summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu-system.am11
-rw-r--r--gnu/packages/gnuzilla.scm15
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0801.patch162
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0807.patch30
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch63
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch89
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch37
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0816.patch76
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0817.patch44
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch67
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch28
-rw-r--r--gnu/packages/patches/icecat-bug-1127780.patch25
-rw-r--r--gnu/packages/patches/icecat-bug-1145870.patch43
13 files changed, 2 insertions, 688 deletions
diff --git a/gnu-system.am b/gnu-system.am
index f7c7af78f3..2b4f69dc73 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -438,17 +438,6 @@ dist_patch_DATA =						\
   gnu/packages/patches/guix-test-networking.patch		\
   gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
   gnu/packages/patches/hop-bigloo-4.0b.patch			\
-  gnu/packages/patches/icecat-bug-1127780.patch			\
-  gnu/packages/patches/icecat-bug-1145870.patch			\
-  gnu/packages/patches/icecat-CVE-2015-0801.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0807.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0816.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0817.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch		\
-  gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch		\
   gnu/packages/patches/irrlicht-mesa-10.patch			\
   gnu/packages/patches/jbig2dec-ignore-testtest.patch		\
   gnu/packages/patches/kmod-module-directory.patch		\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 068e1f1ef0..e422d0a9f6 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -219,7 +219,7 @@ standards.")
 (define-public icecat
   (package
     (name "icecat")
-    (version "31.5.0")
+    (version "31.6.0-gnu1")
     (source
      (origin
       (method url-fetch)
@@ -227,18 +227,7 @@ standards.")
                           version "/" name "-" version ".tar.bz2"))
       (sha256
        (base32
-        "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
-      (patches (map search-patch '("icecat-CVE-2015-0815-pt1.patch"
-                                   "icecat-CVE-2015-0815-pt2.patch"
-                                   "icecat-bug-1127780.patch"
-                                   "icecat-CVE-2015-0807.patch"
-                                   "icecat-CVE-2015-0815-pt3.patch"
-                                   "icecat-CVE-2015-0817.patch"
-                                   "icecat-CVE-2015-0816.patch"
-                                   "icecat-CVE-2015-0818-pt1.patch"
-                                   "icecat-bug-1145870.patch"
-                                   "icecat-CVE-2015-0818-pt2.patch"
-                                   "icecat-CVE-2015-0801.patch")))))
+        "1a4l23msg4cpc4yp59q2z6xv63r6advlbnjy65v4djv6yhgnqf1i"))))
     (build-system gnu-build-system)
     (inputs
      `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-CVE-2015-0801.patch b/gnu/packages/patches/icecat-CVE-2015-0801.patch
deleted file mode 100644
index 9d858523b9..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0801.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001
-From: Olli Pettay <Olli.Pettay@helsinki.fi>
-Date: Mon, 23 Mar 2015 22:23:53 -0400
-Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching
- popstate/hashchange. r=bz, a=lmandel
-
----
- docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++-----------------------
- docshell/base/nsDocShell.h   |  1 -
- 2 files changed, 30 insertions(+), 35 deletions(-)
-
-diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
-index bdf88a5cf..efb6a6e 100644
---- a/docshell/base/nsDocShell.cpp
-+++ b/docshell/base/nsDocShell.cpp
-@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI,
-     
-     // Note: we allow loads to get through here even if mFiredUnloadEvent is
-     // true; that case will get handled in LoadInternal or LoadHistoryEntry.
--    if (IsPrintingOrPP() || mBlockNavigation) {
-+    if (IsPrintingOrPP()) {
-       return NS_OK; // JS may not handle returning of an error code
-     }
- 
-@@ -4206,7 +4206,8 @@ bool
- nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
- {
-   bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
--                   !mFiredUnloadEvent && !mBlockNavigation;  if (!isAllowed) {
-+                   !mFiredUnloadEvent;
-+  if (!isAllowed) {
-     return false;
-   }
-   if (!mContentViewer) {
-@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
- 
-     NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
- 
--    NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
--
-     // wyciwyg urls can only be loaded through history. Any normal load of
-     // wyciwyg through docshell is  illegal. Disallow such loads.
