summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-03-25 08:20:49 -0400
committerMark H Weaver <mhw@netris.org>2015-03-25 08:24:10 -0400
commit4c153a9125fa0913077b06b5ed537958ae4ca163 (patch)
tree15367cb88523e11c50cbdd65c97b0b254e7c525a
parent614c2188420a266ec512c9c04af3bb2ea46c4dc4 (diff)
downloadguix-4c153a9125fa0913077b06b5ed537958ae4ca163.tar.gz
gnu: icecat: Apply fixes for CVE-2015-{0817,0818} and other selected bugs.
* gnu/packages/patches/icecat-CVE-2015-0817.patch,
  gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch,
  gnu/packages/patches/icecat-bug-1127780.patch,
  gnu/packages/patches/icecat-bug-1144991.patch,
  gnu/packages/patches/icecat-bug-1145870.patch,
  gnu/packages/patches/icecat-bug-1146339.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat): Add patches.
-rw-r--r--gnu-system.am7
-rw-r--r--gnu/packages/gnuzilla.scm9
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0817.patch44
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch67
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch28
-rw-r--r--gnu/packages/patches/icecat-bug-1127780.patch25
-rw-r--r--gnu/packages/patches/icecat-bug-1144991.patch76
-rw-r--r--gnu/packages/patches/icecat-bug-1145870.patch43
-rw-r--r--gnu/packages/patches/icecat-bug-1146339.patch162
9 files changed, 460 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 153d395b57..1f2ebdf29e 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -432,6 +432,13 @@ dist_patch_DATA =						\
   gnu/packages/patches/guix-test-networking.patch		\
   gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
   gnu/packages/patches/hop-bigloo-4.0b.patch			\
+  gnu/packages/patches/icecat-bug-1127780.patch			\
+  gnu/packages/patches/icecat-bug-1144991.patch			\
+  gnu/packages/patches/icecat-bug-1145870.patch			\
+  gnu/packages/patches/icecat-bug-1146339.patch			\
+  gnu/packages/patches/icecat-CVE-2015-0817.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch		\
   gnu/packages/patches/irrlicht-mesa-10.patch			\
   gnu/packages/patches/jbig2dec-ignore-testtest.patch		\
   gnu/packages/patches/kmod-module-directory.patch		\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 1d450cda64..1e9deb8bff 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -224,7 +224,14 @@ standards.")
                           version "/" name "-" version ".tar.bz2"))
       (sha256
        (base32
-        "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))))
+        "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
+      (patches (map search-patch '("icecat-bug-1127780.patch"
+                                   "icecat-CVE-2015-0817.patch"
+                                   "icecat-bug-1144991.patch"
+                                   "icecat-CVE-2015-0818-pt1.patch"
+                                   "icecat-bug-1145870.patch"
+                                   "icecat-CVE-2015-0818-pt2.patch"
+                                   "icecat-bug-1146339.patch")))))
     (build-system gnu-build-system)
     (inputs
      `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-CVE-2015-0817.patch b/gnu/packages/patches/icecat-CVE-2015-0817.patch
new file mode 100644
index 0000000000..bb530a535d
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0817.patch
@@ -0,0 +1,44 @@
+From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001
+From: Steve Fink <sfink@mozilla.com>
+Date: Thu, 19 Mar 2015 15:46:24 -0700
+Subject: [PATCH] Bug 1145255. r=luke, a=lmandel
+
+---
+ js/src/jit/AsmJS.cpp | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp
+index 302b5ab..1b8eed6 100644
+--- a/js/src/jit/AsmJS.cpp
++++ b/js/src/jit/AsmJS.cpp
+@@ -14,6 +14,7 @@
+ 
+ #include "jsmath.h"
+ #include "jsprf.h"
++#include "jsutil.h"
+ #include "jsworkers.h"
+ #include "prmjtime.h"
+ 
+@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask,
+     if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
+         // Flag the access to skip the bounds check if the mask ensures that an 'out of
+         // bounds' access can not occur based on the current heap length constraint.
