Backed out changeset dc7a04be6904 on suspicion of causing bug 543034.
authorDaniel Holbert <dholbert@cs.stanford.edu>
Fri, 29 Jan 2010 18:50:46 -0800
changeset 37640 6d50455cabaa3c695ad6e23200782d0790d6d59d
parent 37612 dc7a04be6904be41a95c33d70ba5908c3b8a2fc0
child 37641 b0b9d8dca9d6f1010fc52c4c9a8df32a9bc0b118
push idunknown
push userunknown
push dateunknown
bugs543034
milestone1.9.3a1pre
backs outdc7a04be6904be41a95c33d70ba5908c3b8a2fc0
Backed out changeset dc7a04be6904 on suspicion of causing bug 543034.
browser/components/sessionstore/src/nsSessionStore.js
browser/components/sessionstore/test/browser/Makefile.in
browser/components/sessionstore/test/browser/browser_500328.js
content/base/public/nsIDocument.h
content/base/src/nsContentUtils.cpp
content/base/src/nsGkAtomList.h
content/events/src/Makefile.in
content/events/src/nsDOMEvent.cpp
content/events/src/nsDOMEvent.h
content/events/src/nsDOMPopStateEvent.cpp
content/events/src/nsDOMPopStateEvent.h
content/events/src/nsEventDispatcher.cpp
docshell/base/crashtests/500328-1.html
docshell/base/crashtests/crashtests.list
docshell/base/nsDocShell.cpp
docshell/base/nsDocShell.h
docshell/base/nsDocShellLoadTypes.h
docshell/base/nsIDocShell.idl
docshell/base/nsIDocShellHistory.idl
docshell/shistory/public/nsISHEntry.idl
docshell/shistory/src/nsSHEntry.cpp
docshell/shistory/src/nsSHEntry.h
docshell/shistory/src/nsSHistory.cpp
docshell/shistory/src/nsSHistory.h
dom/base/nsDOMClassInfo.cpp
dom/base/nsDOMClassInfo.h
dom/base/nsDOMClassInfoID.h
dom/base/nsGlobalWindow.cpp
dom/base/nsGlobalWindow.h
dom/base/nsHistory.cpp
dom/base/nsLocation.cpp
dom/base/nsPIDOMWindow.h
dom/interfaces/base/nsIDOMHistory.idl
dom/interfaces/events/Makefile.in
dom/interfaces/events/nsIDOMPopStateEvent.idl
dom/interfaces/json/nsIJSON.idl
dom/src/json/Makefile.in
dom/src/json/nsJSON.cpp
dom/tests/mochitest/whatwg/Makefile.in
dom/tests/mochitest/whatwg/file_bug500328_1.html
dom/tests/mochitest/whatwg/file_bug500328_2.html
dom/tests/mochitest/whatwg/test_bug500328.html
js/src/xpconnect/idl/nsIDispatchSupport.idl
js/src/xpconnect/idl/nsIXPConnect.idl
js/src/xpconnect/src/nsXPConnect.cpp
js/src/xpconnect/src/xpcprivate.h
js/src/xpconnect/src/xpcvariant.cpp
layout/base/nsDocumentViewer.cpp
modules/libpref/src/init/all.js
storage/src/Variant_inl.h
widget/public/nsGUIEvent.h
widget/src/xpwidgets/nsBaseWidget.cpp
xpcom/ds/nsIVariant.idl
xpcom/ds/nsVariant.cpp
--- a/browser/components/sessionstore/src/nsSessionStore.js
+++ b/browser/components/sessionstore/src/nsSessionStore.js
@@ -1329,25 +1329,17 @@ SessionStoreService.prototype = {
           scriptableStream.readByteArray(scriptableStream.available());
         // We can stop doing base64 encoding once our serialization into JSON
         // is guaranteed to handle all chars in strings, including embedded
         // nulls.
         entry.owner_b64 = btoa(String.fromCharCode.apply(null, ownerBytes));
       }
       catch (ex) { debug(ex); }
     }
-
-    if (aEntry.docIdentifier) {
-      entry.docIdentifier = aEntry.docIdentifier;
-    }
-
-    if (aEntry.stateData) {
-      entry.stateData = aEntry.stateData;
-    }
-
+    
     if (!(aEntry instanceof Ci.nsISHContainer)) {
       return entry;
     }
     
     if (aEntry.childCount > 0) {
       entry.children = [];
       for (var i = 0; i < aEntry.childCount; i++) {
         var child = aEntry.GetChildAt(i);
@@ -2041,36 +2033,33 @@ SessionStoreService.prototype = {
 
     if (!this._isWindowLoaded(aWindow)) {
       // from now on, the data will come from the actual window
       delete this._statesToRestore[aWindow.__SS_restoreID];
       delete aWindow.__SS_restoreID;
       delete this._windows[aWindow.__SSi]._restoring;
     }
     
-    // helper hashes for ensuring unique frame IDs and unique document
-    // identifiers.
+    // helper hash for ensuring unique frame IDs
     var idMap = { used: {} };
-    var docIdentMap = {};
-    this.restoreHistory(aWindow, aTabs, aTabData, idMap, docIdentMap);
+    this.restoreHistory(aWindow, aTabs, aTabData, idMap);
   },
 
   /**
    * Restory history for a window
    * @param aWindow
    *        Window reference
    * @param aTabs
    *        Array of tab references
    * @param aTabData
    *        Array of tab data
    * @param aIdMap
    *        Hash for ensuring unique frame IDs
    */
-  restoreHistory:
-    function sss_restoreHistory(aWindow, aTabs, aTabData, aIdMap, aDocIdentMap) {
+  restoreHistory: function sss_restoreHistory(aWindow, aTabs, aTabData, aIdMap) {
     var _this = this;
     while (aTabs.length > 0 && (!aTabData[0]._tabStillLoading || !aTabs[0].parentNode)) {
       aTabs.shift(); // this tab got removed before being completely restored
       aTabData.shift();
     }
     if (aTabs.length == 0) {
       return; // no more tabs to restore
     }
@@ -2096,18 +2085,17 @@ SessionStoreService.prototype = {
     }
     else
       delete tab.__SS_extdata;
     
     for (var i = 0; i < tabData.entries.length; i++) {
       //XXXzpao Wallpaper patch for bug 514751
       if (!tabData.entries[i].url)
         continue;
-      history.addEntry(this._deserializeHistoryEntry(tabData.entries[i],
-                                                     aIdMap, aDocIdentMap), true);
+      history.addEntry(this._deserializeHistoryEntry(tabData.entries[i], aIdMap), true);
     }
     
     // make sure to reset the capabilities and attributes, in case this tab gets reused
     var disallow = (tabData.disallow)?tabData.disallow.split(","):[];
     CAPABILITIES.forEach(function(aCapability) {
       browser.docShell["allow" + aCapability] = disallow.indexOf(aCapability) == -1;
     });
     Array.filter(tab.attributes, function(aAttr) {
@@ -2159,32 +2147,28 @@ SessionStoreService.prototype = {
     // Handle userTypedValue. Setting userTypedValue seems to update gURLbar
     // as needed. Calling loadURI will cancel form filling in restoreDocument_proxy
     if (tabData.userTypedValue) {
       browser.userTypedValue = tabData.userTypedValue;
       if (tabData.userTypedClear)
         browser.loadURI(tabData.userTypedValue, null, null, true);
     }
 
-    aWindow.setTimeout(function(){
-      _this.restoreHistory(aWindow, aTabs, aTabData, aIdMap, aDocIdentMap);
-    }, 0);
+    aWindow.setTimeout(function(){ _this.restoreHistory(aWindow, aTabs, aTabData, aIdMap); }, 0);
   },
 
   /**
    * expands serialized history data into a session-history-entry instance
    * @param aEntry
    *        Object containing serialized history data for a URL
    * @param aIdMap
    *        Hash for ensuring unique frame IDs
    * @returns nsISHEntry
    */
-  _deserializeHistoryEntry:
-    function sss_deserializeHistoryEntry(aEntry, aIdMap, aDocIdentMap) {
-
+  _deserializeHistoryEntry: function sss_deserializeHistoryEntry(aEntry, aIdMap) {
     var shEntry = Cc["@mozilla.org/browser/session-history-entry;1"].
                   createInstance(Ci.nsISHEntry);
 
     shEntry.setURI(IOSvc.newURI(aEntry.url, null, null));
     shEntry.setTitle(aEntry.title || aEntry.url);
     if (aEntry.subframe)
       shEntry.setIsSubFrame(aEntry.subframe || false);
     shEntry.loadType = Ci.nsIDocShellLoadInfo.loadHistory;
@@ -2206,21 +2190,17 @@ SessionStoreService.prototype = {
       var id = aIdMap[aEntry.ID] || 0;
       if (!id) {
         for (id = Date.now(); id in aIdMap.used; id++);
         aIdMap[aEntry.ID] = id;
         aIdMap.used[id] = true;
       }
       shEntry.ID = id;
     }
-
-    if (aEntry.stateData) {
-      shEntry.stateData = aEntry.stateData;
-    }
-
+    
     if (aEntry.scroll) {
       var scrollPos = (aEntry.scroll || "0,0").split(",");
       scrollPos = [parseInt(scrollPos[0]) || 0, parseInt(scrollPos[1]) || 0];
       shEntry.setScrollPosition(scrollPos[0], scrollPos[1]);
     }
 
     var postdata;
     if (aEntry.postdata_b64) {  // Firefox 3
@@ -2231,38 +2211,16 @@ SessionStoreService.prototype = {
 
     if (postdata) {
       var stream = Cc["@mozilla.org/io/string-input-stream;1"].
                    createInstance(Ci.nsIStringInputStream);
       stream.setData(postdata, postdata.length);
       shEntry.postData = stream;
     }
 
