icecat: update upstream v128.13.0-1gnu1

icecat/dom/base/crashtests/344882-1.html

@@ -1,33 +0,0 @@
-<html class="reftest-wait">
-<head>
-<script>
-var obj;
-
-function boo()
-{
-  obj = document.getElementById("obj");
-  setScriptSrc();
-}
-
-function setScriptSrc()
-{
-  obj.data = "javascript:setScriptSrc2();";
-}
-
-function setScriptSrc2() 
-{
-  obj.data = "javascript:void 0";
-
-  document.documentElement.removeAttribute("class");
-}
-
-</script>
-</head>
-
-<body onload="setTimeout(boo, 30);">
-
-<object data="../../../testing/crashtest/images/tree.gif" id="obj">
-
-</body>
-
-</html>

icecat/dom/base/crashtests/crashtests.list

@@ -24,7 +24,6 @@ load 343730-1.xhtml
 load 343850-1.xhtml
 load 343889-1.html
 load 344434-1.xhtml
-load 344882-1.html
 load 345837-1.xhtml
 load 346381-1.html
 load 349355-1.html

icecat/dom/base/nsFocusManager.cpp

@@ -4345,16 +4345,17 @@ nsresult nsFocusManager::GetNextTabbableContent(
             rootElement = doc->GetRootElement();
           }
           if (aForward) {
-            nsIFrame* frame = invokerContent->GetPrimaryFrame();
-            int32_t tabIndex = frame->IsFocusable().mTabIndex;
-            if (tabIndex >= 0 &&
-                (aIgnoreTabIndex || aCurrentTabIndex == tabIndex)) {
-              nsresult rv = GetNextTabbableContent(
-                  aPresShell, rootElement, nullptr, invokerContent, true,
-                  tabIndex, false, false, aNavigateByKey, true,
-                  aReachedToEndForDocumentNavigation, aResultContent);
-              if (NS_SUCCEEDED(rv) && *aResultContent) {
-                return rv;
+            if (nsIFrame* frame = invokerContent->GetPrimaryFrame()) {
+              int32_t tabIndex = frame->IsFocusable().mTabIndex;
+              if (tabIndex >= 0 &&
+                  (aIgnoreTabIndex || aCurrentTabIndex == tabIndex)) {
+                nsresult rv = GetNextTabbableContent(
+                    aPresShell, rootElement, nullptr, invokerContent, true,
+                    tabIndex, false, false, aNavigateByKey, true,
+                    aReachedToEndForDocumentNavigation, aResultContent);
+                if (NS_SUCCEEDED(rv) && *aResultContent) {
+                  return rv;
+                }
               }
             }
           } else if (invokerContent) {

icecat/dom/base/nsGlobalWindowOuter.cpp

@@ -5005,9 +5005,8 @@ void nsGlobalWindowOuter::PrintOuter(ErrorResult& aError) {
     }
   });
 
-  const bool forPreview =
-      !StaticPrefs::print_always_print_silent() &&
-      !Preferences::GetBool("print.prefer_system_dialog", false);
+  const bool forPreview = !StaticPrefs::print_always_print_silent() &&
+                          !StaticPrefs::print_prefer_system_dialog();
   Print(nullptr, nullptr, nullptr, nullptr, IsPreview(forPreview),
         IsForWindowDotPrint::Yes, nullptr, nullptr, aError);
 #endif
@@ -5205,8 +5204,11 @@ Nullable<WindowProxyHolder> nsGlobalWindowOuter::Print(
     // The exception is if we're using the passed-in aCachedBrowsingContext, in
     // which case this is the second print with this static document clone that
     // we created the first time through, and we are responsible for cleaning it
-    // up.
-    closeWindowAfterPrint = usingCachedBrowsingContext;
+    // up. There's also an exception if we're directly using the system print
+    // dialog rather than our preview panel, because in this case the preview
+    // will not take care of cleaning up the cloned doc.
+    closeWindowAfterPrint =
+        usingCachedBrowsingContext || StaticPrefs::print_prefer_system_dialog();
   } else {
     // In this case the document was not a static clone, so we made a static
     // clone for printing purposes and must clean it up after the print is done.
@@ -5248,6 +5250,9 @@ Nullable<WindowProxyHolder> nsGlobalWindowOuter::Print(
     if (aIsPreview == IsPreview::Yes) {
       return !hasPrintCallbacks;
     }
+    if (StaticPrefs::print_prefer_system_dialog()) {
+      return true;
+    }
     return StaticPrefs::dom_window_print_fuzzing_block_while_printing();
   }();
 

icecat/dom/base/nsObjectLoadingContent.cpp

@@ -1162,27 +1162,28 @@ nsresult nsObjectLoadingContent::LoadObject(bool aNotify, bool aForceLoad,
     }
   }
 
