+  </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-disabled-partial.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div contenteditable>sakde <span spellcheck=false>kreid</span> slodv</div>
+  <script>
+    // Adding focus to the textbox should trigger a spellcheck
+    document.querySelector("div").focus();
+    document.querySelector("div").blur();
+  </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-disabled-ref.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div>blahblahblah</div>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-disabled.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div contenteditable spellcheck="false">blahblahblah</div>
+  <script>
+    // Adding focus to the textbox should trigger a spellcheck
+    document.querySelector("div").focus();
+    document.querySelector("div").blur();
+  </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-focused-reframe.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+  <div contenteditable id="testBox" onfocus="reframe(this);">blahblahblah</div>
+  <script type="text/javascript">
+    function reframe(textbox) {
+      textbox.style.display = "none";
+      textbox.style.display = "";
+      textbox.clientWidth;
+    }
+    //Adding focus to the textbox should trigger a spellcheck
+    document.getElementById("testBox").focus();
+    document.getElementById("testBox").blur();
+  </script>
+  
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-focused.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+  <div contenteditable id="testBox">blahblahblah</div>
+  <script type="text/javascript">
+    //Adding focus to the textbox should trigger a spellcheck
+    document.getElementById("testBox").focus();
+    document.getElementById("testBox").blur();
+  </script>
+  
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-nofocus-ref.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div contenteditable spellcheck="true">blahblahblah</div>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-nofocus.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div contenteditable>blahblahblah</div>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-property-dynamic-inherit.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()">
+    <div contenteditable>blahblahblah</div>
+    <script>
+      function init() {
+        document.body.spellcheck = false;
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-property-dynamic-override-inherit.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()" spellcheck="true">
+    <div contenteditable>blahblahblah</div>
+    <script>
+      function init() {
+        document.body.spellcheck = false;
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-property-dynamic-override.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()">
+    <div contenteditable spellcheck="true">blahblahblah</div>
+    <script>
+      function init() {
+        document.querySelector("div").spellcheck = false;
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-property-dynamic.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body onload="init()">
+    <div contenteditable>blahblahblah</div>
+    <script>
+      function init() {
+        document.querySelector("div").spellcheck = false;
+      }
+    </script>
+</body>
+</html>

editor/reftests/spellcheck-contenteditable-ref.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <div contenteditable spellcheck="true">blahblahblah</div>
+  <script type="text/javascript">
+    var box = document.getElementsByTagName("div")[0];
+    box.focus(); //Bring the textbox into focus, triggering a spellcheck
+    box.blur(); //Blur in order to make things similar to other tests otherwise
+  </script>
+</body>
+</html>

gfx/gl/GLContext.cpp

@@ -86,6 +86,8 @@ static const char *sExtensionNames[] = {
     "GL_OES_EGL_image_external",
     "GL_EXT_packed_depth_stencil",
     "GL_OES_element_index_uint",
+    "GL_OES_vertex_array_object",
+    "GL_ARB_vertex_array_object",
     nullptr
 };
 
@@ -548,6 +550,26 @@ GLContext::InitWithPrefix(const char *prefix, bool trygl)
             }
         }
 
+        if (IsExtensionSupported(OES_vertex_array_object)) {
+            SymLoadStruct vaoSymbols[] = {
+                { (PRFuncPtr*) &mSymbols.fIsVertexArray, { "IsVertexArray", "IsVertexArrayOES", nullptr } },
+                { (PRFuncPtr*) &mSymbols.fGenVertexArrays, { "GenVertexArrays", "GenVertexArraysOES", nullptr } },
+                { (PRFuncPtr*) &mSymbols.fBindVertexArray, { "BindVertexArrays", "BindVertexArrayOES", nullptr } },
+                { (PRFuncPtr*) &mSymbols.fDeleteVertexArrays, { "DeleteVertexArrays", "DeleteVertexArraysOES", nullptr } },
+                { nullptr, { nullptr } },
+            };
+
+            if (!LoadSymbols(&vaoSymbols[0], trygl, prefix)) {
+                NS_ERROR("GL supports Vertex Array Object without supplying its functions.");
+
+                MarkExtensionUnsupported(OES_vertex_array_object);
+                mSymbols.fIsVertexArray = nullptr;
+                mSymbols.fGenVertexArrays = nullptr;
+                mSymbols.fBindVertexArray = nullptr;
+                mSymbols.fDeleteVertexArrays = nullptr;
+            }
+        }
+
         // Load developer symbols, don't fail if we can't find them.
         SymLoadStruct auxSymbols[] = {
                 { (PRFuncPtr*) &mSymbols.fGetTexImage, { "GetTexImage", nullptr } },

gfx/gl/GLContext.h

@@ -1024,6 +1024,8 @@ public:
         OES_EGL_image_external,
         EXT_packed_depth_stencil,
         OES_element_index_uint,
+        OES_vertex_array_object,
+        ARB_vertex_array_object,
         Extensions_Max
     };
 