-    if (aEntry.docIdentifier) {
-      // Get a new document identifier for this entry to ensure that history
-      // entries after a session restore are considered to have different
-      // documents from the history entries before the session restore.
-      // Document identifiers are 64-bit ints, so JS will loose precision and
-      // start assigning all entries the same doc identifier if these ever get
-      // large enough.
-      //
-      // It's a potential security issue if document identifiers aren't
-      // globally unique, but shEntry.setUniqueDocIdentifier() below guarantees
-      // that we won't re-use a doc identifier within a given instance of the
-      // application.
-      let ident = aDocIdentMap[aEntry.docIdentifier];
-      if (!ident) {
-        shEntry.setUniqueDocIdentifier();
-        aDocIdentMap[aEntry.docIdentifier] = shEntry.docIdentifier;
-      }
-      else {
-        shEntry.docIdentifier = ident;
-      }
-    }
-
     if (aEntry.owner_b64) {  // Firefox 3
       var ownerInput = Cc["@mozilla.org/io/string-input-stream;1"].
                        createInstance(Ci.nsIStringInputStream);
       var binaryData = atob(aEntry.owner_b64);
       ownerInput.setData(binaryData, binaryData.length);
       var binaryStream = Cc["@mozilla.org/binaryinputstream;1"].
                          createInstance(Ci.nsIObjectInputStream);
       binaryStream.setInputStream(ownerInput);
@@ -2274,18 +2232,17 @@ SessionStoreService.prototype = {
       shEntry.owner = SecuritySvc.getCodebasePrincipal(uriObj);
     }
     
     if (aEntry.children && shEntry instanceof Ci.nsISHContainer) {
       for (var i = 0; i < aEntry.children.length; i++) {
         //XXXzpao Wallpaper patch for bug 514751
         if (!aEntry.children[i].url)
           continue;
-        shEntry.AddChild(this._deserializeHistoryEntry(aEntry.children[i], aIdMap,
-                                                       aDocIdentMap), i);
+        shEntry.AddChild(this._deserializeHistoryEntry(aEntry.children[i], aIdMap), i);
       }
     }
     
     return shEntry;
   },
 
   /**
    * restores all sessionStorage "super cookies"
--- a/browser/components/sessionstore/test/browser/Makefile.in
+++ b/browser/components/sessionstore/test/browser/Makefile.in
@@ -103,17 +103,16 @@ include $(topsrcdir)/config/rules.mk
 	browser_485482.js \
 	browser_485482_sample.html \
 	browser_485563.js \
 	browser_490040.js \
 	browser_491168.js \
 	browser_491577.js \
 	browser_493467.js \
 	browser_495495.js \
-	browser_500328.js \
 	browser_506482.js \
 	browser_514751.js \
 	browser_522545.js \
 	browser_524745.js \
 	browser_528776.js \
 	$(NULL)
 
 libs:: $(_BROWSER_TEST_FILES)
deleted file mode 100644
--- a/browser/components/sessionstore/test/browser/browser_500328.js
+++ /dev/null
@@ -1,135 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is sessionstore test code.
- *
- * The Initial Developer of the Original Code is
- *  Justin Lebar <justin.lebar@gmail.com>
- * Portions created by the Initial Developer are Copyright (C) 2009
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-function checkState(tab) {
-  // Go back and then forward, and make sure that the state objects received
-  // from the popState event are as we expect them to be.
-  //
-  // We also add a node to the document's body when after going back and make
-  // sure it's still there after we go forward -- this is to test that the two
-  // history entries correspond to the same document.
-
-  let popStateCount = 0;
-
-  tab.linkedBrowser.addEventListener("popstate", function(aEvent) {
-    let contentWindow = tab.linkedBrowser.contentWindow;
-    if (popStateCount == 0) {
-      popStateCount++;
-      ok(aEvent.state, "Event should have a state property.");
-      is(JSON.stringify(aEvent.state), JSON.stringify({obj1:1}),
-         "first popstate object.");
-
-      // Add a node with id "new-elem" to the document.
-      let doc = contentWindow.document;
-      ok(!doc.getElementById("new-elem"),
-         "doc shouldn't contain new-elem before we add it.");
-      let elem = doc.createElement("div");
-      elem.id = "new-elem";
-      doc.body.appendChild(elem);
-
-      contentWindow.history.forward();
-    }
-    else if (popStateCount == 1) {
-      popStateCount++;
-      is(JSON.stringify(aEvent.state), JSON.stringify({obj3:3}),
-         "second popstate object.");
-
-      // Make sure that the new-elem node is present in the document.  If it's
-      // not, then this history entry has a different doc identifier than the
-      // previous entry, which is bad.
-      let doc = contentWindow.document;
-      let newElem = doc.getElementById("new-elem");
-      ok(newElem, "doc should contain new-elem.");
-      newElem.parentNode.removeChild(newElem);
-      ok(!doc.getElementById("new-elem"), "new-elem should be removed.");
-
-      // Clean up after ourselves and finish the test.
-      tab.linkedBrowser.removeEventListener("popstate", arguments.callee, false);
-      gBrowser.removeTab(tab);
-      finish();
-    }
-  }, true);
-
-  tab.linkedBrowser.contentWindow.history.back();
-}
-
-function test() {
-  // Tests session restore functionality of history.pushState and
-  // history.replaceState().  (Bug 500328)
-
-  let ss = Cc["@mozilla.org/browser/sessionstore;1"].getService(Ci.nsISessionStore);
-  waitForExplicitFinish();
-
-  // We open a new blank window, let it load, and then load in
-  // http://example.com.  We need to load the blank window first, otherwise the
-  // docshell gets confused and doesn't have a current history entry.
-  let tab = gBrowser.addTab("about:blank");
-  let tabBrowser = tab.linkedBrowser;
-
-  tabBrowser.addEventListener("load", function(aEvent) {
-    tabBrowser.removeEventListener("load", arguments.callee, true);
-
-    tabBrowser.loadURI("http://example.com", null, null);
-
-    tabBrowser.addEventListener("load", function(aEvent) {
-      tabBrowser.removeEventListener("load", arguments.callee, true);
-
-      // After these push/replaceState calls, the window should have three
-      // history entries:
-      //   testURL (state object: null)      <-- oldest
-      //   testURL (state object: {obj1:1})
-      //   page2   (state object: {obj3:3})  <-- newest
-      let contentWindow = tab.linkedBrowser.contentWindow;
-      let history = contentWindow.history;
-      history.pushState({obj1:1}, "title-obj1");
-      history.pushState({obj2:2}, "title-obj2", "page2");
-      history.replaceState({obj3:3}, "title-obj3");
-
-      let state = ss.getTabState(tab);
-
-      // In order to make sure that setWindowState actually modifies the
-      // window's state, we modify the state here.  checkState will fail if
-      // this change isn't overwritten by setWindowState.
-      history.replaceState({should_be_overwritten:true}, "title-overwritten");
-
-      // Restore the state and make sure it looks right, after giving the event
-      // loop a chance to flush.
-      ss.setTabState(tab, state, true);
-      executeSoon(function() { checkState(tab); });
-
-    }, true);
-  }, true);
-}
--- a/content/base/public/nsIDocument.h
+++ b/content/base/public/nsIDocument.h
@@ -101,18 +101,18 @@ class nsBindingManager;
 class nsIDOMNodeList;
 class mozAutoSubtreeModified;
 struct JSObject;
 class nsFrameLoader;
 class nsIBoxObject;
 
 // IID for the nsIDocument interface
 #define NS_IDOCUMENT_IID      \
-{ 0x6b2f1996, 0x95d4, 0x48db, \
-  {0xaf, 0xd1, 0xfd, 0xaa, 0x75, 0x4c, 0x79, 0x92 } }
+  { 0xb04d9176, 0xf087, 0x4d3c, \
+    { 0x87, 0x11, 0x13, 0x9d, 0x19, 0x95, 0x43, 0x55 } }
 
 // Flag for AddStyleSheet().
 #define NS_STYLESHEET_FROM_CATALOG                (1 << 0)
 
 //----------------------------------------------------------------------
 
 // Document interface.  This is implemented by all document objects in
 // Gecko.
@@ -1221,38 +1221,16 @@ public:
     Doc_Theme_Uninitialized, // not determined yet
     Doc_Theme_None,
     Doc_Theme_Neutral,
     Doc_Theme_Dark,
     Doc_Theme_Bright
   };
 
   /**
-   * Returns the document's pending state object (serialized to JSON), or the
-   * empty string if one doesn't exist.
-   *
-   * This field serves as a waiting place for the history entry's state object:
-   * We set the field's value to the history entry's state object early on in
-   * the load, then after we fire onload we deserialize the field's value and
-   * fire a popstate event containing the resulting object.
-   */
-  nsAString& GetPendingStateObject()
-  {
-    return mPendingStateObject;
-  }
-
-  /**
-   * Set the document's pending state object (as serialized to JSON).
-   */
-  void SetPendingStateObject(nsAString &obj)
-  {
-    mPendingStateObject.Assign(obj);
-  }
-
-  /**
    * Returns Doc_Theme_None if there is no lightweight theme specified,
    * Doc_Theme_Dark for a dark theme, Doc_Theme_Bright for a light theme, and
    * Doc_Theme_Neutral for any other theme. This is used to determine the state
    * of the pseudoclasses :-moz-lwtheme and :-moz-lwtheme-text.
    */
   virtual int GetDocumentLWTheme() { return Doc_Theme_None; }
 
   /**
@@ -1405,18 +1383,16 @@ protected:
   PRUint32            mSubtreeModifiedDepth;
 
   // If we're an external resource document, this will be non-null and will
   // point to our "display document": the one that all resource lookups should
   // go to.
   nsCOMPtr<nsIDocument> mDisplayDocument;
 
   PRUint32 mEventsSuppressed;
-
-  nsString mPendingStateObject;
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(nsIDocument, NS_IDOCUMENT_IID)
 
 /**
  * mozAutoSubtreeModified batches DOM mutations so that a DOMSubtreeModified
  * event is dispatched, if necessary, when the outermost mozAutoSubtreeModified
  * object is deleted.
--- a/content/base/src/nsContentUtils.cpp
+++ b/content/base/src/nsContentUtils.cpp
@@ -402,17 +402,16 @@ nsContentUtils::InitializeEventTable() {
     { &nsGkAtoms::onblur,                        { NS_BLUR_CONTENT, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onoffline,                     { NS_OFFLINE, EventNameType_HTMLXUL }},
     { &nsGkAtoms::ononline,                      { NS_ONLINE, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onsubmit,                      { NS_FORM_SUBMIT, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onreset,                       { NS_FORM_RESET, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onchange,                      { NS_FORM_CHANGE, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onselect,                      { NS_FORM_SELECTED, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onload,                        { NS_LOAD, EventNameType_All }},
-    { &nsGkAtoms::onpopstate,                    { NS_POPSTATE, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onunload,                      { NS_PAGE_UNLOAD,
                                                  (EventNameType_HTMLXUL | EventNameType_SVGSVG) }},
     { &nsGkAtoms::onhashchange,                  { NS_HASHCHANGE, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onbeforeunload,                { NS_BEFORE_PAGE_UNLOAD, EventNameType_HTMLXUL }},
     { &nsGkAtoms::onabort,                       { NS_IMAGE_ABORT,
                                                  (EventNameType_HTMLXUL | EventNameType_SVGSVG) }},
     { &nsGkAtoms::onerror,                       { NS_LOAD_ERROR,
                                                  (EventNameType_HTMLXUL | EventNameType_SVGSVG) }},
--- a/content/base/src/nsGkAtomList.h
+++ b/content/base/src/nsGkAtomList.h
@@ -645,17 +645,16 @@ GK_ATOM(onfocus, "onfocus")
 GK_ATOM(onget, "onget")
 GK_ATOM(onhashchange, "onhashchange")
 GK_ATOM(oninput, "oninput")
 GK_ATOM(onkeydown, "onkeydown")
 GK_ATOM(onkeypress, "onkeypress")
 GK_ATOM(onkeyup, "onkeyup")
 GK_ATOM(onLoad, "onLoad")
 GK_ATOM(onload, "onload")
-GK_ATOM(onpopstate, "onpopstate")
 GK_ATOM(only, "only")               // this one is not an event
 GK_ATOM(onmousedown, "onmousedown")
 GK_ATOM(onmousemove, "onmousemove")
 GK_ATOM(onmouseout, "onmouseout")
 GK_ATOM(onmouseover, "onmouseover")
 GK_ATOM(onmouseup, "onmouseup")
 GK_ATOM(onMozAfterPaint, "onMozAfterPaint")
 GK_ATOM(onMozMousePixelScroll, "onMozMousePixelScroll")
--- a/content/events/src/Makefile.in
+++ b/content/events/src/Makefile.in
@@ -77,17 +77,16 @@ CPPSRCS		= \
 		nsEventListenerService.cpp \
 		nsDOMProgressEvent.cpp \
 		nsDOMDataTransfer.cpp \
 		nsDOMNotifyPaintEvent.cpp \
 		nsDOMSimpleGestureEvent.cpp \
 		nsDOMEventTargetHelper.cpp \
 		nsDOMScrollAreaEvent.cpp \
 		nsDOMTransitionEvent.cpp \
-		nsDOMPopStateEvent.cpp \
 		$(NULL)
 
