Bug 330037 - First check if script/data url's are allowed, r=dveditz, sr=bzbarsky

caps/src/nsScriptSecurityManager.cpp

@@ -1276,12 +1276,6 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
     rv = GetBaseURIScheme(aTargetURI, targetScheme);
     if (NS_FAILED(rv)) return rv;
 
-    if (nsCRT::strcasecmp(targetScheme.get(), sourceScheme.get()) == 0)
-    {
-        // every scheme can access another URI from the same scheme
-        return NS_OK;
-    }
-
     //-- Some callers do not allow loading javascript: or data: URLs
     if (((aFlags & (nsIScriptSecurityManager::DISALLOW_SCRIPT |
                     nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA)) &&
@@ -1292,6 +1286,12 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
        return NS_ERROR_DOM_BAD_URI;
     }
 
+    if (nsCRT::strcasecmp(targetScheme.get(), sourceScheme.get()) == 0)
+    {
+        // every scheme can access another URI from the same scheme
+        return NS_OK;
+    }
+
     //-- If the schemes don't match, the policy is specified in this table.
     enum Action { AllowProtocol, DenyProtocol, PrefControlled, ChromeProtocol};
     static const struct