Grant access to SOAP response document's properties and also allow the document to be serializable. b=193953, r=heikki@netscape.com, sr=jst@netscape.com

caps/idl/nsIAggregatePrincipal.idl

@@ -50,9 +50,9 @@ interface nsIAggregatePrincipal : nsISupports {
 
     attribute nsIPrincipal certificate;
     attribute nsIPrincipal codebase;
+    attribute boolean domainChanged;
     readonly attribute nsIPrincipal originalCodebase;
     readonly attribute nsIPrincipal primaryChild;
 
     void intersect(in nsIPrincipal other);
-    boolean wasCodebaseChanged();
 };

caps/include/nsAggregatePrincipal.h

@@ -109,7 +109,7 @@ protected:
     nsCOMPtr<nsIPrincipal> mCertificate;
     nsCOMPtr<nsIPrincipal> mCodebase;
     nsCOMPtr<nsIPrincipal> mOriginalCodebase;
-    PRBool mCodebaseWasChanged;
+    PRPackedBool mDomainChanged;
 };
 
 #endif // _NS_AGGREGATE_PRINCIPAL_H_

caps/src/nsAggregatePrincipal.cpp

@@ -206,11 +206,8 @@ nsAggregatePrincipal::SetCodebase(nsIPrincipal* aCodebase)
     mCodebase = newCodebase;
 
     //-- If this is the first codebase set, remember it.
-    //   If not, remember that the codebase was explicitly set
     if (!mOriginalCodebase)
         mOriginalCodebase = newCodebase;
-    else
-        mCodebaseWasChanged = PR_TRUE;
 
     return NS_OK;
 }
@@ -262,9 +259,16 @@ nsAggregatePrincipal::Intersect(nsIPrincipal* other)
 }
 
 NS_IMETHODIMP 
-nsAggregatePrincipal::WasCodebaseChanged(PRBool* changed)
+nsAggregatePrincipal::SetDomainChanged(PRBool aDomainChanged)
 {
-    *changed = mCodebaseWasChanged;
+    mDomainChanged = aDomainChanged;
+    return NS_OK;
+}
+
+NS_IMETHODIMP 
+nsAggregatePrincipal::GetDomainChanged(PRBool* aDomainChanged)
+{
+    *aDomainChanged = mDomainChanged;
     return NS_OK;
 }
 
@@ -442,7 +446,7 @@ nsAggregatePrincipal::Write(nsIObjectOutputStream* aStream)
 // Constructor, Destructor, initialization //
 /////////////////////////////////////////////
 
-nsAggregatePrincipal::nsAggregatePrincipal() : mCodebaseWasChanged(PR_FALSE)
+nsAggregatePrincipal::nsAggregatePrincipal() : mDomainChanged(PR_FALSE)
 {
 }
 

caps/src/nsScriptSecurityManager.cpp

@@ -880,17 +880,17 @@ nsScriptSecurityManager::CheckSameOriginDOMProp(nsIPrincipal* aSubject,
 
         nsCOMPtr<nsIAggregatePrincipal> subjectAgg(do_QueryInterface(aSubject, &rv));
         NS_ENSURE_SUCCESS(rv, rv);
-        PRBool subjectSetDomain = PR_FALSE;
-        subjectAgg->WasCodebaseChanged(&subjectSetDomain);
+        PRBool subjectDomainChanged = PR_FALSE;
+        subjectAgg->GetDomainChanged(&subjectDomainChanged);
 
         nsCOMPtr<nsIAggregatePrincipal> objectAgg(do_QueryInterface(aObject, &rv));
         NS_ENSURE_SUCCESS(rv, rv);
-        PRBool objectSetDomain = PR_FALSE;
-        objectAgg->WasCodebaseChanged(&objectSetDomain);
+        PRBool objectDomainChanged = PR_FALSE;
+        objectAgg->GetDomainChanged(&objectDomainChanged);
 