 # we don't want the shared lib, but we want to force the creation of a static lib.
 FORCE_STATIC_LIB = 1
 
 include $(topsrcdir)/config/rules.mk
 
 LOCAL_INCLUDES	= \
--- a/content/events/src/nsDOMEvent.cpp
+++ b/content/events/src/nsDOMEvent.cpp
@@ -50,23 +50,22 @@
 #include "nsIInterfaceRequestorUtils.h"
 #include "prmem.h"
 #include "nsGkAtoms.h"
 #include "nsMutationEvent.h"
 #include "nsContentUtils.h"
 #include "nsIURI.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIScriptError.h"
-#include "nsDOMPopStateEvent.h"
 
 static const char* const sEventNames[] = {
   "mousedown", "mouseup", "click", "dblclick", "mouseover",
   "mouseout", "mousemove", "contextmenu", "keydown", "keyup", "keypress",
-  "focus", "blur", "load", "popstate", "beforeunload", "unload", "hashchange",
-  "abort", "error", "submit", "reset", "change", "select", "input", "text",
+  "focus", "blur", "load", "beforeunload", "unload", "hashchange", "abort", "error",
+  "submit", "reset", "change", "select", "input" ,"text",
   "compositionstart", "compositionend", "popupshowing", "popupshown",
   "popuphiding", "popuphidden", "close", "command", "broadcast", "commandupdate",
   "dragenter", "dragover", "dragexit", "dragdrop", "draggesture",
   "drag", "dragend", "dragstart", "dragleave", "drop", "resize",
   "scroll", "overflow", "underflow", "overflowchanged",
   "DOMSubtreeModified", "DOMNodeInserted", "DOMNodeRemoved", 
   "DOMNodeRemovedFromDocument", "DOMNodeInsertedIntoDocument",
   "DOMAttrModified", "DOMCharacterDataModified",
@@ -1320,18 +1319,16 @@ const char* nsDOMEvent::GetEventName(PRU
   case NS_FOCUS_CONTENT:
     return sEventNames[eDOMEvents_focus];
   case NS_BLUR_CONTENT:
     return sEventNames[eDOMEvents_blur];
   case NS_XUL_CLOSE:
     return sEventNames[eDOMEvents_close];
   case NS_LOAD:
     return sEventNames[eDOMEvents_load];
-  case NS_POPSTATE:
-    return sEventNames[eDOMEvents_popstate];
   case NS_BEFORE_PAGE_UNLOAD:
     return sEventNames[eDOMEvents_beforeunload];
   case NS_PAGE_UNLOAD:
     return sEventNames[eDOMEvents_unload];
   case NS_HASHCHANGE:
     return sEventNames[eDOMEvents_hashchange];
   case NS_IMAGE_ABORT:
     return sEventNames[eDOMEvents_abort];
--- a/content/events/src/nsDOMEvent.h
+++ b/content/events/src/nsDOMEvent.h
@@ -53,33 +53,32 @@
 class nsIContent;
  
 class nsDOMEvent : public nsIDOMEvent,
                    public nsIDOMNSEvent,
                    public nsIPrivateDOMEvent
 {
 public:
 
-  // Note: this enum must be kept in sync with sEventNames in nsDOMEvent.cpp
+  // Note: this enum must be kept in sync with mEventNames in nsDOMEvent.cpp
   enum nsDOMEvents {
     eDOMEvents_mousedown=0,
     eDOMEvents_mouseup,
     eDOMEvents_click,
     eDOMEvents_dblclick,
     eDOMEvents_mouseover,
     eDOMEvents_mouseout,
     eDOMEvents_mousemove,
     eDOMEvents_contextmenu,
     eDOMEvents_keydown,
     eDOMEvents_keyup,
     eDOMEvents_keypress,
     eDOMEvents_focus,
     eDOMEvents_blur,
     eDOMEvents_load,
-    eDOMEvents_popstate,
     eDOMEvents_beforeunload,
     eDOMEvents_unload,
     eDOMEvents_hashchange,
     eDOMEvents_abort,
     eDOMEvents_error,
     eDOMEvents_submit,
     eDOMEvents_reset,
     eDOMEvents_change,
deleted file mode 100644
--- a/content/events/src/nsDOMPopStateEvent.cpp
+++ /dev/null
@@ -1,93 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is the Mozilla Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2009
- * the Initial Developer. All Rights Reserved.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either of the GNU General Public License Version 2 or later (the "GPL"),
- * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsDOMPopStateEvent.h"
-#include "nsCycleCollectionParticipant.h"
-
-NS_IMPL_CYCLE_COLLECTION_CLASS(nsDOMPopStateEvent)
-
-NS_IMPL_ADDREF_INHERITED(nsDOMPopStateEvent, nsDOMEvent)
-NS_IMPL_RELEASE_INHERITED(nsDOMPopStateEvent, nsDOMEvent)
-
-NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(nsDOMPopStateEvent, nsDOMEvent)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mState)
-NS_IMPL_CYCLE_COLLECTION_UNLINK_END
-
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(nsDOMPopStateEvent, nsDOMEvent)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mState)
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
-
-NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(nsDOMPopStateEvent)
-  NS_INTERFACE_MAP_ENTRY(nsIDOMPopStateEvent)
-  NS_INTERFACE_MAP_ENTRY_CONTENT_CLASSINFO(PopStateEvent)
-NS_INTERFACE_MAP_END_INHERITING(nsDOMEvent)
-
-nsDOMPopStateEvent::~nsDOMPopStateEvent()
-{
-}
-
-NS_IMETHODIMP
-nsDOMPopStateEvent::GetState(nsIVariant **aState)
-{
-  NS_PRECONDITION(aState, "null state arg");
-  NS_IF_ADDREF(*aState = mState);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsDOMPopStateEvent::InitPopStateEvent(const nsAString &aTypeArg,
-                                      PRBool aCanBubbleArg,
-                                      PRBool aCancelableArg,
-                                      nsIVariant *aStateArg)
-{
-  nsresult rv = nsDOMEvent::InitEvent(aTypeArg, aCanBubbleArg, aCancelableArg);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  mState = aStateArg;
-  return NS_OK;
-}
-
-nsresult NS_NewDOMPopStateEvent(nsIDOMEvent** aInstancePtrResult,
-                                nsPresContext* aPresContext,
-                                nsEvent* aEvent)
-{
-  nsDOMPopStateEvent* event =
-    new nsDOMPopStateEvent(aPresContext, aEvent);
-
-  if (!event) {
-    return NS_ERROR_OUT_OF_MEMORY;
-  }
-
-  return CallQueryInterface(event, aInstancePtrResult);
-}
deleted file mode 100644
--- a/content/events/src/nsDOMPopStateEvent.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is the Mozilla Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2009
- * the Initial Developer. All Rights Reserved.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either of the GNU General Public License Version 2 or later (the "GPL"),
- * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef nsDOMPopStateEvent_h__
-#define nsDOMPopStateEvent_h__
-
-class nsEvent;
-
-#include "nsIDOMPopStateEvent.h"
-#include "nsDOMEvent.h"
-#include "nsIVariant.h"
-#include "nsCycleCollectionParticipant.h"
-
-class nsDOMPopStateEvent : public nsDOMEvent,
-                           public nsIDOMPopStateEvent
-{
-public:
-  nsDOMPopStateEvent(nsPresContext* aPresContext, nsEvent* aEvent)
-    : nsDOMEvent(aPresContext, aEvent)  // state
-  {
-  }
-
-  virtual ~nsDOMPopStateEvent();
-
-  NS_DECL_ISUPPORTS_INHERITED
-  NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(nsDOMPopStateEvent, nsDOMEvent)
-
-  NS_DECL_NSIDOMPOPSTATEEVENT
-
-  NS_FORWARD_TO_NSDOMEVENT
-
-protected:
-  nsCOMPtr<nsIVariant> mState;
-};
-
-nsresult NS_NewDOMPopStateEvent(nsIDOMEvent** aInstancePtrResult,
-                                nsPresContext* aPresContext,
-                                nsEvent* aEvent);
-
-#endif // nsDOMPopStateEvent_h__
--- a/content/events/src/nsEventDispatcher.cpp
+++ b/content/events/src/nsEventDispatcher.cpp
@@ -43,17 +43,16 @@
 #include "nsEventListenerManager.h"
 #include "nsContentUtils.h"
 #include "nsDOMError.h"
 #include "nsMutationEvent.h"
 #include NEW_H
 #include "nsFixedSizeAllocator.h"
 #include "nsINode.h"
 #include "nsPIDOMWindow.h"
-#include "nsDOMPopStateEvent.h"
 
 #define NS_TARGET_CHAIN_FORCE_CONTENT_DISPATCH  (1 << 0)
 #define NS_TARGET_CHAIN_WANTS_WILL_HANDLE_EVENT (1 << 1)
 #define NS_TARGET_CHAIN_MAY_HAVE_MANAGER        (1 << 2)
 
 // nsEventTargetChainItem represents a single item in the event target chain.
 class nsEventTargetChainItem
 {
@@ -792,13 +791,11 @@ nsEventDispatcher::CreateEvent(nsPresCon
   if (aEventType.LowerCaseEqualsLiteral("pagetransition"))
     return NS_NewDOMPageTransitionEvent(aDOMEvent, aPresContext, nsnull);
   if (aEventType.LowerCaseEqualsLiteral("scrollareaevent"))
     return NS_NewDOMScrollAreaEvent(aDOMEvent, aPresContext, nsnull);
   // FIXME: Should get spec to say what the right string is here!  This
   // is probably wrong!
   if (aEventType.LowerCaseEqualsLiteral("transitionevent"))
     return NS_NewDOMTransitionEvent(aDOMEvent, aPresContext, nsnull);
-  if (aEventType.LowerCaseEqualsLiteral("popstateevent"))
-    return NS_NewDOMPopStateEvent(aDOMEvent, aPresContext, nsnull);
 
   return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
 }
deleted file mode 100644
--- a/docshell/base/crashtests/500328-1.html
+++ /dev/null
@@ -1,17 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<body onload="test();">
-<script>
-  function test() {
-    // Test that calling pushState() with a state object which calls
-    // history.back() doesn't crash. We need to make sure that there's at least
-    // one entry in the history before we do anything else.
-    history.pushState(null, "");
-
-    x = {};
-    x.toJSON = { history.back(); return "{a:1}"; };
-    history.pushState(x, "");
-  }
-</script>
-</body>
-</html>
--- a/docshell/base/crashtests/crashtests.list
+++ b/docshell/base/crashtests/crashtests.list
@@ -1,9 +1,8 @@
 load 40929-1.html
 load 369126-1.html
 load 403574-1.xhtml
 load 430124-1.html
 load 430628-1.html
 load 432114-1.html
 load 432114-2.html
 load 436900-1.html
-load 500328-1.html
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -104,17 +104,16 @@
 #include "nsDOMJSUtils.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsIView.h"
 #include "nsIViewManager.h"
 #include "nsIScriptChannel.h"
 #include "nsIURIClassifier.h"
 #include "nsIOfflineCacheUpdate.h"
 #include "nsCPrefetchService.h"
-#include "nsJSON.h"
 