+-        if (mask2 == 0 ||
+-            CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) {
++        if (mask2 == 0) {
+             *needsBoundsCheck = NO_BOUNDS_CHECK;
++        } else {
++            uint32_t minHeap = f.m().minHeapLength();
++            uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1);
++            uint32_t maskZeroes = CountLeadingZeroes32(mask2);
++            if ((minHeapZeroes < maskZeroes) ||
++                (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes))
++            {
++                *needsBoundsCheck = NO_BOUNDS_CHECK;
++            }
+         }
+         *mask &= mask2;
+         *indexExpr = indexNode;
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch
new file mode 100644
index 0000000000..5d396eed6b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch
@@ -0,0 +1,67 @@
+From 79dddb16aaa58f5b5cef49dac6d234f500af3baf Mon Sep 17 00:00:00 2001
+From: Olli Pettay <Olli.Pettay@helsinki.fi>
+Date: Thu, 19 Mar 2015 21:53:32 -0400
+Subject: [PATCH] Bug 1144988 - Don't let other pages to load while doing
+ scroll-to-anchor. r=bz, a=lmandel
+
+---
+ docshell/base/nsDocShell.cpp | 23 ++++++++++++++---------
+ docshell/base/nsDocShell.h   |  1 +
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
+index 887c910..14ff3f2 100644
+--- a/docshell/base/nsDocShell.cpp
++++ b/docshell/base/nsDocShell.cpp
+@@ -4204,8 +4204,8 @@ nsDocShell::IsPrintingOrPP(bool aDisplayErrorDialog)
+ bool
+ nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
+ {
+-  bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && !mFiredUnloadEvent;
+-  if (!isAllowed) {
++  bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
++                   !mFiredUnloadEvent && !mBlockNavigation;  if (!isAllowed) {
+     return false;
+   }
+   if (!mContentViewer) {
+@@ -9321,13 +9321,18 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+             GetCurScrollPos(ScrollOrientation_X, &cx);
+             GetCurScrollPos(ScrollOrientation_Y, &cy);
+ 
+-            // ScrollToAnchor doesn't necessarily cause us to scroll the window;
+-            // the function decides whether a scroll is appropriate based on the
+-            // arguments it receives.  But even if we don't end up scrolling,
+-            // ScrollToAnchor performs other important tasks, such as informing
+-            // the presShell that we have a new hash.  See bug 680257.
+-            rv = ScrollToAnchor(curHash, newHash, aLoadType);
+-            NS_ENSURE_SUCCESS(rv, rv);
++            {
++                AutoRestore<bool> scrollingToAnchor(mBlockNavigation);
++                mBlockNavigation = true;
++
++                // ScrollToAnchor doesn't necessarily cause us to scroll the window;
++                // the function decides whether a scroll is appropriate based on the
++                // arguments it receives.  But even if we don't end up scrolling,
++                // ScrollToAnchor performs other important tasks, such as informing
++                // the presShell that we have a new hash.  See bug 680257.
++                rv = ScrollToAnchor(curHash, newHash, aLoadType);
++                NS_ENSURE_SUCCESS(rv, rv);
++            }
+ 
+             // Reset mLoadType to its original value once we exit this block,
+             // because this short-circuited load might have started after a
+diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
+index c191777..be353ee 100644
+--- a/docshell/base/nsDocShell.h
++++ b/docshell/base/nsDocShell.h
+@@ -835,6 +835,7 @@ protected:
+     bool                       mInPrivateBrowsing;
+     bool                       mUseRemoteTabs;
+     bool                       mDeviceSizeIsPageSize;
++    bool                       mBlockNavigation;
+ 
+     // Because scriptability depends on the mAllowJavascript values of our
+     // ancestors, we cache the effective scriptability and recompute it when
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch
new file mode 100644
index 0000000000..4eac5df4db
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch
@@ -0,0 +1,28 @@
+From 83364c747c421b191f9d4012896a9e5a1d5223ad Mon Sep 17 00:00:00 2001
+From: Kyle Huey <khuey@kylehuey.com>
+Date: Fri, 20 Mar 2015 19:15:13 -0700
+Subject: [PATCH] Bug 1144988. r=bz a=lmandel
+
+---
+ docshell/base/nsDocShell.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
+index 4cddcef..bdf88a5cf 100644
+--- a/docshell/base/nsDocShell.cpp
++++ b/docshell/base/nsDocShell.cpp
+@@ -1322,9 +1322,10 @@ nsDocShell::LoadURI(nsIURI * aURI,
+     
+     // Note: we allow loads to get through here even if mFiredUnloadEvent is
+     // true; that case will get handled in LoadInternal or LoadHistoryEntry.
