[XForms] cannot submit with replace=instance more than one time part II. Bug 338451, patch by allan, r=doronr+bz, sr=sicking

extensions/xforms/nsIInstanceElementPrivate.idl

@@ -48,6 +48,10 @@ interface nsIInstanceElementPrivate : nsIXFormsNSInstanceElement
 {
   /**
    * Set instance document.
+   *
+   * WARNING: This must never be exposed to untrusted parties
+   * (ie. script). Because setting the instance document, we assume ownership
+   * over it security-wise!
    */
   void setInstanceDocument(in nsIDOMDocument document);
 

extensions/xforms/nsXFormsInstanceElement.cpp

@@ -262,6 +262,14 @@ nsXFormsInstanceElement::OnStopRequest(nsIRequest *request, nsISupports *ctx,
     }
   }
 
+  // Replace the principal for the loaded document
+  nsCOMPtr<nsIDocument> iDoc(do_QueryInterface(mDocument));
+  nsresult rv = ReplacePrincipal(iDoc);
+  if (NS_FAILED(rv)) {
+    SetInstanceDocument(nsnull);
+    return rv;
+  }
+
   nsCOMPtr<nsIModelElementPrivate> model = GetModel();
   if (model) {
     model->InstanceLoadFinished(succeeded);
@@ -271,6 +279,22 @@ nsXFormsInstanceElement::OnStopRequest(nsIRequest *request, nsISupports *ctx,
   return NS_OK;
 }
 
+nsresult
+nsXFormsInstanceElement::ReplacePrincipal(nsIDocument *aDocument)
+{
+  if (!aDocument || !mElement)
+    return NS_ERROR_FAILURE;
+
+  // Set Principal
+  nsCOMPtr<nsIDOMDocument> domDoc;
+  mElement->GetOwnerDocument(getter_AddRefs(domDoc));
+  nsCOMPtr<nsIDocument> fromDoc(do_QueryInterface(domDoc));
+  NS_ENSURE_STATE(fromDoc);
+  aDocument->SetPrincipal(fromDoc->NodePrincipal());
+
+  return NS_OK;
+}
+
 // nsIXFormsNSInstanceElement
 
 NS_IMETHODIMP
@@ -303,6 +327,15 @@ nsXFormsInstanceElement::SetInstanceDocument(nsIDOMDocument *aDocument)
     NS_ENSURE_STATE(owner);
     rv = doc->SetProperty(nsXFormsAtoms::instanceDocumentOwner, owner);
     NS_ENSURE_SUCCESS(rv, rv);
+
+    // Replace the principal of the instance document so it is the same as for
+    // the owning form. Why is this not a security breach? Because we handle
+    // our own whitelist of domains that we trust (see
+    // nsXFormsUtils::CheckSameOrigin()), and if we have gotten this far
+    // (ie. loaded the document) the user has trusted obviously trusted the
+    // source. See also https://bugzilla.mozilla.org/show_bug.cgi?id=338451
+    rv = ReplacePrincipal(doc);
+    NS_ENSURE_SUCCESS(rv, rv);
   }
 
   return NS_OK;

extensions/xforms/nsXFormsInstanceElement.h

@@ -49,6 +49,7 @@
 #include "nsIChannelEventSink.h"
 #include "nsIInterfaceRequestor.h"
 
+class nsIDocument;
 class nsIDOMElement;
 
 /**
@@ -88,6 +89,18 @@ private:
   NS_HIDDEN_(nsresult) CreateInstanceDocument(const nsAString &aQualifiedName);
   NS_HIDDEN_(already_AddRefed<nsIModelElementPrivate>) GetModel();
 
+  /**
+   * Replace principal for document to be the same as for the owning document.
+   *
+   * WARNING: This could lead to a security breach, and should be used with
+   * extreme care!
+   *
+   * @see https://bugzilla.mozilla.org/show_bug.cgi?id=338451
+   *
+   * @param aDoc              The document to replace principal for
+   */
+  nsresult ReplacePrincipal(nsIDocument *aDoc);
+
   nsCOMPtr<nsIDOMDocument>    mDocument;
   nsCOMPtr<nsIDOMDocument>    mOriginalDocument;
   nsIDOMElement              *mElement;

extensions/xforms/nsXFormsSubmissionElement.cpp

@@ -495,7 +495,8 @@ nsXFormsSubmissionElement::LoadReplaceInstance(nsIChannel *channel)
   mPipeIn->Available(&contentLength);
 
   // set the base uri so that the document can get the correct security
-  // principal
+  // principal (this has to be here to work on 1.8.0)
+  // @see https://bugzilla.mozilla.org/show_bug.cgi?id=338451
   nsCOMPtr<nsIURI> uri;
   nsresult rv = channel->GetURI(getter_AddRefs(uri));
   NS_ENSURE_SUCCESS(rv, rv);