-  // Don't allow view-source scheme.
-  // view-source is the only scheme to which this applies at the moment due to
-  // potential timing attacks to read data from cross-origin documents. If this
-  // widens we should add a protocol flag for whether the scheme is only allowed
-  // in top and use something like nsNetUtil::NS_URIChainHasFlags.
-  if (mType != ObjectType::Fallback) {
-    nsCOMPtr<nsIURI> tempURI = mURI;
-    nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(tempURI);
-    while (nestedURI) {
-      // view-source should always be an nsINestedURI, loop and check the
-      // scheme on this and all inner URIs that are also nested URIs.
-      if (tempURI->SchemeIs("view-source")) {
-        LOG(("OBJLC [%p]: Blocking as effective URI has view-source scheme",
-             this));
-        mType = ObjectType::Fallback;
+  // https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element
+  // requires that `embed` and `object` go through `Fetch` with mode=navigate,
+  // see 1.3.5. This will in https://fetch.spec.whatwg.org/#fetching plumb us
+  // through to https://fetch.spec.whatwg.org/#concept-main-fetch where in step
+  // 12 a switch is performed. Since `object` and `embed` have mode=navigate the
+  // result of https://fetch.spec.whatwg.org/#concept-scheme-fetch will decide
+  // if main fetch proceeds. We short-circuit that scheme-fetch here, inspecting
+  // if the scheme of `mURI` is one that would return a network error. The
+  // following schemes are allowed through in scheme fetch:
+  // "about", "blob", "data", "file", "http", "https".
+  //
+  // Some accessibility tests use our internal "chrome" scheme.
+  if (mType != ObjectType::Fallback && mURI) {
+    ObjectType type = ObjectType::Fallback;
+    for (const auto& candidate :
+         {"about", "blob", "chrome", "data", "file", "http", "https"}) {
+      if (mURI->SchemeIs(candidate)) {
+        type = mType;
         break;
       }
-
-      nestedURI->GetInnerURI(getter_AddRefs(tempURI));
-      nestedURI = do_QueryInterface(tempURI);
     }
+    mType = type;
   }
 
   // Items resolved as Image/Document are not candidates for content blocking,

icecat/dom/base/nsSyncLoadService.cpp

@@ -280,16 +280,27 @@ nsSyncLoader::GetInterface(const nsIID& aIID, void** aResult) {
 
 /* static */
 nsresult nsSyncLoadService::LoadDocument(
-    nsIURI* aURI, nsContentPolicyType aContentPolicyType,
+    nsIURI* aURI, nsContentPolicyType aContentPolicyType, Document* aLoaderDoc,
     nsIPrincipal* aLoaderPrincipal, nsSecurityFlags aSecurityFlags,
     nsILoadGroup* aLoadGroup, nsICookieJarSettings* aCookieJarSettings,
     bool aForceToXML, ReferrerPolicy aReferrerPolicy, Document** aResult) {
+  MOZ_ASSERT(!!aLoaderPrincipal != !!aLoaderDoc);
+
   nsCOMPtr<nsIChannel> channel;
-  nsresult rv =
-      NS_NewChannel(getter_AddRefs(channel), aURI, aLoaderPrincipal,
-                    aSecurityFlags, aContentPolicyType, aCookieJarSettings,
-                    nullptr,  // PerformanceStorage
-                    aLoadGroup);
+  nsresult rv;
+  if (aLoaderDoc) {
+    MOZ_ASSERT(!aCookieJarSettings);
+    rv = NS_NewChannel(getter_AddRefs(channel), aURI, aLoaderDoc,
+                       aSecurityFlags, aContentPolicyType,
+                       nullptr,  // PerformanceStorage
+                       aLoadGroup);
+  } else {
+    rv = NS_NewChannel(getter_AddRefs(channel), aURI, aLoaderPrincipal,
+                       aSecurityFlags, aContentPolicyType, aCookieJarSettings,
+                       nullptr,  // PerformanceStorage
+                       aLoadGroup);
+  }
+
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (!aForceToXML) {

icecat/dom/base/nsSyncLoadService.h

@@ -48,9 +48,10 @@ class nsSyncLoadService {
    */
   static nsresult LoadDocument(
       nsIURI* aURI, nsContentPolicyType aContentPolicyType,
-      nsIPrincipal* aLoaderPrincipal, nsSecurityFlags aSecurityFlags,
-      nsILoadGroup* aLoadGroup, nsICookieJarSettings* aCookieJarSettings,
-      bool aForceToXML, mozilla::dom::ReferrerPolicy aReferrerPolicy,
+      mozilla::dom::Document* aLoaderDoc, nsIPrincipal* aLoaderPrincipal,
+      nsSecurityFlags aSecurityFlags, nsILoadGroup* aLoadGroup,
+      nsICookieJarSettings* aCookieJarSettings, bool aForceToXML,
+      mozilla::dom::ReferrerPolicy aReferrerPolicy,
       mozilla::dom::Document** aResult);
 