         // If both or neither explicitly set their domain, allow the access
-        if (!(subjectSetDomain || objectSetDomain) ||
-            (subjectSetDomain && objectSetDomain))
+        if (!(subjectDomainChanged || objectDomainChanged) ||
+            (subjectDomainChanged && objectDomainChanged))
             return NS_OK;
     }
 

content/html/document/src/nsHTMLDocument.cpp

@@ -2029,8 +2029,10 @@ nsHTMLDocument::SetDomain(const nsAString& aDomain)
   rv = agg->SetCodebase(newCodebase);
 
   // Bug 13871: Frameset spoofing - note that document.domain was set
-  if (NS_SUCCEEDED(rv))
+  if (NS_SUCCEEDED(rv)) {
+    agg->SetDomainChanged(PR_TRUE);
     mDomainWasSet = PR_TRUE;
+  }
 
   return rv;
 }

extensions/webservices/soap/src/Makefile.in

@@ -52,6 +52,8 @@ REQUIRES	= xpcom \
 		  xpconnect \
 		  necko \
 		  xmlextras \
+		  content \
+ 		  widget \
 		  $(NULL)
 
 CPPSRCS        =                                 \

extensions/webservices/soap/src/nsHTTPSOAPTransport.cpp

@@ -56,6 +56,8 @@
 #include "nsIDOMSerializer.h"
 #include "nsIWebScriptsAccessService.h"
 #include "nsMemory.h"
+#include "nsIDocument.h"
+#include "nsIAggregatePrincipal.h"
 
 nsHTTPSOAPTransport::nsHTTPSOAPTransport()
 {
@@ -89,6 +91,59 @@ nsresult DebugPrintDOM(nsIDOMNode * node)
 
 static NS_NAMED_LITERAL_STRING(kAnyURISchemaType, "anyURI");
 
+/**
+  * This method will replace the target document's 
+  * codebase pricipal with the subject codebase to
+  * override cross domain checks. So use caution 
+  * because this might lead to serious security breech
+  * if misused.
+  * @param aDocument - The target/response document.
+  */
+static 
+nsresult ChangePrincipal(nsIDOMDocument* aDocument)
+{
+  if (!aDocument)
+    return NS_OK;
+
+  nsresult rv;
+  nsCOMPtr<nsIScriptSecurityManager> secMgr = 
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+  
+  nsCOMPtr<nsIDocument> targetDoc(do_QueryInterface(aDocument, &rv));
+  NS_ENSURE_SUCCESS(rv, rv);
+  
+  nsCOMPtr<nsIURI> targetURI;
+  targetDoc->GetDocumentURL(getter_AddRefs(targetURI));
+  rv = secMgr->CheckSameOrigin(nsnull, targetURI);
+  // change the principal only if the script security 
+  // manager has denied access.
+  if (NS_FAILED(rv)) {
+    nsCOMPtr<nsIPrincipal> subjectPrincipal;
+    rv = secMgr->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIAggregatePrincipal> subjectAgg = 
+      do_QueryInterface(subjectPrincipal, &rv);
+    NS_ENSURE_SUCCESS(rv, rv);
+       
+    nsCOMPtr<nsIPrincipal> subjectCodebase;
+    rv = subjectAgg->GetOriginalCodebase(getter_AddRefs(subjectCodebase));
+    NS_ENSURE_SUCCESS(rv, rv);
+       
+    nsCOMPtr<nsIPrincipal> targetPrincipal;
+    rv = targetDoc->GetPrincipal(getter_AddRefs(targetPrincipal));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIAggregatePrincipal> targetAgg = 
+      do_QueryInterface(targetPrincipal, &rv);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = targetAgg->SetCodebase(subjectCodebase);
+  }
+  return rv;
+}
+
 /**
  * Get and check the transport URI for accessibility.  In the future,
  * this might also attempt to automatically add a mustUnderstand
@@ -456,6 +511,7 @@ NS_IMETHODIMP
       rv = mRequest->GetResponseXML(getter_AddRefs(document));
       if (NS_SUCCEEDED(rv) && document) {
         rv = mResponse->SetMessage(document);
+        ChangePrincipal(document);
         DEBUG_DUMP_DOCUMENT("Asynchronous Response", document)
       } 
       else {