-     if (aLoadType & LOAD_CMD_NORMAL) {
-@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
-             GetCurScrollPos(ScrollOrientation_X, &cx);
-             GetCurScrollPos(ScrollOrientation_Y, &cy);
- 
--            {
--                AutoRestore<bool> scrollingToAnchor(mBlockNavigation);
--                mBlockNavigation = true;
--
--                // ScrollToAnchor doesn't necessarily cause us to scroll the window;
--                // the function decides whether a scroll is appropriate based on the
--                // arguments it receives.  But even if we don't end up scrolling,
--                // ScrollToAnchor performs other important tasks, such as informing
--                // the presShell that we have a new hash.  See bug 680257.
--                rv = ScrollToAnchor(curHash, newHash, aLoadType);
--                NS_ENSURE_SUCCESS(rv, rv);
--            }
--
-             // Reset mLoadType to its original value once we exit this block,
-             // because this short-circuited load might have started after a
-             // normal, network load, and we don't want to clobber its load type.
-@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
-                     mOSHE->SetCacheKey(cacheKey);
-             }
- 
--            /* restore previous position of scroller(s), if we're moving
--             * back in history (bug 59774)
--             */
--            if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL))
--            {
--                nscoord bx, by;
--                mOSHE->GetScrollPosition(&bx, &by);
--                SetCurScrollPosEx(bx, by);
--            }
--
-             /* Restore the original LSHE if we were loading something
-              * while short-circuited load was initiated.
-              */
-@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI,
- 
-             SetDocCurrentStateObj(mOSHE);
- 
-+            // Inform the favicon service that the favicon for oldURI also
-+            // applies to aURI.
-+            CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
-+
-+            nsRefPtr<nsGlobalWindow> win = mScriptGlobal ?
-+              mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr;
-+
-+            // ScrollToAnchor doesn't necessarily cause us to scroll the window;
-+            // the function decides whether a scroll is appropriate based on the
-+            // arguments it receives.  But even if we don't end up scrolling,
-+            // ScrollToAnchor performs other important tasks, such as informing
-+            // the presShell that we have a new hash.  See bug 680257.
-+            rv = ScrollToAnchor(curHash, newHash, aLoadType);
-+            NS_ENSURE_SUCCESS(rv, rv);
-+
-+            /* restore previous position of scroller(s), if we're moving
-+             * back in history (bug 59774)
-+             */
-+            if (mOSHE && (aLoadType == LOAD_HISTORY ||
-+                          aLoadType == LOAD_RELOAD_NORMAL)) {
-+              nscoord bx, by;
-+              mOSHE->GetScrollPosition(&bx, &by);
-+              SetCurScrollPosEx(bx, by);
-+            }
-+
-             // Dispatch the popstate and hashchange events, as appropriate.
-             //
-             // The event dispatch below can cause us to re-enter script and
-             // destroy the docshell, nulling out mScriptGlobal. Hold a stack
-             // reference to avoid null derefs. See bug 914521.
--            nsRefPtr<nsGlobalWindow> win = mScriptGlobal;
-             if (win) {
-                 // Fire a hashchange event URIs differ, and only in their hashes.
-                 bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
-@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
-                 }
-             }
- 
--            // Inform the favicon service that the favicon for oldURI also
--            // applies to aURI.