+-    if (IsPrintingOrPP()) {
++    if (IsPrintingOrPP() || mBlockNavigation) {
+       return NS_OK; // JS may not handle returning of an error code
+     }
++
+     nsCOMPtr<nsIURI> referrer;
+     nsCOMPtr<nsIInputStream> postStream;
+     nsCOMPtr<nsIInputStream> headersStream;
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1127780.patch b/gnu/packages/patches/icecat-bug-1127780.patch
new file mode 100644
index 0000000000..c433616087
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1127780.patch
@@ -0,0 +1,25 @@
+From cf1de3d04302841aaa05aed8364da3399cbca9b4 Mon Sep 17 00:00:00 2001
+From: Bobby Holley <bobbyholley@gmail.com>
+Date: Tue, 17 Feb 2015 17:47:12 -0500
+Subject: [PATCH] Bug 1127780 - Add null check. r=bz, a=bkerensa
+
+---
+ js/xpconnect/wrappers/XrayWrapper.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h
+index ead095f1..cc8c580 100644
+--- a/js/xpconnect/wrappers/XrayWrapper.h
++++ b/js/xpconnect/wrappers/XrayWrapper.h
+@@ -131,7 +131,7 @@ class XrayWrapper : public Base {
+     {
+         if (!Base::getPrototypeOf(cx, wrapper, protop))
+             return false;
+-        if (WrapperFactory::IsXrayWrapper(protop))
++        if (!protop || WrapperFactory::IsXrayWrapper(protop))
+             return true;
+ 
+         protop.set(JS_GetObjectPrototype(cx, wrapper));
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1144991.patch b/gnu/packages/patches/icecat-bug-1144991.patch
new file mode 100644
index 0000000000..5632e37eb3
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1144991.patch
@@ -0,0 +1,76 @@
+From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Thu, 19 Mar 2015 18:58:44 -0400
+Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
+ URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
+ doesn't have the same scheme. r=bholley, a=abillings
+
+---
+ caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
+index 3587358..6577b95 100644
+--- a/caps/src/nsScriptSecurityManager.cpp
++++ b/caps/src/nsScriptSecurityManager.cpp
+@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
+     NS_ENSURE_SUCCESS(rv, rv);
+     if (hasFlags) {
+         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
++
++            // For now, don't change behavior for resource:// or moz-icon:// and
++            // just allow them.
+             if (!targetScheme.EqualsLiteral("chrome")) {
+-                // for now don't change behavior for resource: or moz-icon:
+                 return NS_OK;
+             }
+ 
+-            // allow load only if chrome package is whitelisted
++            // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
++            // target if ALLOW_CHROME is set.
++            //
++            // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
++            // loads (since docshell loads run the loaded content with its origin
++            // principal). So we're effectively allowing resource://, chrome://,
++            // and moz-icon:// source URIs to load resource://, chrome://, and
++            // moz-icon:// files, so long as they're not loading it as a document.
++            bool sourceIsUIResource;
++            rv = NS_URIChainHasFlags(sourceBaseURI,
++                                     nsIProtocolHandler::URI_IS_UI_RESOURCE,
++                                     &sourceIsUIResource);
++            NS_ENSURE_SUCCESS(rv, rv);
++            if (sourceIsUIResource) {
++                return NS_OK;
++            }
++
++            // Allow the load only if the chrome package is whitelisted.
+             nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
+                                                  NS_CHROMEREGISTRY_CONTRACTID));
+             if (reg) {
+@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
+             }
+         }
+ 
+-        // resource: and chrome: are equivalent, securitywise
+-        // That's bogus!!  Fix this.  But watch out for
+-        // the view-source stylesheet?