 // we want to explore making the document own the load group
 // so we can associate the document URI with the load group.
 // until this point, we have an evil hack:
 #include "nsIHttpChannelInternal.h"  
 
 
 // Local Includes
@@ -651,18 +650,16 @@ DispatchPings(nsIContent *content, nsIUR
     return;
 
   info.numPings = 0;
   info.referrer = referrer;
 
   ForEachPing(content, SendPing, &info);
 }
 
-static nsISHEntry* GetRootSHEntry(nsISHEntry *entry);
-
 //*****************************************************************************
 //***    nsDocShell: Object Management
 //*****************************************************************************
 
 // Note: operator new zeros our memory
 nsDocShell::nsDocShell():
     nsDocLoader(),
     mDefaultScrollbarPref(Scrollbar_Auto, Scrollbar_Auto),
@@ -861,24 +858,16 @@ NS_IMETHODIMP nsDocShell::GetInterface(c
              NS_SUCCEEDED(EnsureScriptEnvironment())) {
         return mScriptGlobal->QueryInterface(aIID, aSink);
     }
     else if (aIID.Equals(NS_GET_IID(nsIDOMDocument)) &&
              NS_SUCCEEDED(EnsureContentViewer())) {
         mContentViewer->GetDOMDocument((nsIDOMDocument **) aSink);
         return *aSink ? NS_OK : NS_NOINTERFACE;
     }
-    else if (aIID.Equals(NS_GET_IID(nsIDocument)) &&
-             NS_SUCCEEDED(EnsureContentViewer())) {
-        nsCOMPtr<nsIDOMDocument> domDoc;
-        mContentViewer->GetDOMDocument(getter_AddRefs(domDoc));
-        if (!domDoc)
-            return NS_NOINTERFACE;
-        return domDoc->QueryInterface(aIID, aSink);
-    }
     else if (aIID.Equals(NS_GET_IID(nsIApplicationCacheContainer))) {
         *aSink = nsnull;
 
         // Return application cache associated with this docshell, if any
 
         nsCOMPtr<nsIContentViewer> contentViewer;
         GetContentViewer(getter_AddRefs(contentViewer));
         if (!contentViewer)
@@ -1202,17 +1191,17 @@ nsDocShell::LoadURI(nsIURI * aURI,
                     // This is a newly created frame. Check for exception cases first. 
                     // By default the subframe will inherit the parent's loadType.
                     if (shEntry && (parentLoadType == LOAD_NORMAL ||
                                     parentLoadType == LOAD_LINK   ||
                                     parentLoadType == LOAD_NORMAL_EXTERNAL)) {
                         // The parent was loaded normally. In this case, this *brand new* child really shouldn't
                         // have a SHEntry. If it does, it could be because the parent is replacing an
                         // existing frame with a new frame, in the onLoadHandler. We don't want this
-                        // url to get into session history. Clear off shEntry, and set load type to
+                        // url to get into session history. Clear off shEntry, and set laod type to
                         // LOAD_BYPASS_HISTORY. 
                         PRBool inOnLoadHandler=PR_FALSE;
                         parentDS->GetIsExecutingOnLoadHandler(&inOnLoadHandler);
                         if (inOnLoadHandler) {
                             loadType = LOAD_NORMAL_REPLACE;
                             shEntry = nsnull;
                         }
                     }   
@@ -3232,21 +3221,21 @@ nsDocShell::GetChildSHEntry(PRInt32 aChi
                 (*aResult)->SetLoadType(loadType);            
         }
     }
     return rv;
 }
 
 NS_IMETHODIMP
 nsDocShell::AddChildSHEntry(nsISHEntry * aCloneRef, nsISHEntry * aNewEntry,
-                            PRInt32 aChildOffset, PRUint32 loadType)
+                            PRInt32 aChildOffset)
 {
     nsresult rv;
 
-    if (mLSHE && loadType != LOAD_PUSHSTATE) {
+    if (mLSHE) {
         /* You get here if you are currently building a 
          * hierarchy ie.,you just visited a frameset page
          */
         nsCOMPtr<nsISHContainer> container(do_QueryInterface(mLSHE, &rv));
         if (container) {
             rv = container->AddChild(aNewEntry, aChildOffset);
         }
     }
@@ -3291,18 +3280,17 @@ nsDocShell::AddChildSHEntry(nsISHEntry *
             }
         }
     }
     else {
         /* Just pass this along */
         nsCOMPtr<nsIDocShellHistory> parent =
             do_QueryInterface(GetAsSupports(mParent), &rv);
         if (parent) {
-            rv = parent->AddChildSHEntry(aCloneRef, aNewEntry, aChildOffset,
-                                         loadType);
+            rv = parent->AddChildSHEntry(aCloneRef, aNewEntry, aChildOffset);
         }          
     }
     return rv;
 }
 
 nsresult
 nsDocShell::DoAddChildSHEntry(nsISHEntry* aNewEntry, PRInt32 aChildOffset)
 {
@@ -3320,17 +3308,17 @@ nsDocShell::DoAddChildSHEntry(nsISHEntry
     if (rootSH) {
         rootSH->GetIndex(&mPreviousTransIndex);
     }
 
     nsresult rv;
     nsCOMPtr<nsIDocShellHistory> parent =
         do_QueryInterface(GetAsSupports(mParent), &rv);
     if (parent) {
-        rv = parent->AddChildSHEntry(mOSHE, aNewEntry, aChildOffset, mLoadType);
+        rv = parent->AddChildSHEntry(mOSHE, aNewEntry, aChildOffset);
     }
 
 
     if (rootSH) {
         rootSH->GetIndex(&mLoadedTransIndex);
 #ifdef DEBUG_PAGE_CACHE
         printf("Previous index: %d, Loaded index: %d\n\n", mPreviousTransIndex,
                mLoadedTransIndex);
@@ -3464,16 +3452,17 @@ NS_IMETHODIMP nsDocShell::GotoIndex(PRIn
     rv = GetRootSessionHistory(getter_AddRefs(rootSH));
     nsCOMPtr<nsIWebNavigation> webnav(do_QueryInterface(rootSH));
     NS_ENSURE_TRUE(webnav, NS_ERROR_FAILURE);
     rv = webnav->GotoIndex(aIndex);
     return rv;
 
 }
 
+
 NS_IMETHODIMP
 nsDocShell::LoadURI(const PRUnichar * aURI,
                     PRUint32 aLoadFlags,
                     nsIURI * aReferringURI,
                     nsIInputStream * aPostStream,
                     nsIInputStream * aHeaderStream)
 {
     NS_ASSERTION((aLoadFlags & 0xf) == 0, "Unexpected flags");
@@ -3852,23 +3841,16 @@ nsDocShell::LoadErrorPage(nsIURI *aURI, 
                ("nsDocShell[%p]::LoadErrorPage(\"%s\", \"%s\", {...}, [%s])\n", this,
                 spec.get(), NS_ConvertUTF16toUTF8(aURL).get(), chanName.get()));
     }
 #endif
     mFailedChannel = aFailedChannel;
     mFailedURI = aURI;
     mFailedLoadType = mLoadType;
 
-    if (mLSHE) {
-        // If we don't give mLSHE a new doc identifier here, when we go back or
-        // forward to another SHEntry with the same doc identifier, the error
-        // page will persist.
-        mLSHE->SetUniqueDocIdentifier();
-    }
-
     nsCAutoString url;
     nsCAutoString charset;
     if (aURI)
     {
         nsresult rv = aURI->GetSpec(url);
         rv |= aURI->GetOriginCharset(charset);
         NS_ENSURE_SUCCESS(rv, rv);
     }
@@ -5727,23 +5709,23 @@ nsDocShell::EndPageLoad(nsIWebProgress *
     // someone is so very very rude as to bring this window down
     // during this load handler.
     //
     nsCOMPtr<nsIDocShell> kungFuDeathGrip(this);
 
     // We're done with the URI classifier for this channel
     mClassifier = nsnull;
 
-    // Notify the ContentViewer that the Document has finished loading.  This
-    // will cause any OnLoad(...) and PopState(...) handlers to fire.
+    //
+    // Notify the ContentViewer that the Document has finished loading...
+    //
+    // This will cause any OnLoad(...) handlers to fire, if it is a HTML
+    // document...
+    //
     if (!mEODForCurrentDocument && mContentViewer) {
-        // Set the pending state object which will be returned to the page in
-        // the popstate event.
-        SetDocPendingStateObj(mLSHE);
-
         mIsExecutingOnLoadHandler = PR_TRUE;
         mContentViewer->LoadComplete(aStatus);
         mIsExecutingOnLoadHandler = PR_FALSE;
 
         mEODForCurrentDocument = PR_TRUE;
 
         // If all documents have completed their loading
         // favor native event dispatch priorities
@@ -7381,36 +7363,16 @@ nsDocShell::SetupNewViewer(nsIContentVie
 
     // We don't show the mContentViewer yet, since we want to draw the old page
     // until we have enough of the new page to show.  Just return with the new
     // viewer still set to hidden.
 
     return NS_OK;
 }
 
-nsresult
-nsDocShell::SetDocPendingStateObj(nsISHEntry *shEntry)
-{
-    nsresult rv;
-
-    nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
-    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);
-
-    nsAutoString stateData;
-    if (shEntry) {
-        rv = shEntry->GetStateData(stateData);
-        NS_ENSURE_SUCCESS(rv, rv);
-
-        // if shEntry is null, we just set the pending state object to the
-        // empty string.
-    }
-
-    document->SetPendingStateObject(stateData);
-    return NS_OK;
-}
 
 nsresult
 nsDocShell::CheckLoadingPermissions()
 {
     // This method checks whether the caller may load content into
     // this docshell. Even though we've done our best to hide windows
     // from code that doesn't have the right to access them, it's
     // still possible for an evil site to open a window and access
@@ -7877,121 +7839,86 @@ nsDocShell::InternalLoad(nsIURI * aURI,
         if (allowScroll) {
             nsCOMPtr<nsIInputStream> currentPostData;
             mOSHE->GetPostData(getter_AddRefs(currentPostData));
             NS_ASSERTION(currentPostData == aPostData,
                          "Different POST data for entries for the same page?");
         }
 #endif
     }
-
-    if (aLoadType == LOAD_NORMAL ||
-        aLoadType == LOAD_STOP_CONTENT ||
-        LOAD_TYPE_HAS_FLAGS(aLoadType, LOAD_FLAGS_REPLACE_HISTORY) ||
-        aLoadType == LOAD_HISTORY ||
-        aLoadType == LOAD_LINK) {
-
+    
+    if ((aLoadType == LOAD_NORMAL ||
+         aLoadType == LOAD_STOP_CONTENT ||
+         LOAD_TYPE_HAS_FLAGS(aLoadType, LOAD_FLAGS_REPLACE_HISTORY) ||
+         aLoadType == LOAD_HISTORY ||
+         aLoadType == LOAD_LINK) && allowScroll) {
         PRBool wasAnchor = PR_FALSE;
         PRBool doHashchange = PR_FALSE;
         nscoord cx, cy;
-
-        if (allowScroll) {
-            NS_ENSURE_SUCCESS(ScrollIfAnchor(aURI, &wasAnchor, aLoadType, &cx,
-                                             &cy, &doHashchange),
-                              NS_ERROR_FAILURE);
-        }
-
-        // If this is a history load, aSHEntry will have document identifier X
-        // if it was created as a result of a History.pushState() from a
-        // SHEntry with doc ident X, or if it was created by changing the hash
-        // of the URI corresponding to a SHEntry with doc ident X.
-        PRBool sameDocIdent = PR_FALSE;
-        if (mOSHE && aSHEntry) {
-          PRUint64 ourDocIdent, otherDocIdent;
-          mOSHE->GetDocIdentifier(&ourDocIdent);
-          aSHEntry->GetDocIdentifier(&otherDocIdent);
-          sameDocIdent = (ourDocIdent == otherDocIdent);
-        }
-
-        // Do a short-circuited load if the new URI differs from the current
-        // URI only in the hash, or if the two entries belong to the same
-        // document and don't point to the same object.
-        //
-        // (If we didn't check that the SHEntries are different objects,
-        // history.go(0) would short-circuit instead of triggering a true
-        // load, and we wouldn't dispatch an onload event to the page.)
-        if (wasAnchor || (sameDocIdent && (mOSHE != aSHEntry))) {
+        NS_ENSURE_SUCCESS(ScrollIfAnchor(aURI, &wasAnchor, aLoadType, &cx, &cy,
+                                         &doHashchange),
+                          NS_ERROR_FAILURE);
+
+        if (wasAnchor) {
             mLoadType = aLoadType;
             mURIResultedInDocument = PR_TRUE;
 