--            CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
--
-             return NS_OK;
-         }
-     }
-@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
- {
-   NS_ASSERTION(NS_IsMainThread(), "wrong thread");
- 
--  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
-+  if (!IsOKToLoadURI(aURI)) {
-     return NS_OK;
-   }
- 
-@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
-     *aRequest = nullptr;
-   }
- 
--  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
-+  if (!IsOKToLoadURI(aURI)) {
-     return NS_OK;
-   }
- 
-diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
-index be353ee..c191777 100644
---- a/docshell/base/nsDocShell.h
-+++ b/docshell/base/nsDocShell.h
-@@ -835,7 +835,6 @@ protected:
-     bool                       mInPrivateBrowsing;
-     bool                       mUseRemoteTabs;
-     bool                       mDeviceSizeIsPageSize;
--    bool                       mBlockNavigation;
- 
-     // Because scriptability depends on the mAllowJavascript values of our
-     // ancestors, we cache the effective scriptability and recompute it when
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0807.patch b/gnu/packages/patches/icecat-CVE-2015-0807.patch
deleted file mode 100644
index 833bc36d6b..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0807.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 1b97832a8ae9983e4f15befe142f5ea0626707f1 Mon Sep 17 00:00:00 2001
-From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
-Date: Thu, 19 Feb 2015 13:43:40 -0800
-Subject: [PATCH] Bug 1111834 - CORS request after preflight should not follow
- 30x redirect. r=sicking, a=lmandel
-
----
- dom/base/Navigator.cpp | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
-index 020e370..727b7cb7 100644
---- a/dom/base/Navigator.cpp
-+++ b/dom/base/Navigator.cpp
-@@ -1278,6 +1278,12 @@ Navigator::SendBeacon(const nsAString& aUrl,
-       !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) &&
-       !contentType.Equals(MULTIPART_FORM_DATA) &&
-       !contentType.Equals(TEXT_PLAIN)) {
-+
-+    // we need to set the sameOriginChecker as a notificationCallback
-+    // so we can tell the channel not to follow redirects
-+    nsCOMPtr<nsIInterfaceRequestor> soc = nsContentUtils::GetSameOriginChecker();
-+    channel->SetNotificationCallbacks(soc);
-+
-     nsCOMPtr<nsIChannel> preflightChannel;
-     nsTArray<nsCString> unsafeHeaders;
-     unsafeHeaders.AppendElement(NS_LITERAL_CSTRING("Content-Type"));
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
deleted file mode 100644
index 1dd5e20c67..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
-From: Steve Fink <sfink@mozilla.com>
-Date: Mon, 12 Jan 2015 14:19:27 -0800
-Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
- JS_iterateCompartments. r=terrence, a=abillings
-
----
- js/src/gc/Zone.h | 11 ++++++-----
- js/src/jsapi.h   |  5 +++--
- 2 files changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
-index cbbde6b..612defe 100644
---- a/js/src/gc/Zone.h
-+++ b/js/src/gc/Zone.h
-@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
-     // This is for the benefit of CompartmentsIterT::comp.
-     friend class mozilla::Maybe<CompartmentsInZoneIter>;
-   private:
--    JSCompartment **it, **end;
-+    JS::Zone *zone;
-+    JSCompartment **it;
- 
-     CompartmentsInZoneIter()
--      : it(nullptr), end(nullptr)
-+      : zone(nullptr), it(nullptr)
-     {}
- 
-   public:
--    explicit CompartmentsInZoneIter(JS::Zone *zone) {
-+    explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
-         it = zone->compartments.begin();
--        end = zone->compartments.end();
-     }
- 
-     bool done() const {
-         JS_ASSERT(it);
--        return it == end;
-+        return it < zone->compartments.begin() ||
-+               it >= zone->compartments.end();
-     }
-     void next() {
-         JS_ASSERT(!done());
-diff --git a/js/src/jsapi.h b/js/src/jsapi.h
-index 5ae1f86..40fdb37 100644
---- a/js/src/jsapi.h
-+++ b/js/src/jsapi.h
-@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
- typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
- 
- /*
-- * This function calls |compartmentCallback| on every compartment.  Beware that
-+ * This function calls |compartmentCallback| on every compartment. Beware that
-  * there is no guarantee that the compartment will survive after the callback
-- * returns.
-+ * returns. Also, if the callback can GC, there is no guarantee that every
-+ * compartment will be visited.
