1 files changed, 76 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-bug-1144991.patch b/gnu/packages/patches/icecat-bug-1144991.patch
new file mode 100644
index 0000000000..5632e37eb3
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1144991.patch
@@ -0,0 +1,76 @@
+From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Thu, 19 Mar 2015 18:58:44 -0400
+Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
+ URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
+ doesn't have the same scheme. r=bholley, a=abillings
+
+---
+ caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
+index 3587358..6577b95 100644
+--- a/caps/src/nsScriptSecurityManager.cpp
++++ b/caps/src/nsScriptSecurityManager.cpp
+@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
+     NS_ENSURE_SUCCESS(rv, rv);
+     if (hasFlags) {
+         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
++
++            // For now, don't change behavior for resource:// or moz-icon:// and
++            // just allow them.
+             if (!targetScheme.EqualsLiteral("chrome")) {
+-                // for now don't change behavior for resource: or moz-icon:
+                 return NS_OK;
+             }
+ 
+-            // allow load only if chrome package is whitelisted
++            // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
++            // target if ALLOW_CHROME is set.
++            //
++            // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
++            // loads (since docshell loads run the loaded content with its origin
++            // principal). So we're effectively allowing resource://, chrome://,
++            // and moz-icon:// source URIs to load resource://, chrome://, and
++            // moz-icon:// files, so long as they're not loading it as a document.
++            bool sourceIsUIResource;
++            rv = NS_URIChainHasFlags(sourceBaseURI,
++                                     nsIProtocolHandler::URI_IS_UI_RESOURCE,
++                                     &sourceIsUIResource);
++            NS_ENSURE_SUCCESS(rv, rv);
++            if (sourceIsUIResource) {
++                return NS_OK;
++            }
++
++            // Allow the load only if the chrome package is whitelisted.
+             nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
+                                                  NS_CHROMEREGISTRY_CONTRACTID));
+             if (reg) {
+@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
+             }
+         }
+ 
+-        // resource: and chrome: are equivalent, securitywise
+-        // That's bogus!!  Fix this.  But watch out for
+-        // the view-source stylesheet?
+-        bool sourceIsChrome;
+-        rv = NS_URIChainHasFlags(sourceBaseURI,
+-                                 nsIProtocolHandler::URI_IS_UI_RESOURCE,
+-                                 &sourceIsChrome);
+-        NS_ENSURE_SUCCESS(rv, rv);
+-        if (sourceIsChrome) {
++        // Special-case the hidden window: it's allowed to load
++        // URI_IS_UI_RESOURCE no matter what.  Bug 1145470 tracks removing this.
++        nsAutoCString sourceSpec;
++        if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
++            sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
+             return NS_OK;
+         }
++
+         if (reportErrors) {
+             ReportError(nullptr, errorTag, sourceURI, aTargetURI);
+         }
+-- 
+2.2.1
+