-            /* we need to assign mLSHE to aSHEntry right here, so that on History loads,
-             * SetCurrentURI() called from OnNewURI() will send proper
+            /* we need to assign mLSHE to aSHEntry right here, so that on History loads, 
+             * SetCurrentURI() called from OnNewURI() will send proper 
              * onLocationChange() notifications to the browser to update
-             * back/forward buttons.
+             * back/forward buttons. 
              */
             SetHistoryEntry(&mLSHE, aSHEntry);
 
             /* This is a anchor traversal with in the same page.
              * call OnNewURI() so that, this traversal will be 
              * recorded in session and global history.
              */
             nsCOMPtr<nsISupports> owner;
             if (mOSHE) {
                 mOSHE->GetOwner(getter_AddRefs(owner));
             }
             OnNewURI(aURI, nsnull, owner, mLoadType, PR_TRUE);
-
             nsCOMPtr<nsIInputStream> postData;
             PRUint32 pageIdent = PR_UINT32_MAX;
             nsCOMPtr<nsISupports> cacheKey;
-
+            
             if (mOSHE) {
                 /* save current position of scroller(s) (bug 59774) */
                 mOSHE->SetScrollPosition(cx, cy);
                 // Get the postdata and page ident from the current page, if
                 // the new load is being done via normal means.  Note that
                 // "normal means" can be checked for just by checking for
                 // LOAD_CMD_NORMAL, given the loadType and allowScroll check
                 // above -- it filters out some LOAD_CMD_NORMAL cases that we
                 // wouldn't want here.
                 if (aLoadType & LOAD_CMD_NORMAL) {
                     mOSHE->GetPostData(getter_AddRefs(postData));
                     mOSHE->GetPageIdentifier(&pageIdent);
                     mOSHE->GetCacheKey(getter_AddRefs(cacheKey));
                 }
-
-                if (mLSHE && wasAnchor) {
-                    // If it's an anchor load, set mLSHE's doc identifier to
-                    // mOSHE's doc identifier -- These are the same documents,
-                    // as far as HTML5 is concerned.
-                    PRUint64 docIdent;
-                    rv = mOSHE->GetDocIdentifier(&docIdent);
-                    if (NS_SUCCEEDED(rv)) {
-                        mLSHE->SetDocIdentifier(docIdent);
-                    }
-                }
             }
-
+            
             /* Assign mOSHE to mLSHE. This will either be a new entry created
              * by OnNewURI() for normal loads or aSHEntry for history loads.
              */
             if (mLSHE) {
                 SetHistoryEntry(&mOSHE, mLSHE);
                 // Save the postData obtained from the previous page
                 // in to the session history entry created for the 
                 // anchor page, so that any history load of the anchor
                 // page will restore the appropriate postData.
                 if (postData)
                     mOSHE->SetPostData(postData);
 
                 // Make sure we won't just repost without hitting the
                 // cache first
                 if (cacheKey)
                     mOSHE->SetCacheKey(cacheKey);
-
+                
                 // Propagate our page ident to the new mOSHE so that
                 // we'll know it just differed by a scroll on the page.
                 if (pageIdent != PR_UINT32_MAX)
                     mOSHE->SetPageIdentifier(pageIdent);
             }
 
             /* restore previous position of scroller(s), if we're moving
              * back in history (bug 59774)
@@ -8017,37 +7944,22 @@ nsDocShell::InternalLoad(nsIURI * aURI,
                 mSessionHistory->GetEntryAtIndex(index, PR_FALSE,
                                                  getter_AddRefs(hEntry));
                 NS_ENSURE_TRUE(hEntry, NS_ERROR_FAILURE);
                 nsCOMPtr<nsISHEntry> shEntry(do_QueryInterface(hEntry));
                 if (shEntry)
                     shEntry->SetTitle(mTitle);
             }
 
-            if (sameDocIdent) {
-                // Set the doc's URI according to the new history entry's URI
-                nsCOMPtr<nsIURI> newURI;
-                mOSHE->GetURI(getter_AddRefs(newURI));
-                NS_ENSURE_TRUE(newURI, NS_ERROR_FAILURE);
-                nsCOMPtr<nsIDocument> doc =
-                  do_GetInterface(GetAsSupports(this));
-                NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
-
-                doc->SetDocumentURI(newURI);
-            }
-
-            SetDocPendingStateObj(mOSHE);
-
-            // Dispatch the popstate and hashchange events, as appropriate
-            nsCOMPtr<nsPIDOMWindow> window = do_QueryInterface(mScriptGlobal);
-            if (window) {
-                window->DispatchSyncPopState();
-
-                if (doHashchange)
-                  window->DispatchSyncHashchange();
+            if (doHashchange) {
+                nsCOMPtr<nsPIDOMWindow> window =
+                    do_QueryInterface(mScriptGlobal);
+
+                if (window)
+                    window->DispatchSyncHashchange();
             }
 
             return NS_OK;
         }
     }
     
     // mContentViewer->PermitUnload can destroy |this| docShell, which
     // causes the next call of CanSavePresentation to crash. 
@@ -8920,24 +8832,16 @@ nsDocShell::OnNewURI(nsIURI * aURI, nsIC
             GetHttpChannel(aChannel, getter_AddRefs(httpChannel));
         }
 
         if (httpChannel) {
             nsCOMPtr<nsIUploadChannel> uploadChannel(do_QueryInterface(httpChannel));
             if (uploadChannel) {
                 uploadChannel->GetUploadStream(getter_AddRefs(inputStream));
             }
-
-            // If the response status indicates an error, unlink this session
-            // history entry from any entries sharing its doc ident.
-            PRUint32 responseStatus;
-            nsresult rv = httpChannel->GetResponseStatus(&responseStatus);
-            if (mLSHE && NS_SUCCEEDED(rv) && responseStatus >= 400) {
-                mLSHE->SetUniqueDocIdentifier();
-            }
         }
     }
     /* Create SH Entry (mLSHE) only if there is a  SessionHistory object (mSessionHistory) in
      * the current frame or in the root docshell
      */
     nsCOMPtr<nsISHistory> rootSH = mSessionHistory;
     if (!rootSH) {
         // Get the handle to SH from the root docshell          
@@ -8949,17 +8853,17 @@ nsDocShell::OnNewURI(nsIURI * aURI, nsIC
 
     // Determine if this type of load should update history.
     if (aLoadType == LOAD_BYPASS_HISTORY ||
         aLoadType == LOAD_ERROR_PAGE ||
         aLoadType & LOAD_CMD_HISTORY ||
         aLoadType & LOAD_CMD_RELOAD)
         updateHistory = PR_FALSE;
 
-    // Check if the url to be loaded is the same as the one already loaded.
+    // Check if the url to be loaded is the same as the one already loaded. 
     if (mCurrentURI)
         aURI->Equals(mCurrentURI, &equalUri);
 
 #ifdef DEBUG
     PR_LOG(gDocShellLog, PR_LOG_DEBUG,
            ("  shAvailable=%i updateHistory=%i equalURI=%i\n",
             shAvailable, updateHistory, equalUri));
 #endif
@@ -8986,16 +8890,17 @@ nsDocShell::OnNewURI(nsIURI * aURI, nsIC
     }
 
     // If this is a refresh to the currently loaded url, we don't
     // have to update session or global history.
     if (mLoadType == LOAD_REFRESH && !inputStream && equalUri) {
         SetHistoryEntry(&mLSHE, mOSHE);
     }
 
+
     /* If the user pressed shift-reload, cache will create a new cache key
      * for the page. Save the new cacheKey in Session History. 
      * see bug 90098
      */
     if (aChannel &&
         (aLoadType == LOAD_RELOAD_BYPASS_CACHE ||
          aLoadType == LOAD_RELOAD_BYPASS_PROXY ||
          aLoadType == LOAD_RELOAD_BYPASS_PROXY_AND_CACHE)) {
@@ -9075,293 +8980,17 @@ nsDocShell::OnLoadingSite(nsIChannel * a
 void
 nsDocShell::SetReferrerURI(nsIURI * aURI)
 {
     mReferrerURI = aURI;        // This assigment addrefs
 }
 