   /**

icecat/dom/base/test/test_bug353334.html

@@ -7,7 +7,6 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=353334
   <title>Test for Bug 353334</title>
   <script src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-  <script>var x = "PASS"</script>
 </head>
 <body>
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=353334">Mozilla Bug 353334</a>
@@ -16,8 +15,6 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=353334
 <object id="two" data="about:blank"></object>
 <iframe id="three" srcdoc="<body>test</body>"></iframe>
 <object id="four" data="object_bug353334.html"></object>
-<iframe id="five" src="javascript:parent.x"></iframe>
-<object id="six" data="javascript:x"></object>
 </p>
 <div id="content" style="display: none">
   
@@ -37,11 +34,6 @@ function doPrincipalTest(id) {
      "Wrong principal for document in node with id='" + id + "'");
 }
 
-function doContentTest(id) {
-  is($(id).contentDocument.documentElement.textContent, "PASS",
-     "Script executed in wrong context in node with id='" + id + "'");
-}
-
 function checkPrincipal() {
   ok(SpecialPowers.call_Instanceof(SpecialPowers.wrap(document).nodePrincipal, SpecialPowers.Ci.nsIPrincipal),
      "Should be a principal");
@@ -54,10 +46,6 @@ addLoadEvent(function() {
     doPrincipalTest(i);
   }
 
-  for (i of [ "five", "six" ]) {
-    doContentTest(i);
-  }
-
   SimpleTest.finish();
 });
 </script>

icecat/dom/security/nsCSPContext.cpp

@@ -921,7 +921,7 @@ void nsCSPContext::logToConsole(const char* aName,
 
 /**
  * Strip URI for reporting according to:
- * https://w3c.github.io/webappsec-csp/#security-violation-reports
+ * https://w3c.github.io/webappsec-csp/#strip-url-for-use-in-reports
  *
  * @param aSelfURI
  *        The URI of the CSP policy. Used for cross-origin checks.
@@ -936,34 +936,41 @@ void nsCSPContext::logToConsole(const char* aName,
 void StripURIForReporting(nsIURI* aSelfURI, nsIURI* aURI,
                           const nsAString& aEffectiveDirective,
                           nsACString& outStrippedURI) {
-  // If the origin of aURI is a globally unique identifier (for example,
-  // aURI has a scheme of data, blob, or filesystem), then
-  // return the ASCII serialization of uri’s scheme.
   bool isHttpOrWs = (aURI->SchemeIs("http") || aURI->SchemeIs("https") ||
                      aURI->SchemeIs("ws") || aURI->SchemeIs("wss"));
 
+  // Step 1. If url’s scheme is not an HTTP(S) scheme, then return url’s scheme.
+  // https://github.com/w3c/webappsec-csp/issues/735: We also allow WS(S) schemes.
   if (!isHttpOrWs) {
-    // not strictly spec compliant, but what we really care about is
-    // http/https. If it's not http/https, then treat aURI
-    // as if it's a globally unique identifier and just return the scheme.
     aURI->GetScheme(outStrippedURI);
     return;
   }
 
+  // Step 2. Set url’s fragment to the empty string.
+  // Step 3. Set url’s username to the empty string.
+  // Step 3. Set url’s password to the empty string.
+  nsCOMPtr<nsIURI> stripped;
+  if (NS_FAILED(NS_MutateURI(aURI).SetRef(""_ns).SetUserPass(""_ns).Finalize(stripped))) {
+    // Mutating the URI failed for some reason, just return the scheme.
+    aURI->GetScheme(outStrippedURI);
+    return;
+  }
+
+  // Non-standard: https://github.com/w3c/webappsec-csp/issues/735
   // For cross-origin URIs in frame-src also strip the path.
   // This prevents detailed tracking of pages loaded into an iframe
   // by the embedding page using a report-only policy.
   if (aEffectiveDirective.EqualsLiteral("frame-src") ||
       aEffectiveDirective.EqualsLiteral("object-src")) {
     nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-    if (NS_FAILED(ssm->CheckSameOriginURI(aSelfURI, aURI, false, false))) {
-      aURI->GetPrePath(outStrippedURI);
+    if (NS_FAILED(ssm->CheckSameOriginURI(aSelfURI, stripped, false, false))) {
+      stripped->GetPrePath(outStrippedURI);
       return;
     }
   }
 
