From de71defcdf0081915f70cc22ff244af473b01636 Mon Sep 17 00:00:00 2001
From: "mstoltz%netscape.com" <mstoltz%netscape.com>
Date: Thu, 1 May 2003 02:41:45 +0000
Subject: [PATCH] Bug 200691 - Add CheckLoadURI call to XBL loader to prevent
 remote XUL pages loading XBL bindings from file URLs. r=bryner, sr=heikki,
 a=asa

---
 content/xbl/src/nsXBLService.cpp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/content/xbl/src/nsXBLService.cpp b/content/xbl/src/nsXBLService.cpp
index bca066c3b764..8c92ae4c9775 100644
--- a/content/xbl/src/nsXBLService.cpp
+++ b/content/xbl/src/nsXBLService.cpp
@@ -86,6 +86,7 @@
 #include "nsIDocumentObserver.h"
 #include "nsIFrameManager.h"
 #include "nsStyleContext.h"
+#include "nsIScriptSecurityManager.h"
 
 #ifdef MOZ_XUL
 #include "nsIXULPrototypeCache.h"
@@ -579,6 +580,27 @@ nsXBLService::LoadBindings(nsIContent* aContent, const nsAString& aURL, PRBool a
     }
   }
 
+  // Security check - remote pages can't load local bindings, except from chrome
+  nsCOMPtr<nsIURI> docURI;
+  rv = document->GetDocumentURL(getter_AddRefs(docURI));
+  NS_ENSURE_SUCCESS(rv, rv); //XXX can a document have no URI here?
+  PRBool isChrome = PR_FALSE;
+  rv = docURI->SchemeIs("chrome", &isChrome);
+
+  if (NS_FAILED(rv) || !isChrome) {
+    nsCOMPtr<nsIURI> bindingURI;
+    rv = NS_NewURI(getter_AddRefs(bindingURI), aURL);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIScriptSecurityManager> secMan(
+      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = secMan->CheckLoadURI(docURI, bindingURI,
+                              nsIScriptSecurityManager::ALLOW_CHROME);
+    if (NS_FAILED(rv))
+      return rv;
+  }
   nsCOMPtr<nsIXBLBinding> newBinding;
   nsCAutoString url; url.AssignWithConversion(aURL);
   if (NS_FAILED(rv = GetBinding(aContent, url, getter_AddRefs(newBinding)))) {