 //*****************************************************************************
 // nsDocShell: Session History
-//*****************************************************************************
-
-nsresult
-nsDocShell::StringifyJSValVariant(nsIVariant *aData, nsAString &aResult)
-{
-    nsresult rv;
-    aResult.Truncate();
-
-    // First, try to extract a jsval from the variant |aData|.  This works only
-    // if the variant implements GetAsJSVal.
-    jsval jsData;
-    rv = aData->GetAsJSVal(&jsData);
-    NS_ENSURE_SUCCESS(rv, NS_ERROR_UNEXPECTED);
-
-    // Now get the JSContext associated with the current document.
-    // First get the current document.
-    nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
-    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);
-
-    // Get the JSContext from the document, like we do in
-    // nsContentUtils::GetContextFromDocument().
-    nsIScriptGlobalObject *sgo = document->GetScopeObject();
-    NS_ENSURE_TRUE(sgo, NS_ERROR_FAILURE);
-
-    nsIScriptContext *scx = sgo->GetContext();
-    NS_ENSURE_TRUE(scx, NS_ERROR_FAILURE);
-
-    JSContext *cx = (JSContext *)scx->GetNativeContext();
-
-    // If our json call triggers a JS-to-C++ call, we want that call to use cx
-    // as the context.  So we push cx onto the context stack.
-    nsCOMPtr<nsIJSContextStack> contextStack =
-        do_GetService("@mozilla.org/js/xpc/ContextStack;1", &rv);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    contextStack->Push(cx);
-
-    nsCOMPtr<nsIJSON> json = do_GetService("@mozilla.org/dom/json;1");
-    if(json) {
-        // Do the encoding
-        rv = json->EncodeFromJSVal(&jsData, cx, aResult);
-    }
-    else {
-        rv = NS_ERROR_FAILURE;
-    }
-
-    // Always pop the stack!
-    contextStack->Pop(&cx);
-
-    return rv;
-}
-
-NS_IMETHODIMP
-nsDocShell::AddState(nsIVariant *aData, const nsAString& aTitle,
-                     const nsAString& aURL, PRBool aReplace)
-{
-    // Implements History.pushState and History.replaceState
-
-    // Here's what we do, roughly in the order specified by HTML5:
-    // 1. Serialize aData to JSON.
-    // 2. If the third argument is present,
-    //     a. Resolve the url, relative to the first script's base URL
-    //     b. If (a) fails, raise a SECURITY_ERR
-    //     c. Compare the resulting absolute URL to the document's address.  If
-    //        any part of the URLs difer other than the <path>, <query>, and
-    //        <fragment> components, raise a SECURITY_ERR and abort.
-    // 3. If !aReplace:
-    //     Remove from the session history all entries after the current entry,
-    //     as we would after a regular navigation.
-    // 4. As apropriate, either add a state object entry to the session history
-    //    after the current entry with the following properties, or modify the
-    //    current session history entry to set
-    //      a. cloned data as the state object,
-    //      b. the given title as the title, and,
-    //      c. if the third argument was present, the absolute URL found in
-    //         step 2
-    // 5. If aReplace is false (i.e. we're doing a pushState instead of a
-    //    replaceState), notify bfcache that we've navigated to a new page.
-    // 6. If the third argument is present, set the document's current address
-    //    to the absolute URL found in step 2.
-    //
-    // It's important that this function not run arbitrary scripts after step 1
-    // and before completing step 5.  For example, if a script called
-    // history.back() before we completed step 5, bfcache might destroy an
-    // active content viewer.  Since EvictContentViewers at the end of step 5
-    // might run script, we can't just put a script blocker around the critical
-    // section.
-
-    nsresult rv;
-
-    nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
-    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);
-
-    mLoadType = LOAD_PUSHSTATE;
-
-    // Step 1: Clone aData by getting its JSON representation
-    nsString dataStr;
-    rv = StringifyJSValVariant(aData, dataStr);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // Check that the state object isn't too long.
-    // Default max length: 640k chars.
-    PRInt32 maxStateObjSize = 0xA0000;
-    if (mPrefs) {
-      mPrefs->GetIntPref("browser.history.maxStateObjectSize",
-                         &maxStateObjSize);
-    }
-    if (maxStateObjSize < 0)
-      maxStateObjSize = 0;
-    NS_ENSURE_TRUE(dataStr.Length() <= (PRUint32)maxStateObjSize,
-                   NS_ERROR_ILLEGAL_VALUE);
-
-    // Step 2: Resolve aURL
-    PRBool equalURIs = PR_TRUE;
-    nsCOMPtr<nsIURI> oldURI = mCurrentURI;
-    nsCOMPtr<nsIURI> newURI;
-    if (aURL.Length() == 0) {
-      newURI = mCurrentURI;
-    }
-    else {
-        // 2a: Resolve aURL relative to mURI
-
-        nsIURI* docBaseURI = document->GetBaseURI();
-        if (!docBaseURI)
-            return NS_ERROR_FAILURE;
-
-        nsCAutoString spec;
-        docBaseURI->GetSpec(spec);
-
-        nsCAutoString charset;
-        rv = docBaseURI->GetOriginCharset(charset);
-        NS_ENSURE_SUCCESS(rv, NS_ERROR_FAILURE);
-
-        rv = NS_NewURI(getter_AddRefs(newURI), aURL,
-                       charset.get(), docBaseURI);
-
-        // 2b: If 2a fails, raise a SECURITY_ERR
-        if (NS_FAILED(rv)) {
-            return NS_ERROR_DOM_SECURITY_ERR;
-        }
-
-        // 2c: Same-origin check.
-        if (!URIIsLocalFile(newURI)) {
-            // In addition to checking that the security manager says that
-            // the new URI has the same origin as our current URI, we also
-            // check that the two URIs have the same userpass. (The
-            // security manager says that |http://foo.com| and
-            // |http://me@foo.com| have the same origin.)  mCurrentURI
-            // won't contain the password part of the userpass, so this
-            // means that it's never valid to specify a password in a
-            // pushState or replaceState URI.
-
-            nsCOMPtr<nsIScriptSecurityManager> secMan =
-                do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-            NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-            // It's very important that we check that newURI is of the same
-            // origin as mCurrentURI, not docBaseURI, because a page can
-            // set docBaseURI arbitrarily to any domain.
-            nsCAutoString currentUserPass, newUserPass;
-            NS_ENSURE_SUCCESS(mCurrentURI->GetUserPass(currentUserPass),
-                              NS_ERROR_FAILURE);
-            NS_ENSURE_SUCCESS(newURI->GetUserPass(newUserPass),
-                              NS_ERROR_FAILURE);
-            if (NS_FAILED(secMan->CheckSameOriginURI(mCurrentURI,
-                                                     newURI, PR_TRUE)) ||
-                !currentUserPass.Equals(newUserPass)) {
-
-                return NS_ERROR_DOM_SECURITY_ERR;
-            }
-        }
-        else {
-            // It's a file:// URI
-            nsCOMPtr<nsIScriptObjectPrincipal> docScriptObj =
-                do_QueryInterface(document);
-
-            if (!docScriptObj) {
-                return NS_ERROR_DOM_SECURITY_ERR;
-            }
-
-            nsCOMPtr<nsIPrincipal> principal = docScriptObj->GetPrincipal();
-
-            if (!principal ||
-                NS_FAILED(principal->CheckMayLoad(newURI, PR_TRUE))) {
-
-                return NS_ERROR_DOM_SECURITY_ERR;
-            }
-        }
-
-        mCurrentURI->Equals(newURI, &equalURIs);
-
-    } // end of same-origin check
-
-    nsCOMPtr<nsISHistory> sessionHistory = mSessionHistory;
-    if (!sessionHistory) {
-        // Get the handle to SH from the root docshell
-        GetRootSessionHistory(getter_AddRefs(sessionHistory));
-    }
-    NS_ENSURE_TRUE(sessionHistory, NS_ERROR_FAILURE);
-
-    nsCOMPtr<nsISHistoryInternal> shInternal =
-      do_QueryInterface(sessionHistory, &rv);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // Step 3: Create a new entry in the session history; this will erase
-    // all SHEntries after the new entry and make this entry the current
-    // one.  This operation may modify mOSHE, which we need later, so we
-    // keep a reference here.
-    NS_ENSURE_TRUE(mOSHE, NS_ERROR_FAILURE);
-    nsCOMPtr<nsISHEntry> oldOSHE = mOSHE;
-
-    nsCOMPtr<nsISHEntry> newSHEntry;
-    if (!aReplace) {
-        rv = AddToSessionHistory(newURI, nsnull, nsnull,
-                                 getter_AddRefs(newSHEntry));
-        NS_ENSURE_SUCCESS(rv, rv);
-
-        NS_ENSURE_TRUE(newSHEntry, NS_ERROR_FAILURE);
-
-        // Set the new SHEntry's document identifier, if we can.
-        PRUint64 ourDocIdent;
-        NS_ENSURE_SUCCESS(oldOSHE->GetDocIdentifier(&ourDocIdent),
-                          NS_ERROR_FAILURE);
-        NS_ENSURE_SUCCESS(newSHEntry->SetDocIdentifier(ourDocIdent),
-                          NS_ERROR_FAILURE);
-
-        // AddToSessionHistory may not modify mOSHE.  In case it doesn't,
-        // we'll just set mOSHE here.
-        mOSHE = newSHEntry;
-
-    } else {
-        newSHEntry = mOSHE;
-        newSHEntry->SetURI(newURI);
-    }
-
-    // Step 4: Modify new/original session history entry
-    newSHEntry->SetStateData(dataStr);
-
-    // Step 5: If aReplace is false, indicating that we're doing a pushState
-    // rather than a replaceState, notify bfcache that we've added a page to
-    // the history so it can evict content viewers if appropriate.
-    if (!aReplace) {
-        nsCOMPtr<nsISHistory> rootSH;
-        GetRootSessionHistory(getter_AddRefs(rootSH));
-        NS_ENSURE_TRUE(rootSH, NS_ERROR_UNEXPECTED);
-
-        nsCOMPtr<nsISHistoryInternal> internalSH =
-            do_QueryInterface(rootSH);
-        NS_ENSURE_TRUE(internalSH, NS_ERROR_UNEXPECTED);
-
-        PRInt32 curIndex = -1;
-        rv = rootSH->GetIndex(&curIndex);
-        if (NS_SUCCEEDED(rv) && curIndex > -1) {
-            internalSH->EvictContentViewers(curIndex - 1, curIndex);
-        }
-    }
-
-    // Step 6: If the document's URI changed, update document's URI and update
-    // global history
-    if (!equalURIs) {
-        SetCurrentURI(newURI, nsnull, PR_TRUE);
-        document->SetDocumentURI(newURI);
-
-        AddToGlobalHistory(newURI, PR_FALSE, oldURI);
-    }
-
-    // Try to set the title of the current history element
-    if (mOSHE)
-      mOSHE->SetTitle(aTitle);
-
-    // We need this to ensure that the back button is enabled after a
-    // pushState, if it wasn't already enabled.
-    FireOnLocationChange(this, nsnull, mCurrentURI);
-
-    return NS_OK;
-}
-
+//*****************************************************************************   
 PRBool
 nsDocShell::ShouldAddToSessionHistory(nsIURI * aURI)
 {
     // I believe none of the about: urls should go in the history. But then
     // that could just be me... If the intent is only deny about:blank then we
     // should just do a spec compare, rather than two gets of the scheme and
     // then the path.  -Gagan
     nsresult rv;
@@ -9794,16 +9423,17 @@ nsDocShell::CloneAndReplace(nsISHEntry *
 
     CloneAndReplaceData data(aCloneID, aReplaceEntry, nsnull);
     nsresult rv = CloneAndReplaceChild(aSrcEntry, aSrcShell, 0, &data);
 
     data.resultEntry.swap(*aResultEntry);
     return rv;
 }
 
+
 void
 nsDocShell::SwapHistoryEntries(nsISHEntry *aOldEntry, nsISHEntry *aNewEntry)
 {
     if (aOldEntry == mOSHE)
         mOSHE = aNewEntry;
 
     if (aOldEntry == mLSHE)
         mLSHE = aNewEntry;
@@ -10044,59 +9674,51 @@ NS_IMETHODIMP nsDocShell::MakeEditable(P
 
   return mEditorData->MakeEditable(inWaitForUriLoad);
 }
 
 nsresult
 nsDocShell::AddToGlobalHistory(nsIURI * aURI, PRBool aRedirect,
                                nsIChannel * aChannel)
 {
+    if (mItemType != typeContent || !mGlobalHistory)
+        return NS_OK;
+
     // If this is a POST request, we do not want to include this in global
     // history, so return early.
     nsCOMPtr<nsIHttpChannel> hchan(do_QueryInterface(aChannel));
     if (hchan) {
         nsCAutoString type;
         nsresult rv = hchan->GetRequestMethod(type);
         if (NS_SUCCEEDED(rv) && type.EqualsLiteral("POST"))
             return NS_OK;
     }
 
-    nsCOMPtr<nsIURI> referrer;
-    if (aChannel)
-        NS_GetReferrerFromChannel(aChannel, getter_AddRefs(referrer));
-
-    return AddToGlobalHistory(aURI, aRedirect, referrer);
-}
-
-nsresult
-nsDocShell::AddToGlobalHistory(nsIURI * aURI, PRBool aRedirect,
-                               nsIURI * aReferrer)
-{
-    if (mItemType != typeContent || !mGlobalHistory)
-        return NS_OK;
-
     PRBool visited;
     nsresult rv = mGlobalHistory->IsVisited(aURI, &visited);
     if (NS_FAILED(rv))
         return rv;
 
