bug 292789 prevent use of chrome: URIs from <script>, <img> stylesheets, etc except for chrome packages explicitly marked contentaccessible. r=bzbarsky, sr=jst, a=beltzner

browser/base/jar.mn

@@ -1,5 +1,5 @@
 browser.jar:
-%  content browser %content/browser/ xpcnativewrappers=yes
+%  content browser %content/browser/ xpcnativewrappers=yes contentaccessible=yes
 #ifdef XP_MACOSX
 %  overlay chrome://mozapps/content/downloads/downloads.xul chrome://browser/content/downloadManagerOverlay.xul
 %  overlay chrome://mozapps/content/extensions/extensions.xul chrome://browser/content/extensionsManagerOverlay.xul

caps/src/nsScriptSecurityManager.cpp

@@ -92,6 +92,7 @@
 #include "nsIClassInfo.h"
 #include "nsIURIFixup.h"
 #include "nsCDefaultURIFixup.h"
+#include "nsIChromeRegistry.h"
 
 static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID);
 
@@ -1355,7 +1356,21 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
     NS_ENSURE_SUCCESS(rv, rv);
     if (hasFlags) {
         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-            return NS_OK;
+            if (!targetScheme.EqualsLiteral("chrome")) {
+                // for now don't change behavior for resource: or moz-icon:
+                return NS_OK;
+            }
+
+            // allow load only if chrome package is whitelisted
+            nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
+                                                 NS_CHROMEREGISTRY_CONTRACTID));
+            if (reg) {
+                PRBool accessAllowed = PR_FALSE;
+                reg->AllowContentToAccess(targetBaseURI, &accessAllowed);
+                if (accessAllowed) {
+                    return NS_OK;
+                }
+            }
         }
 
         // resource: and chrome: are equivalent, securitywise

toolkit/content/jar.mn

@@ -1,5 +1,5 @@
 toolkit.jar:
-%  content global %content/global/ xpcnativewrappers=yes
+%  content global %content/global/ xpcnativewrappers=yes contentaccessible=yes
 %  content global-platform %content/global-platform/ platform xpcnativewrappers=yes
 %  content global-region %content/global-region/ xpcnativewrappers=yes
 # provide the nsTransferable in nsDragAndDrop.js to extensions that have to