Fix bug 490790. r=dveditz

content/base/public/nsContentUtils.h

@@ -1256,6 +1256,11 @@ public:
                                           const nsACString& aMimeGuess = EmptyCString(),
                                           nsISupports* aExtra = nsnull);
 
+  /**
+   * Returns true if aPrincipal is the system principal.
+   */
+  static PRBool IsSystemPrincipal(nsIPrincipal* aPrincipal);
+
   /**
    * Trigger a link with uri aLinkURI. If aClick is false, this triggers a
    * mouseover on the link, otherwise it triggers a load after doing a

content/base/public/nsIContentPolicy.idl

@@ -112,7 +112,7 @@ interface nsIContentPolicy : nsISupports
   const unsigned long TYPE_PING        = 10;
 
   /**
-   * Indicates an XMLHttpRequest.
+   * Indicates an XMLHttpRequest. Also used for document.load.
    */
   const unsigned long TYPE_XMLHTTPREQUEST = 11;
 

content/base/src/nsContentUtils.cpp

@@ -4251,6 +4251,14 @@ nsContentUtils::CheckSecurityBeforeLoad(nsIURI* aURIToLoad,
   return aLoadingPrincipal->CheckMayLoad(aURIToLoad, PR_TRUE);
 }
 
+PRBool
+nsContentUtils::IsSystemPrincipal(nsIPrincipal* aPrincipal)
+{
+  PRBool isSystem;
+  nsresult rv = sSecurityManager->IsSystemPrincipal(aPrincipal, &isSystem);
+  return NS_SUCCEEDED(rv) && isSystem;
+}
+
 /* static */
 void
 nsContentUtils::TriggerLink(nsIContent *aContent, nsPresContext *aPresContext,

content/xml/document/src/nsXMLDocument.cpp

@@ -85,6 +85,8 @@
 #include "nsIScriptGlobalObjectOwner.h"
 #include "nsIJSContextStack.h"
 #include "nsContentCreatorFunctions.h"
+#include "nsContentPolicyUtils.h"
+#include "nsContentErrors.h"
 #include "nsIDOMUserDataHandler.h"
 #include "nsEventDispatcher.h"
 #include "nsNodeUtils.h"
@@ -335,10 +337,6 @@ nsXMLDocument::Load(const nsAString& aUrl, PRBool *aReturn)
     return rv;
   }
 
-  nsCOMPtr<nsIPrincipal> principal = NodePrincipal();
-  nsCOMPtr<nsIURI> codebase;
-  principal->GetURI(getter_AddRefs(codebase));
-
   // Check to see whether the current document is allowed to load this URI.
   // It's important to use the current document's principal for this check so
   // that we don't end up in a case where code with elevated privileges is
@@ -347,9 +345,26 @@ nsXMLDocument::Load(const nsAString& aUrl, PRBool *aReturn)
   // Enforce same-origin even for chrome loaders to avoid someone accidentally
   // using a document that content has a reference to and turn that into a
   // chrome document.
-  if (codebase) {
+  nsCOMPtr<nsIPrincipal> principal = NodePrincipal();
+  if (!nsContentUtils::IsSystemPrincipal(principal)) {
     rv = principal->CheckMayLoad(uri, PR_FALSE);
     NS_ENSURE_SUCCESS(rv, rv);
+
+    PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
+    rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_XMLHTTPREQUEST,
+                                   uri,
+                                   principal,
+                                   callingDoc ? callingDoc.get() :
+                                     static_cast<nsIDocument*>(this),
+                                   NS_LITERAL_CSTRING("application/xml"),
+                                   nsnull,
+                                   &shouldLoad,
+                                   nsContentUtils::GetContentPolicy(),
+                                   nsContentUtils::GetSecurityManager());
+    NS_ENSURE_SUCCESS(rv, rv);
+    if (NS_CP_REJECTED(shouldLoad)) {
+      return NS_ERROR_CONTENT_BLOCKED;
+    }
   } else {
     // We're called from chrome, check to make sure the URI we're
     // about to load is also chrome.