-    rv = mGlobalHistory->AddURI(aURI, aRedirect, !IsFrame(), aReferrer);
+    nsCOMPtr<nsIURI> referrer;
+    if (aChannel)
+        NS_GetReferrerFromChannel(aChannel, getter_AddRefs(referrer));
+
+    rv = mGlobalHistory->AddURI(aURI, aRedirect, !IsFrame(), referrer);
     if (NS_FAILED(rv))
         return rv;
 
     if (!visited) {
         nsCOMPtr<nsIObserverService> obsService =
             do_GetService("@mozilla.org/observer-service;1");
         if (obsService) {
             obsService->NotifyObservers(aURI, NS_LINK_VISITED_EVENT_TOPIC, nsnull);
         }
     }
 
     return NS_OK;
-
 }
 
 //*****************************************************************************
 // nsDocShell: Helper Routines
 //*****************************************************************************
 
 NS_IMETHODIMP
 nsDocShell::SetLoadType(PRUint32 aLoadType)
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -359,20 +359,16 @@ protected:
     // exists).  The channel will be suspended until the classification is
     // complete.
     nsresult CheckClassifier(nsIChannel *aChannel);
 
     nsresult ScrollIfAnchor(nsIURI * aURI, PRBool * aWasAnchor,
                             PRUint32 aLoadType, nscoord *cx, nscoord *cy,
                             PRBool * aDoHashchange);
 
-    // Tries to stringify a given variant by converting it to JSON.  This only
-    // works if the variant is backed by a JSVal.
-    nsresult StringifyJSValVariant(nsIVariant *aData, nsAString &aResult);
-
     // Returns PR_TRUE if would have called FireOnLocationChange,
     // but did not because aFireOnLocationChange was false on entry.
     // In this case it is the caller's responsibility to ensure
     // FireOnLocationChange is called.
     // In all other cases PR_FALSE is returned.
     PRBool OnLoadingSite(nsIChannel * aChannel,
                          PRBool aFireOnLocationChange,
                          PRBool aAddToGlobalHistory = PR_TRUE);
@@ -464,21 +460,18 @@ protected:
     // overridden from nsDocLoader, this provides more information than the
     // normal OnStateChange with flags STATE_REDIRECTING
     virtual void OnRedirectStateChange(nsIChannel* aOldChannel,
                                        nsIChannel* aNewChannel,
                                        PRUint32 aRedirectFlags,
                                        PRUint32 aStateFlags);
 
     // Global History
-
     nsresult AddToGlobalHistory(nsIURI * aURI, PRBool aRedirect,
                                 nsIChannel * aChannel);
-    nsresult AddToGlobalHistory(nsIURI * aURI, PRBool aRedirect,
-                                nsIURI * aReferrer);
 
     // Helper Routines
     nsresult   ConfirmRepost(PRBool * aRepost);
     NS_IMETHOD GetPromptAndStringBundle(nsIPrompt ** aPrompt,
         nsIStringBundle ** aStringBundle);
     NS_IMETHOD GetChildOffset(nsIDOMNode * aChild, nsIDOMNode * aParent,
         PRInt32 * aOffset);
     nsIScrollableFrame* GetRootScrollFrame();
@@ -517,21 +510,16 @@ protected:
     //
     // Helper method that is called when a new document (including any
     // sub-documents - ie. frames) has been completely loaded.
     //
     virtual nsresult EndPageLoad(nsIWebProgress * aProgress,
                                  nsIChannel * aChannel,
                                  nsresult aResult);
 
-    // Sets the current document's pending state object to the given SHEntry's
-    // state object.  The pending state object is eventually given to the page
-    // in the PopState event.
-    nsresult SetDocPendingStateObj(nsISHEntry *shEntry);
-
     nsresult CheckLoadingPermissions();
 
     // Security checks to prevent frameset spoofing.  See comments at
     // implementation sites.
     static PRBool CanAccessItem(nsIDocShellTreeItem* aTargetItem,
                                 nsIDocShellTreeItem* aAccessingItem,
                                 PRBool aConsiderOpener = PR_TRUE);
     static PRBool ValidateOrigin(nsIDocShellTreeItem* aOriginTreeItem,
--- a/docshell/base/nsDocShellLoadTypes.h
+++ b/docshell/base/nsDocShellLoadTypes.h
@@ -87,17 +87,16 @@ enum LoadType {
     LOAD_RELOAD_BYPASS_PROXY = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_RELOAD, nsIWebNavigation::LOAD_FLAGS_BYPASS_PROXY),
     LOAD_RELOAD_BYPASS_PROXY_AND_CACHE = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_RELOAD, nsIWebNavigation::LOAD_FLAGS_BYPASS_CACHE | nsIWebNavigation::LOAD_FLAGS_BYPASS_PROXY),
     LOAD_LINK = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_NORMAL, nsIWebNavigation::LOAD_FLAGS_IS_LINK),
     LOAD_REFRESH = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_NORMAL, nsIWebNavigation::LOAD_FLAGS_IS_REFRESH),
     LOAD_RELOAD_CHARSET_CHANGE = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_RELOAD, nsIWebNavigation::LOAD_FLAGS_CHARSET_CHANGE),
     LOAD_BYPASS_HISTORY = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_NORMAL, nsIWebNavigation::LOAD_FLAGS_BYPASS_HISTORY),
     LOAD_STOP_CONTENT = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_NORMAL, nsIWebNavigation::LOAD_FLAGS_STOP_CONTENT),
     LOAD_STOP_CONTENT_AND_REPLACE = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_NORMAL, nsIWebNavigation::LOAD_FLAGS_STOP_CONTENT | nsIWebNavigation::LOAD_FLAGS_REPLACE_HISTORY),
-    LOAD_PUSHSTATE = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_PUSHSTATE, nsIWebNavigation::LOAD_FLAGS_NONE),
     /**
      * Load type for an error page. These loads are never triggered by users of
      * Docshell. Instead, Docshell triggers the load itself when a
      * consumer-triggered load failed.
      */
     LOAD_ERROR_PAGE = MAKE_LOAD_TYPE(nsIDocShell::LOAD_CMD_NORMAL, LOAD_FLAGS_ERROR_PAGE)
 
     // NOTE: Adding a new value? Remember to update IsValidLoadType!
@@ -118,17 +117,16 @@ static inline PRBool IsValidLoadType(PRU
     case LOAD_RELOAD_BYPASS_PROXY:
     case LOAD_RELOAD_BYPASS_PROXY_AND_CACHE:
     case LOAD_LINK:
     case LOAD_REFRESH:
     case LOAD_RELOAD_CHARSET_CHANGE:
     case LOAD_BYPASS_HISTORY:
     case LOAD_STOP_CONTENT:
     case LOAD_STOP_CONTENT_AND_REPLACE:
-    case LOAD_PUSHSTATE:
     case LOAD_ERROR_PAGE:
         return PR_TRUE;
     }
     return PR_FALSE;
 }
 
 #endif // MOZILLA_INTERNAL_API
 #endif 
--- a/docshell/base/nsIDocShell.idl
+++ b/docshell/base/nsIDocShell.idl
@@ -64,19 +64,18 @@ interface nsISimpleEnumerator;
 interface nsIInputStream;
 interface nsIRequest;
 interface nsISHEntry;
 interface nsILayoutHistoryState;
 interface nsISecureBrowserUI;
 interface nsIDOMStorage;
 interface nsIPrincipal;
 interface nsIWebBrowserPrint;
-interface nsIVariant;
 
-[scriptable, uuid(3adde256-05a9-43a7-a190-f8fe75eecfd6)]
+[scriptable, uuid(c95eaff1-14e6-4db1-a806-46be97d5a9b6)]
 interface nsIDocShell : nsISupports
 {
   /**
    * Loads a given URI.  This will give priority to loading the requested URI
    * in the object implementing	this interface.  If it can't be loaded here
    * however, the URL dispatcher will go through its normal process of content
    * loading.
    *
@@ -166,23 +165,16 @@ interface nsIDocShell : nsISupports
                               in nsIInputStream aHeadersStream,
                               in unsigned long aLoadFlags,
                               in nsISHEntry aSHEntry,
                               in boolean firstParty,
                               out nsIDocShell aDocShell,
                               out nsIRequest aRequest);
 
   /**
-   * Do either a history.pushState() or history.replaceState() operation,
-   * depending on the value of aReplace.
-   */
-  void addState(in nsIVariant aData, in DOMString aTitle,
-                in DOMString aURL, in boolean aReplace);
-
-  /**
    * Creates a DocShellLoadInfo object that you can manipulate and then pass
    * to loadURI.
    */
   void createLoadInfo(out nsIDocShellLoadInfo loadInfo);
 
   /**
    * Reset state to a new content model within the current document and the document
    * viewer.  Called by the document before initiating an out of band document.write().
@@ -342,20 +334,19 @@ interface nsIDocShell : nsISupports
   const unsigned long BUSY_FLAGS_NONE             = 0;
   const unsigned long BUSY_FLAGS_BUSY             = 1;
   const unsigned long BUSY_FLAGS_BEFORE_PAGE_LOAD = 2;
   const unsigned long BUSY_FLAGS_PAGE_LOADING     = 4;
 
   /**
    * Load commands for the document 
    */
-  const unsigned long LOAD_CMD_NORMAL  = 0x1;   // Normal load
-  const unsigned long LOAD_CMD_RELOAD  = 0x2;   // Reload
-  const unsigned long LOAD_CMD_HISTORY = 0x4;   // Load from history
-  const unsigned long LOAD_CMD_PUSHSTATE = 0x8; // History.pushState()
+  const unsigned long LOAD_CMD_NORMAL  = 0x1; // Normal load
+  const unsigned long LOAD_CMD_RELOAD  = 0x2; // Reload
+  const unsigned long LOAD_CMD_HISTORY = 0x4; // Load from history
 
   readonly attribute unsigned long busyFlags;
 
   /* 
    * attribute to access the loadtype  for the document
    */
   attribute unsigned long  loadType;
 
--- a/docshell/base/nsIDocShellHistory.idl
+++ b/docshell/base/nsIDocShellHistory.idl
@@ -34,30 +34,29 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "nsISupports.idl"
 interface nsISHEntry;
 
-[scriptable, uuid(a89b80a8-3c44-4a25-9d2c-2fb42358b46e)]
+[scriptable, uuid(89caa9f0-8b1c-47fb-b0d3-f0aef0bff749)]
 interface nsIDocShellHistory : nsISupports
 {
   /**
    * Get the SHEntry associated with a child docshell
    */
   nsISHEntry getChildSHEntry(in long aChildOffset);
 
   /**
-   * Add a Child SHEntry for a frameset page, given the child's loadtype.
+   * Add a Child SHEntry for a frameset page
    */
   void addChildSHEntry(in nsISHEntry aCloneReference,
                        in nsISHEntry aHistoryEntry,
-                       in long aChildOffset,
-                       in unsigned long aLoadType);
+                       in long aChildOffset);
 
   /*
    * Whether this docshell should save entries in global history.
    */
   attribute boolean useGlobalHistory;
 };
 