-  */
- extern JS_PUBLIC_API(void)
- JS_IterateCompartments(JSRuntime *rt, void *data,
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
deleted file mode 100644
index 0a0cbed177..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001
-From: Nathan Froyd <froydnj@mozilla.com>
-Date: Fri, 6 Feb 2015 16:19:36 -0500
-Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in
- nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings
-
----
- xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++---------------------
- 1 file changed, 28 insertions(+), 27 deletions(-)
-
-diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp
-index bd586c9..b95846f 100644
---- a/xpcom/threads/TimerThread.cpp
-+++ b/xpcom/threads/TimerThread.cpp
-@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run()
-           RemoveTimerInternal(timer);
-           timer = nullptr;
- 
-+#ifdef DEBUG_TIMERS
-+          if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
-+            PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
-+                   ("Timer thread woke up %fms from when it was supposed to\n",
-+                    fabs((now - timerRef->mTimeout).ToMilliseconds())));
-+          }
-+#endif
-+
-           {
-             // We release mMonitor around the Fire call to avoid deadlock.
-             MonitorAutoUnlock unlock(mMonitor);
- 
--#ifdef DEBUG_TIMERS
--            if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
--              PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
--                     ("Timer thread woke up %fms from when it was supposed to\n",
--                      fabs((now - timerRef->mTimeout).ToMilliseconds())));
--            }
--#endif
- 
-             // We are going to let the call to PostTimerEvent here handle the
-             // release of the timer so that we don't end up releasing the timer
-             // on the TimerThread instead of on the thread it targets.
-             timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());
-+          }
- 
--            if (timerRef) {
--              // We got our reference back due to an error.
--              // Unhook the nsRefPtr, and release manually so we can get the
--              // refcount.
--              nsrefcnt rc = timerRef.forget().take()->Release();
--              (void)rc;
--
--              // The nsITimer interface requires that its users keep a reference
--              // to the timers they use while those timers are initialized but
--              // have not yet fired.  If this ever happens, it is a bug in the
--              // code that created and used the timer.
--              //
--              // Further, note that this should never happen even with a
--              // misbehaving user, because nsTimerImpl::Release checks for a
--              // refcount of 1 with an armed timer (a timer whose only reference
--              // is from the timer thread) and when it hits this will remove the
--              // timer from the timer thread and thus destroy the last reference,
--              // preventing this situation from occurring.
--              MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
--            }
-+          if (timerRef) {
-+            // We got our reference back due to an error.
-+            // Unhook the nsRefPtr, and release manually so we can get the
-+            // refcount.
-+            nsrefcnt rc = timerRef.forget().take()->Release();
-+            (void)rc;
-+
-+            // The nsITimer interface requires that its users keep a reference
-+            // to the timers they use while those timers are initialized but
-+            // have not yet fired.  If this ever happens, it is a bug in the
-+            // code that created and used the timer.
-+            //
-+            // Further, note that this should never happen even with a
-+            // misbehaving user, because nsTimerImpl::Release checks for a
-+            // refcount of 1 with an armed timer (a timer whose only reference
-+            // is from the timer thread) and when it hits this will remove the
-+            // timer from the timer thread and thus destroy the last reference,
-+            // preventing this situation from occurring.
-+            MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
-           }
- 
-           if (mShutdown)
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
deleted file mode 100644
index 5ac053df78..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From e7fc74f6a281c12a4a406f2dd20ff2c27a61484d Mon Sep 17 00:00:00 2001
-From: Brian Hackett <bhackett1024@gmail.com>
-Date: Sun, 8 Mar 2015 22:10:01 -0400
-Subject: [PATCH] Bug 1138199. r=billm, a=lmandel
-
----
- js/src/ds/LifoAlloc.h | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h
-index 7617cf5..b112353 100644
---- a/js/src/ds/LifoAlloc.h
-+++ b/js/src/ds/LifoAlloc.h
-@@ -193,14 +193,14 @@ class LifoAlloc
- 
-     // Append used chunks to the end of this LifoAlloc. We act as if all the
-     // chunks in |this| are used, even if they're not, so memory may be wasted.