@@ -2870,6 +2872,39 @@ public:
         AFTER_GL_CALL;
     }
 
+    void GLAPIENTRY fBindVertexArray(GLuint array)
+    {
+        BEFORE_GL_CALL;
+        ASSERT_SYMBOL_PRESENT(fBindVertexArray);
+        mSymbols.fBindVertexArray(array);
+        AFTER_GL_CALL;
+    }
+
+    void GLAPIENTRY fDeleteVertexArrays(GLsizei n, const GLuint *arrays)
+    {
+        BEFORE_GL_CALL;
+        ASSERT_SYMBOL_PRESENT(fDeleteVertexArrays);
+        mSymbols.fDeleteVertexArrays(n, arrays);
+        AFTER_GL_CALL;
+    }
+
+    void GLAPIENTRY fGenVertexArrays(GLsizei n, GLuint *arrays)
+    {
+        BEFORE_GL_CALL;
+        ASSERT_SYMBOL_PRESENT(fGenVertexArrays);
+        mSymbols.fGenVertexArrays(n, arrays);
+        AFTER_GL_CALL;
+    }
+
+    realGLboolean GLAPIENTRY fIsVertexArray(GLuint array)
+    {
+        BEFORE_GL_CALL;
+        ASSERT_SYMBOL_PRESENT(fIsVertexArray);
+        realGLboolean ret = mSymbols.fIsVertexArray(array);
+        AFTER_GL_CALL;
+        return ret;
+    }
+
 #undef ASSERT_SYMBOL_PRESENT
 
 #ifdef DEBUG

gfx/gl/GLContextSymbols.h

@@ -47,6 +47,8 @@ struct GLContextSymbols
     PFNGLBINDBUFFERPROC fBindBuffer;
     typedef void (GLAPIENTRY * PFNGLBINDTEXTUREPROC) (GLenum target, GLuint texture);
     PFNGLBINDTEXTUREPROC fBindTexture;
+    typedef void (GLAPIENTRY * PFNGLBINDVERTEXARRAYPROC) (GLuint array);
+    PFNGLBINDVERTEXARRAYPROC fBindVertexArray;
     typedef void (GLAPIENTRY * PFNGLBLENDCOLORPROC) (GLclampf red, GLclampf green, GLclampf blue, GLclampf alpha);
     PFNGLBLENDCOLORPROC fBlendColor;
     typedef void (GLAPIENTRY * PFNGLBLENDEQUATIONPROC) (GLenum mode);
@@ -302,6 +304,8 @@ struct GLContextSymbols
     PFNGLISFRAMEBUFFER fIsFramebuffer;
     typedef realGLboolean (GLAPIENTRY * PFNGLISRENDERBUFFER) (GLuint renderbuffer);
     PFNGLISRENDERBUFFER fIsRenderbuffer;
+    typedef realGLboolean (GLAPIENTRY * PFNGLISVERTEXARRAY) (GLuint array);
+    PFNGLISVERTEXARRAY fIsVertexArray;
     typedef void (GLAPIENTRY * PFNGLRENDERBUFFERSTORAGE) (GLenum target, GLenum internalFormat, GLsizei width, GLsizei height);
     PFNGLRENDERBUFFERSTORAGE fRenderbufferStorage;
 
@@ -354,6 +358,8 @@ struct GLContextSymbols
     PFNGLGENFRAMEBUFFERS fGenFramebuffers;
     typedef void (GLAPIENTRY * PFNGLGENRENDERBUFFERS) (GLsizei n, GLuint* ids);
     PFNGLGENRENDERBUFFERS fGenRenderbuffers;
+    typedef void (GLAPIENTRY * PFNGLGENVERTEXARRAYS) (GLsizei n, GLuint* arrays);
+    PFNGLGENVERTEXARRAYS fGenVertexArrays;
 
     typedef void (GLAPIENTRY * PFNGLDELETEPROGRAMPROC) (GLuint program);
     PFNGLDELETEPROGRAMPROC fDeleteProgram;
@@ -369,6 +375,8 @@ struct GLContextSymbols
     PFNGLDELETEFRAMEBUFFERS fDeleteFramebuffers;
     typedef void (GLAPIENTRY * PFNGLDELETERENDERBUFFERS) (GLsizei n, const GLuint* ids);
     PFNGLDELETERENDERBUFFERS fDeleteRenderbuffers;
+    typedef void (GLAPIENTRY * PFNGLDELETEVERTEXARRAYS) (GLsizei n, const GLuint* arrays);
+    PFNGLDELETEVERTEXARRAYS fDeleteVertexArrays;
 
     typedef void* (GLAPIENTRY * PFNGLMAPBUFFER) (GLenum target, GLenum access);
     PFNGLMAPBUFFER fMapBuffer;

gfx/thebes/gfxFT2Utils.cpp

@@ -117,10 +117,12 @@ gfxFT2LockedFace::GetMetrics(gfxFont::Metrics* aMetrics,
 
         // maxAscent/maxDescent get used for frame heights, and some fonts
         // don't have the HHEA table ascent/descent set (bug 279032).
-        if (aMetrics->emAscent > aMetrics->maxAscent)
-            aMetrics->maxAscent = aMetrics->emAscent;
-        if (aMetrics->emDescent > aMetrics->maxDescent)
-            aMetrics->maxDescent = aMetrics->emDescent;
+        // We use NS_round here to parallel the pixel-rounded values that
+        // freetype gives us for ftMetrics.ascender/descender.
+        aMetrics->maxAscent =
+            std::max(aMetrics->maxAscent, NS_round(aMetrics->emAscent));
+        aMetrics->maxDescent =
+            std::max(aMetrics->maxDescent, NS_round(aMetrics->emDescent));
     } else {
         aMetrics->emAscent = aMetrics->maxAscent;
         aMetrics->emDescent = aMetrics->maxDescent;