+-        bool sourceIsChrome;
+-        rv = NS_URIChainHasFlags(sourceBaseURI,
+-                                 nsIProtocolHandler::URI_IS_UI_RESOURCE,
+-                                 &sourceIsChrome);
+-        NS_ENSURE_SUCCESS(rv, rv);
+-        if (sourceIsChrome) {
++        // Special-case the hidden window: it's allowed to load
++        // URI_IS_UI_RESOURCE no matter what.  Bug 1145470 tracks removing this.
++        nsAutoCString sourceSpec;
++        if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
++            sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
+             return NS_OK;
+         }
++
+         if (reportErrors) {
+             ReportError(nullptr, errorTag, sourceURI, aTargetURI);
+         }
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1145870.patch b/gnu/packages/patches/icecat-bug-1145870.patch
new file mode 100644
index 0000000000..34a018c697
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1145870.patch
@@ -0,0 +1,43 @@
+From a40e2ebc2ab57dacb539d4e49ed4193764ff7112 Mon Sep 17 00:00:00 2001
+From: Kyle Huey <khuey@kylehuey.com>
+Date: Fri, 20 Mar 2015 19:05:56 -0700
+Subject: [PATCH] Bug 1145870. r=bz a=lmandel
+
+---
+ docshell/base/nsDocShell.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
+index 14ff3f2..4cddcef 100644
+--- a/docshell/base/nsDocShell.cpp
++++ b/docshell/base/nsDocShell.cpp
+@@ -8900,6 +8900,8 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ 
+     NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
+ 
++    NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
++
+     // wyciwyg urls can only be loaded through history. Any normal load of
+     // wyciwyg through docshell is  illegal. Disallow such loads.
+     if (aLoadType & LOAD_CMD_NORMAL) {
+@@ -12570,7 +12572,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
+ {
+   NS_ASSERTION(NS_IsMainThread(), "wrong thread");
+ 
+-  if (!IsOKToLoadURI(aURI)) {
++  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
+     return NS_OK;
+   }
+ 
+@@ -12626,7 +12628,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
+     *aRequest = nullptr;
+   }
+ 
+-  if (!IsOKToLoadURI(aURI)) {
++  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
+     return NS_OK;
+   }
+ 
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1146339.patch b/gnu/packages/patches/icecat-bug-1146339.patch
new file mode 100644
index 0000000000..9d858523b9
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146339.patch
@@ -0,0 +1,162 @@
+From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001
+From: Olli Pettay <Olli.Pettay@helsinki.fi>
+Date: Mon, 23 Mar 2015 22:23:53 -0400
+Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching
+ popstate/hashchange. r=bz, a=lmandel
+
+---
+ docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++-----------------------
+ docshell/base/nsDocShell.h   |  1 -
+ 2 files changed, 30 insertions(+), 35 deletions(-)
+
+diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
+index bdf88a5cf..efb6a6e 100644
+--- a/docshell/base/nsDocShell.cpp
++++ b/docshell/base/nsDocShell.cpp
+@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI,
+     
+     // Note: we allow loads to get through here even if mFiredUnloadEvent is
+     // true; that case will get handled in LoadInternal or LoadHistoryEntry.
+-    if (IsPrintingOrPP() || mBlockNavigation) {
++    if (IsPrintingOrPP()) {
+       return NS_OK; // JS may not handle returning of an error code
+     }
+ 
+@@ -4206,7 +4206,8 @@ bool
+ nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
+ {
+   bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
+-                   !mFiredUnloadEvent && !mBlockNavigation;  if (!isAllowed) {
++                   !mFiredUnloadEvent;
++  if (!isAllowed) {
+     return false;
+   }
+   if (!mContentViewer) {
+@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ 
+     NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
+ 
+-    NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
+-
+     // wyciwyg urls can only be loaded through history. Any normal load of
+     // wyciwyg through docshell is  illegal. Disallow such loads.