--    void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) {
--        JS_ASSERT(start && latest &&  end);
-+    void appendUsed(BumpChunk *otherFirst, BumpChunk *otherLatest, BumpChunk *otherLast) {
-+        JS_ASSERT(otherFirst && otherLatest && otherLast);
-         if (last)
--            last->setNext(start);
-+            last->setNext(otherFirst);
-         else
--            first = latest = start;
--        last = end;
--        this->latest = latest;
-+            first = otherFirst;
-+        latest = otherLatest;
-+        last = otherLast;
-     }
- 
-     void incrementCurSize(size_t size) {
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0816.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch
deleted file mode 100644
index 5632e37eb3..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0816.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
-From: Boris Zbarsky <bzbarsky@mit.edu>
-Date: Thu, 19 Mar 2015 18:58:44 -0400
-Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
- URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
- doesn't have the same scheme. r=bholley, a=abillings
-
----
- caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
- 1 file changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
-index 3587358..6577b95 100644
---- a/caps/src/nsScriptSecurityManager.cpp
-+++ b/caps/src/nsScriptSecurityManager.cpp
-@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
-     NS_ENSURE_SUCCESS(rv, rv);
-     if (hasFlags) {
-         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-+
-+            // For now, don't change behavior for resource:// or moz-icon:// and
-+            // just allow them.
-             if (!targetScheme.EqualsLiteral("chrome")) {
--                // for now don't change behavior for resource: or moz-icon:
-                 return NS_OK;
-             }
- 
--            // allow load only if chrome package is whitelisted
-+            // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
-+            // target if ALLOW_CHROME is set.
-+            //
-+            // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
-+            // loads (since docshell loads run the loaded content with its origin
-+            // principal). So we're effectively allowing resource://, chrome://,
-+            // and moz-icon:// source URIs to load resource://, chrome://, and
-+            // moz-icon:// files, so long as they're not loading it as a document.
-+            bool sourceIsUIResource;
-+            rv = NS_URIChainHasFlags(sourceBaseURI,
-+                                     nsIProtocolHandler::URI_IS_UI_RESOURCE,
-+                                     &sourceIsUIResource);
-+            NS_ENSURE_SUCCESS(rv, rv);
-+            if (sourceIsUIResource) {
-+                return NS_OK;
-+            }
-+
-+            // Allow the load only if the chrome package is whitelisted.
-             nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
-                                                  NS_CHROMEREGISTRY_CONTRACTID));
-             if (reg) {
-@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
-             }
-         }
- 
--        // resource: and chrome: are equivalent, securitywise
--        // That's bogus!!  Fix this.  But watch out for
--        // the view-source stylesheet?
--        bool sourceIsChrome;
--        rv = NS_URIChainHasFlags(sourceBaseURI,
--                                 nsIProtocolHandler::URI_IS_UI_RESOURCE,
--                                 &sourceIsChrome);
--        NS_ENSURE_SUCCESS(rv, rv);
--        if (sourceIsChrome) {
-+        // Special-case the hidden window: it's allowed to load
-+        // URI_IS_UI_RESOURCE no matter what.  Bug 1145470 tracks removing this.
-+        nsAutoCString sourceSpec;
-+        if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
-+            sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
-             return NS_OK;
-         }
-+
-         if (reportErrors) {
-             ReportError(nullptr, errorTag, sourceURI, aTargetURI);
-         }
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0817.patch b/gnu/packages/patches/icecat-CVE-2015-0817.patch
deleted file mode 100644
index bb530a535d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0817.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001
-From: Steve Fink <sfink@mozilla.com>
-Date: Thu, 19 Mar 2015 15:46:24 -0700
-Subject: [PATCH] Bug 1145255. r=luke, a=lmandel
-
----
- js/src/jit/AsmJS.cpp | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp
-index 302b5ab..1b8eed6 100644
---- a/js/src/jit/AsmJS.cpp
-+++ b/js/src/jit/AsmJS.cpp
-@@ -14,6 +14,7 @@
- 
- #include "jsmath.h"
- #include "jsprf.h"
-+#include "jsutil.h"
- #include "jsworkers.h"
- #include "prmjtime.h"
- 
-@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask,
-     if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
-         // Flag the access to skip the bounds check if the mask ensures that an 'out of
-         // bounds' access can not occur based on the current heap length constraint.
