summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-4495.patch
blob: e7514d9a5e72e63dd529b1e530896d0f2af5cd1b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Backported from upstream commits labelled "Bug 1178058" from the esr38 branch
by Boris Zbarsky <bzbarsky@mit.edu> and Bobby Holley <bobbyholley@gmail.com>.

--- icecat-31.8.0/docshell/base/nsDocShell.cpp
+++ icecat-31.8.0/docshell/base/nsDocShell.cpp
@@ -1546,12 +1546,21 @@
 
     if (owner && mItemType != typeChrome) {
         nsCOMPtr<nsIPrincipal> ownerPrincipal = do_QueryInterface(owner);
-        if (nsContentUtils::IsSystemOrExpandedPrincipal(ownerPrincipal)) {
+        if (nsContentUtils::IsSystemPrincipal(ownerPrincipal)) {
             if (ownerIsExplicit) {
                 return NS_ERROR_DOM_SECURITY_ERR;
             }
             owner = nullptr;
             inheritOwner = true;
+        } else if (nsContentUtils::IsExpandedPrincipal(ownerPrincipal)) {
+            if (ownerIsExplicit) {
+                return NS_ERROR_DOM_SECURITY_ERR;
+            }
+            // Don't inherit from the current page.  Just do the safe thing
+            // and pretend that we were loaded by a nullprincipal.
+            owner = do_CreateInstance("@mozilla.org/nullprincipal;1");
+            NS_ENSURE_TRUE(owner, NS_ERROR_FAILURE);
+            inheritOwner = false;
         }
     }
     if (!owner && !inheritOwner && !ownerIsExplicit) {