-  // Return aURI, with any fragment component removed.
-  aURI->GetSpecIgnoringRef(outStrippedURI);
+  // Step 4. Return the result of executing the URL serializer on url.
+  stripped->GetSpec(outStrippedURI);
 }
 
 nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(

icecat/dom/xml/nsXMLPrettyPrinter.cpp

@@ -65,7 +65,8 @@ nsresult nsXMLPrettyPrinter::PrettyPrint(Document* aDocument,
 
   nsCOMPtr<Document> xslDocument;
   rv = nsSyncLoadService::LoadDocument(
-      xslUri, nsIContentPolicy::TYPE_XSLT, nsContentUtils::GetSystemPrincipal(),
+      xslUri, nsIContentPolicy::TYPE_XSLT, nullptr,
+      nsContentUtils::GetSystemPrincipal(),
       nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, nullptr,
       aDocument->CookieJarSettings(), true, ReferrerPolicy::_empty,
       getter_AddRefs(xslDocument));

icecat/dom/xslt/xml/txXMLParser.cpp

@@ -36,10 +36,9 @@ Result<txXPathNode, nsresult> txParseDocumentFromURI(const nsAString& aHref,
                            SyncOperationBehavior::eSuspendInput);
   rv = nsSyncLoadService::LoadDocument(
       documentURI, nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST_SYNC,
-      loaderDocument->NodePrincipal(),
-      nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT, loadGroup,
-      loaderDocument->CookieJarSettings(), true,
-      loaderDocument->GetReferrerPolicy(), getter_AddRefs(theDocument));
+      loaderDocument, nullptr,
+      nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT, loadGroup, nullptr,
+      true, loaderDocument->GetReferrerPolicy(), getter_AddRefs(theDocument));
 
   if (NS_FAILED(rv)) {
     aErrMsg.AppendLiteral("Document load of ");

icecat/dom/xslt/xslt/txMozillaStylesheetCompiler.cpp

@@ -532,29 +532,24 @@ nsresult txSyncCompileObserver::loadURI(const nsAString& aUri,
   nsresult rv = NS_NewURI(getter_AddRefs(uri), aUri);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  nsCOMPtr<nsIURI> referrerUri;
-  rv = NS_NewURI(getter_AddRefs(referrerUri), aReferrerUri);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCOMPtr<nsIPrincipal> referrerPrincipal =
-      BasePrincipal::CreateContentPrincipal(referrerUri, OriginAttributes());
-  NS_ENSURE_TRUE(referrerPrincipal, NS_ERROR_FAILURE);
+  nsCOMPtr<nsPIDOMWindowInner> window =
+      do_QueryInterface(mProcessor->GetParentObject());
+  NS_ENSURE_TRUE(window, NS_ERROR_FAILURE);
+  nsCOMPtr<Document> loaderDoc = window->GetExtantDoc();
+  NS_ENSURE_TRUE(loaderDoc, NS_ERROR_FAILURE);
 
   // This is probably called by js, a loadGroup for the channel doesn't
   // make sense.
-  nsCOMPtr<nsINode> source;
-  if (mProcessor) {
-    source = mProcessor->GetSourceContentModel();
-  }
+  nsCOMPtr<nsINode> source = mProcessor->GetSourceContentModel();
   dom::nsAutoSyncOperation sync(source ? source->OwnerDoc() : nullptr,
                                 dom::SyncOperationBehavior::eSuspendInput);
   nsCOMPtr<Document> document;
 
   rv = nsSyncLoadService::LoadDocument(
-      uri, nsIContentPolicy::TYPE_XSLT, referrerPrincipal,
-      nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT, nullptr,
-      source ? source->OwnerDoc()->CookieJarSettings() : nullptr, false,
-      aReferrerPolicy, getter_AddRefs(document));
+      uri, nsIContentPolicy::TYPE_XSLT, loaderDoc,
+      /* aLoaderPrincipal */ nullptr,
+      nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT, nullptr, nullptr,
+      false, aReferrerPolicy, getter_AddRefs(document));
   NS_ENSURE_SUCCESS(rv, rv);
 
   rv = handleNode(document, aCompiler);