--        if (mask2 == 0 ||
--            CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) {
-+        if (mask2 == 0) {
-             *needsBoundsCheck = NO_BOUNDS_CHECK;
-+        } else {
-+            uint32_t minHeap = f.m().minHeapLength();
-+            uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1);
-+            uint32_t maskZeroes = CountLeadingZeroes32(mask2);
-+            if ((minHeapZeroes < maskZeroes) ||
-+                (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes))
-+            {
-+                *needsBoundsCheck = NO_BOUNDS_CHECK;
-+            }
-         }
-         *mask &= mask2;
-         *indexExpr = indexNode;
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch
deleted file mode 100644
index 5d396eed6b..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 79dddb16aaa58f5b5cef49dac6d234f500af3baf Mon Sep 17 00:00:00 2001
-From: Olli Pettay <Olli.Pettay@helsinki.fi>
-Date: Thu, 19 Mar 2015 21:53:32 -0400
-Subject: [PATCH] Bug 1144988 - Don't let other pages to load while doing
- scroll-to-anchor. r=bz, a=lmandel
-
----
- docshell/base/nsDocShell.cpp | 23 ++++++++++++++---------
- docshell/base/nsDocShell.h   |  1 +
- 2 files changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
-index 887c910..14ff3f2 100644
---- a/docshell/base/nsDocShell.cpp
-+++ b/docshell/base/nsDocShell.cpp
-@@ -4204,8 +4204,8 @@ nsDocShell::IsPrintingOrPP(bool aDisplayErrorDialog)
- bool
- nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
- {
--  bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && !mFiredUnloadEvent;
--  if (!isAllowed) {
-+  bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
-+                   !mFiredUnloadEvent && !mBlockNavigation;  if (!isAllowed) {
-     return false;
-   }
-   if (!mContentViewer) {
-@@ -9321,13 +9321,18 @@ nsDocShell::InternalLoad(nsIURI * aURI,
-             GetCurScrollPos(ScrollOrientation_X, &cx);
-             GetCurScrollPos(ScrollOrientation_Y, &cy);
- 
--            // ScrollToAnchor doesn't necessarily cause us to scroll the window;
--            // the function decides whether a scroll is appropriate based on the
--            // arguments it receives.  But even if we don't end up scrolling,
--            // ScrollToAnchor performs other important tasks, such as informing
--            // the presShell that we have a new hash.  See bug 680257.
--            rv = ScrollToAnchor(curHash, newHash, aLoadType);
--            NS_ENSURE_SUCCESS(rv, rv);
-+            {
-+                AutoRestore<bool> scrollingToAnchor(mBlockNavigation);
-+                mBlockNavigation = true;
-+
-+                // ScrollToAnchor doesn't necessarily cause us to scroll the window;
-+                // the function decides whether a scroll is appropriate based on the
-+                // arguments it receives.  But even if we don't end up scrolling,
-+                // ScrollToAnchor performs other important tasks, such as informing
-+                // the presShell that we have a new hash.  See bug 680257.
-+                rv = ScrollToAnchor(curHash, newHash, aLoadType);
-+                NS_ENSURE_SUCCESS(rv, rv);
-+            }
- 
-             // Reset mLoadType to its original value once we exit this block,
-             // because this short-circuited load might have started after a
-diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
-index c191777..be353ee 100644
---- a/docshell/base/nsDocShell.h
-+++ b/docshell/base/nsDocShell.h
-@@ -835,6 +835,7 @@ protected:
-     bool                       mInPrivateBrowsing;
-     bool                       mUseRemoteTabs;
-     bool                       mDeviceSizeIsPageSize;
-+    bool                       mBlockNavigation;
- 
-     // Because scriptability depends on the mAllowJavascript values of our
-     // ancestors, we cache the effective scriptability and recompute it when
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch
deleted file mode 100644
index 4eac5df4db..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 83364c747c421b191f9d4012896a9e5a1d5223ad Mon Sep 17 00:00:00 2001
-From: Kyle Huey <khuey@kylehuey.com>
-Date: Fri, 20 Mar 2015 19:15:13 -0700
-Subject: [PATCH] Bug 1144988. r=bz a=lmandel
-
----
- docshell/base/nsDocShell.cpp | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
-index 4cddcef..bdf88a5cf 100644
---- a/docshell/base/nsDocShell.cpp
-+++ b/docshell/base/nsDocShell.cpp
-@@ -1322,9 +1322,10 @@ nsDocShell::LoadURI(nsIURI * aURI,
-     
-     // Note: we allow loads to get through here even if mFiredUnloadEvent is
-     // true; that case will get handled in LoadInternal or LoadHistoryEntry.