+     if (aLoadType & LOAD_CMD_NORMAL) {
+@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+             GetCurScrollPos(ScrollOrientation_X, &cx);
+             GetCurScrollPos(ScrollOrientation_Y, &cy);
+ 
+-            {
+-                AutoRestore<bool> scrollingToAnchor(mBlockNavigation);
+-                mBlockNavigation = true;
+-
+-                // ScrollToAnchor doesn't necessarily cause us to scroll the window;
+-                // the function decides whether a scroll is appropriate based on the
+-                // arguments it receives.  But even if we don't end up scrolling,
+-                // ScrollToAnchor performs other important tasks, such as informing
+-                // the presShell that we have a new hash.  See bug 680257.
+-                rv = ScrollToAnchor(curHash, newHash, aLoadType);
+-                NS_ENSURE_SUCCESS(rv, rv);
+-            }
+-
+             // Reset mLoadType to its original value once we exit this block,
+             // because this short-circuited load might have started after a
+             // normal, network load, and we don't want to clobber its load type.
+@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+                     mOSHE->SetCacheKey(cacheKey);
+             }
+ 
+-            /* restore previous position of scroller(s), if we're moving
+-             * back in history (bug 59774)
+-             */
+-            if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL))
+-            {
+-                nscoord bx, by;
+-                mOSHE->GetScrollPosition(&bx, &by);
+-                SetCurScrollPosEx(bx, by);
+-            }
+-
+             /* Restore the original LSHE if we were loading something
+              * while short-circuited load was initiated.
+              */
+@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ 
+             SetDocCurrentStateObj(mOSHE);
+ 
++            // Inform the favicon service that the favicon for oldURI also
++            // applies to aURI.
++            CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
++
++            nsRefPtr<nsGlobalWindow> win = mScriptGlobal ?
++              mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr;
++
++            // ScrollToAnchor doesn't necessarily cause us to scroll the window;
++            // the function decides whether a scroll is appropriate based on the
++            // arguments it receives.  But even if we don't end up scrolling,
++            // ScrollToAnchor performs other important tasks, such as informing
++            // the presShell that we have a new hash.  See bug 680257.
++            rv = ScrollToAnchor(curHash, newHash, aLoadType);
++            NS_ENSURE_SUCCESS(rv, rv);
++
++            /* restore previous position of scroller(s), if we're moving
++             * back in history (bug 59774)
++             */
++            if (mOSHE && (aLoadType == LOAD_HISTORY ||
++                          aLoadType == LOAD_RELOAD_NORMAL)) {
++              nscoord bx, by;
++              mOSHE->GetScrollPosition(&bx, &by);
++              SetCurScrollPosEx(bx, by);
++            }
++
+             // Dispatch the popstate and hashchange events, as appropriate.
+             //
+             // The event dispatch below can cause us to re-enter script and
+             // destroy the docshell, nulling out mScriptGlobal. Hold a stack
+             // reference to avoid null derefs. See bug 914521.
+-            nsRefPtr<nsGlobalWindow> win = mScriptGlobal;
+             if (win) {
+                 // Fire a hashchange event URIs differ, and only in their hashes.
+                 bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
+@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+                 }
+             }
+ 
+-            // Inform the favicon service that the favicon for oldURI also
+-            // applies to aURI.
+-            CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
+-
+             return NS_OK;
+         }
+     }
+@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
+ {
+   NS_ASSERTION(NS_IsMainThread(), "wrong thread");
+ 
+-  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
++  if (!IsOKToLoadURI(aURI)) {
+     return NS_OK;
+   }
+ 
+@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
+     *aRequest = nullptr;
+   }
+ 
+-  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
++  if (!IsOKToLoadURI(aURI)) {
+     return NS_OK;
+   }
+ 
+diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
+index be353ee..c191777 100644
+--- a/docshell/base/nsDocShell.h
++++ b/docshell/base/nsDocShell.h
+@@ -835,7 +835,6 @@ protected:
+     bool                       mInPrivateBrowsing;
+     bool                       mUseRemoteTabs;
+     bool                       mDeviceSizeIsPageSize;
+-    bool                       mBlockNavigation;
+ 
+     // Because scriptability depends on the mAllowJavascript values of our
+     // ancestors, we cache the effective scriptability and recompute it when
+-- 
+2.2.1
+