387317 - [FIX]XBL resource stylesheet loads don't do security checks

Status: RESOLVED FIXED

(Core :: XBL, defect)

Description

[Boris Zbarsky [:bzbarsky]]

In particular, nsXBLResourceLoader::LoadResources doesn't call CheckLoadURI and doesn't call content policies.

Comment 1

[Boris Zbarsky [:bzbarsky]]

Er, we do this for images.  Just not for stylesheets.  I would say we should just make the CSSLoader do it in this case.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Attachment: Proposed fix

Peter, can you take a look?  The XBL part is pretty tame, really... if you can't, let me know and I'll ping sicking.

Comment 3

[Boris Zbarsky [:bzbarsky]]

The trunk patch also fixes XUL prototype stylesheet loads.

On branch the XUL prototype thing seems to happen only for chrome sheets, so it's only XBL that needs to be fixed.  I'll probably do it via copy/paste there...

Comment 4

[Boris Zbarsky [:bzbarsky]]

Ah, and on branch this code uses LoadStyleLink, which does a security check.  So branch is completely safe.

Comment 5

[Peter Van der Beken [:peterv]]

Comment on attachment 271484 [details] [diff] [review]
Proposed fix

>@@ -3547,17 +3547,17 @@ nsHTMLEditor::ReplaceStyleSheet(const ns
>   if (!ps) return NS_ERROR_NOT_INITIALIZED;
>   nsIDocument *document = ps->GetDocument();
>   if (!document)     return NS_ERROR_NULL_POINTER;
> 
>   nsCOMPtr<nsIURI> uaURI;
>   rv = NS_NewURI(getter_AddRefs(uaURI), aURL);
>   NS_ENSURE_SUCCESS(rv, rv);
> 
>-  rv = cssLoader->LoadSheet(uaURI, this);
>+  rv = cssLoader->LoadSheet(uaURI, nsnull, nsnull, this);

I wonder if this could be triggered from desginmode or contenteditable, we might want to do the checks then. Anyway, different bug :-).

Comment 6

[Boris Zbarsky [:bzbarsky]]

Checked in.  We could use tests for this, but not sure how to write them....

Removing security flag, since this is trunk-only.