--    if (IsPrintingOrPP()) {
-+    if (IsPrintingOrPP() || mBlockNavigation) {
-       return NS_OK; // JS may not handle returning of an error code
-     }
-+
-     nsCOMPtr<nsIURI> referrer;
-     nsCOMPtr<nsIInputStream> postStream;
-     nsCOMPtr<nsIInputStream> headersStream;
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-bug-1127780.patch b/gnu/packages/patches/icecat-bug-1127780.patch
deleted file mode 100644
index c433616087..0000000000
--- a/gnu/packages/patches/icecat-bug-1127780.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From cf1de3d04302841aaa05aed8364da3399cbca9b4 Mon Sep 17 00:00:00 2001
-From: Bobby Holley <bobbyholley@gmail.com>
-Date: Tue, 17 Feb 2015 17:47:12 -0500
-Subject: [PATCH] Bug 1127780 - Add null check. r=bz, a=bkerensa
-
----
- js/xpconnect/wrappers/XrayWrapper.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h
-index ead095f1..cc8c580 100644
---- a/js/xpconnect/wrappers/XrayWrapper.h
-+++ b/js/xpconnect/wrappers/XrayWrapper.h
-@@ -131,7 +131,7 @@ class XrayWrapper : public Base {
-     {
-         if (!Base::getPrototypeOf(cx, wrapper, protop))
-             return false;
--        if (WrapperFactory::IsXrayWrapper(protop))
-+        if (!protop || WrapperFactory::IsXrayWrapper(protop))
-             return true;
- 
-         protop.set(JS_GetObjectPrototype(cx, wrapper));
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/icecat-bug-1145870.patch b/gnu/packages/patches/icecat-bug-1145870.patch
deleted file mode 100644
index 34a018c697..0000000000
--- a/gnu/packages/patches/icecat-bug-1145870.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a40e2ebc2ab57dacb539d4e49ed4193764ff7112 Mon Sep 17 00:00:00 2001
-From: Kyle Huey <khuey@kylehuey.com>
-Date: Fri, 20 Mar 2015 19:05:56 -0700
-Subject: [PATCH] Bug 1145870. r=bz a=lmandel
-
----
- docshell/base/nsDocShell.cpp | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
-index 14ff3f2..4cddcef 100644
---- a/docshell/base/nsDocShell.cpp
-+++ b/docshell/base/nsDocShell.cpp
-@@ -8900,6 +8900,8 @@ nsDocShell::InternalLoad(nsIURI * aURI,
- 
-     NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
- 
-+    NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
-+
-     // wyciwyg urls can only be loaded through history. Any normal load of
-     // wyciwyg through docshell is  illegal. Disallow such loads.
-     if (aLoadType & LOAD_CMD_NORMAL) {
-@@ -12570,7 +12572,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
- {
-   NS_ASSERTION(NS_IsMainThread(), "wrong thread");
- 
--  if (!IsOKToLoadURI(aURI)) {
-+  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
-     return NS_OK;
-   }
- 
-@@ -12626,7 +12628,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
-     *aRequest = nullptr;
-   }
- 
--  if (!IsOKToLoadURI(aURI)) {
-+  if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
-     return NS_OK;
-   }
- 
--- 
-2.2.1
-