--- a/docshell/shistory/public/nsISHEntry.idl
+++ b/docshell/shistory/public/nsISHEntry.idl
@@ -53,17 +53,17 @@ interface nsISupportsArray;
 %{C++
 struct nsIntRect;
 class nsDocShellEditorData;
 %}
 [ref] native nsIntRect(nsIntRect);
 [ptr] native nsDocShellEditorDataPtr(nsDocShellEditorData);
 
 
-[scriptable, uuid(62b0603f-57ca-439e-a0fb-6f6978500755)]
+[scriptable, uuid(09fecea6-5453-43ba-bf91-3ff32618f037)]
 interface nsISHEntry : nsIHistoryEntry
 {
     /** URI for the document */
     void setURI(in nsIURI aURI);
 
     /** Referrer URI */
     attribute nsIURI referrerURI;
 
@@ -144,31 +144,16 @@ interface nsISHEntry : nsIHistoryEntry
      * attached to the same docshell only if the two entries are entries for
      * the same page in the sense that one could go from the state represented
      * by one to the state represented by the other simply by scrolling (so the
      * entries are separated by an anchor traversal or a subframe navigation in
      * some other frame).
      */
     attribute unsigned long pageIdentifier;
 
-    /**
-     * docIdentifier is an integer that should be the same for two entries
-     * attached to the same docshell if and only if the two entries are entries
-     * for the same document.  In practice, two entries A and B will have the
-     * same docIdentifier if they have the same pageIdentifier or if B was
-     * created by A calling history.pushState().
-     */
-    attribute unsigned long long docIdentifier;
-
-    /**
-     * Changes this entry's doc identifier to a new value which is unique
-     * among those of all other entries.
-     */
-    void setUniqueDocIdentifier();
-
     /** attribute to set and get the cache key for the entry */
     attribute nsISupports cacheKey;
 
     /** attribute to indicate whether layoutHistoryState should be saved */
     attribute boolean saveLayoutStateFlag;
 
     /** attribute to indicate whether the page is already expired in cache */
     attribute boolean expirationStatus;
@@ -203,22 +188,16 @@ interface nsISHEntry : nsIHistoryEntry
     /**
      * Get the owner, if any, that was associated with the channel
      * that the document that was loaded to create this history entry
      * came from.
      */
     attribute nsISupports owner;
 
     /**
-     * Get/set data associated with this history state via a pushState() call,
-     * encoded as JSON.
-     **/
-    attribute AString stateData;
-
-    /**
      * Gets the owning pointer to the editor data assosicated with
      * this shistory entry. This forgets its pointer, so free it when
      * you're done.
      */
     [noscript, notxpcom] nsDocShellEditorDataPtr forgetEditorData();
 
     /**
      * Sets the owning pointer to the editor data assosicated with
--- a/docshell/shistory/src/nsSHEntry.cpp
+++ b/docshell/shistory/src/nsSHEntry.cpp
@@ -70,17 +70,16 @@ protected:
   virtual void NotifyExpired(nsSHEntry* aObj) {
     RemoveObject(aObj);
     aObj->Expire();
   }
 };
 
 static HistoryTracker *gHistoryTracker = nsnull;
 static PRUint32 gEntryID = 0;
-static PRUint64 gEntryDocIdentifier = 0;
 
 nsresult nsSHEntry::Startup()
 {
   gHistoryTracker = new HistoryTracker();
   return gHistoryTracker ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
 
 void nsSHEntry::Shutdown()
@@ -100,17 +99,16 @@ static void StopTrackingEntry(nsSHEntry 
 //***    nsSHEntry: Object Management
 //*****************************************************************************
 
 
 nsSHEntry::nsSHEntry() 
   : mLoadType(0)
   , mID(gEntryID++)
   , mPageIdentifier(mID)
-  , mDocIdentifier(gEntryDocIdentifier++)
   , mScrollPositionX(0)
   , mScrollPositionY(0)
   , mIsFrameNavigation(PR_FALSE)
   , mSaveLayoutState(PR_TRUE)
   , mExpired(PR_FALSE)
   , mSticky(PR_TRUE)
   , mParent(nsnull)
   , mViewerBounds(0, 0, 0, 0)
@@ -122,17 +120,16 @@ nsSHEntry::nsSHEntry(const nsSHEntry &ot
   , mReferrerURI(other.mReferrerURI)
   // XXX why not copy mDocument?
   , mTitle(other.mTitle)
   , mPostData(other.mPostData)
   , mLayoutHistoryState(other.mLayoutHistoryState)
   , mLoadType(0)         // XXX why not copy?
   , mID(other.mID)
   , mPageIdentifier(other.mPageIdentifier)
-  , mDocIdentifier(other.mDocIdentifier)
   , mScrollPositionX(0)  // XXX why not copy?
   , mScrollPositionY(0)  // XXX why not copy?
   , mIsFrameNavigation(other.mIsFrameNavigation)
   , mSaveLayoutState(other.mSaveLayoutState)
   , mExpired(other.mExpired)
   , mSticky(PR_TRUE)
   // XXX why not copy mContentType?
   , mCacheKey(other.mCacheKey)
@@ -391,40 +388,16 @@ NS_IMETHODIMP nsSHEntry::GetPageIdentifi
 }
 
 NS_IMETHODIMP nsSHEntry::SetPageIdentifier(PRUint32 aPageIdentifier)
 {
   mPageIdentifier = aPageIdentifier;
   return NS_OK;
 }
 
-NS_IMETHODIMP nsSHEntry::GetDocIdentifier(PRUint64 * aResult)
-{
-  *aResult = mDocIdentifier;
-  return NS_OK;
-}
-
-NS_IMETHODIMP nsSHEntry::SetDocIdentifier(PRUint64 aDocIdentifier)
-{
-  // This ensures that after a session restore, gEntryDocIdentifier is greater
-  // than all SHEntries' docIdentifiers, which ensures that we'll never repeat
-  // a doc identifier.
-  if (aDocIdentifier >= gEntryDocIdentifier)
-    gEntryDocIdentifier = aDocIdentifier + 1;
-
-  mDocIdentifier = aDocIdentifier;
-  return NS_OK;
-}
-
-NS_IMETHODIMP nsSHEntry::SetUniqueDocIdentifier()
-{
-  mDocIdentifier = gEntryDocIdentifier++;
-  return NS_OK;
-}
-
 NS_IMETHODIMP nsSHEntry::GetIsSubFrame(PRBool * aFlag)
 {
   *aFlag = mIsFrameNavigation;
   return NS_OK;
 }
 
 NS_IMETHODIMP nsSHEntry::SetIsSubFrame(PRBool  aFlag)
 {
@@ -492,17 +465,17 @@ nsSHEntry::Create(nsIURI * aURI, const n
                   nsISupports* aOwner)
 {
   mURI = aURI;
   mTitle = aTitle;
   mPostData = aInputStream;
   mCacheKey = aCacheKey;
   mContentType = aContentType;
   mOwner = aOwner;
-
+    
   // Set the LoadType by default to loadHistory during creation
   mLoadType = (PRUint32) nsIDocShellLoadInfo::loadHistory;
 
   // By default all entries are set false for subframe flag. 
   // nsDocShell::CloneAndReplace() which creates entries for
   // all subframe navigations, sets the flag to true.
   mIsFrameNavigation = PR_FALSE;
 
@@ -888,22 +861,8 @@ nsSHEntry::SetEditorData(nsDocShellEdito
 }
 
 PRBool
 nsSHEntry::HasDetachedEditor()
 {
   return mEditorData != nsnull;
 }
 
-NS_IMETHODIMP
-nsSHEntry::GetStateData(nsAString &aStateData)
-{
-  aStateData.Assign(mStateData);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSHEntry::SetStateData(const nsAString &aDataStr)
-{
-  mStateData.Assign(aDataStr);
-  return NS_OK;
-}
-
--- a/docshell/shistory/src/nsSHEntry.h
+++ b/docshell/shistory/src/nsSHEntry.h
@@ -91,32 +91,30 @@ private:
   nsCOMPtr<nsIURI>                mURI;
   nsCOMPtr<nsIURI>                mReferrerURI;
   nsCOMPtr<nsIContentViewer>      mContentViewer;
   nsCOMPtr<nsIDocument>           mDocument; // document currently being observed
   nsString                        mTitle;
   nsCOMPtr<nsIInputStream>        mPostData;
   nsCOMPtr<nsILayoutHistoryState> mLayoutHistoryState;
   nsCOMArray<nsISHEntry>          mChildren;
-  PRUint32                        mLoadType;
+  PRUint32                        mLoadType;  
   PRUint32                        mID;
   PRUint32                        mPageIdentifier;
-  PRInt64                         mDocIdentifier;
   PRInt32                         mScrollPositionX;
   PRInt32                         mScrollPositionY;
   PRPackedBool                    mIsFrameNavigation;
   PRPackedBool                    mSaveLayoutState;
   PRPackedBool                    mExpired;
   PRPackedBool                    mSticky;
   nsCString                       mContentType;
   nsCOMPtr<nsISupports>           mCacheKey;
   nsISHEntry *                    mParent;  // weak reference
   nsCOMPtr<nsISupports>           mWindowState;
   nsIntRect                       mViewerBounds;
   nsCOMArray<nsIDocShellTreeItem> mChildShells;
   nsCOMPtr<nsISupportsArray>      mRefreshURIList;
   nsCOMPtr<nsISupports>           mOwner;
   nsExpirationState               mExpirationState;
   nsAutoPtr<nsDocShellEditorData> mEditorData;
-  nsString                        mStateData;
 };
 
 #endif /* nsSHEntry_h */
--- a/docshell/shistory/src/nsSHistory.cpp
+++ b/docshell/shistory/src/nsSHistory.cpp
@@ -473,36 +473,35 @@ nsSHistory::PrintHistory()
     nsCOMPtr<nsISHEntry>  entry;
     rv = txn->GetSHEntry(getter_AddRefs(entry));
     if (NS_FAILED(rv) && !entry)
       return NS_ERROR_FAILURE;
 
     nsCOMPtr<nsILayoutHistoryState> layoutHistoryState;
     nsCOMPtr<nsIURI>  uri;
     nsXPIDLString title;
-
+              
     entry->GetLayoutHistoryState(getter_AddRefs(layoutHistoryState));
     nsCOMPtr<nsIHistoryEntry> hEntry(do_QueryInterface(entry));
     if (hEntry) {
       hEntry->GetURI(getter_AddRefs(uri));
       hEntry->GetTitle(getter_Copies(title));              
     }
 
 #if 0
     nsCAutoString url;
     if (uri)
      uri->GetSpec(url);
 
     printf("**** SH Transaction #%d, Entry = %x\n", index, entry.get());
-    printf("\t\t URL = %s\n", url.get());
-
+    printf("\t\t URL = %s\n", url);
     printf("\t\t Title = %s\n", NS_LossyConvertUTF16toASCII(title).get());
-    printf("\t\t layout History Data = %x\n", layoutHistoryState.get());
+    printf("\t\t layout History Data = %x\n", layoutHistoryState);
 #endif
-
+      
     nsCOMPtr<nsISHTransaction> next;
     rv = txn->GetNext(getter_AddRefs(next));
     if (NS_SUCCEEDED(rv) && next) {
       txn = next;
       index++;
       continue;
     }
     else
@@ -860,17 +859,17 @@ nsSHistory::EvictContentViewersInRange(P
     trans->GetSHEntry(getter_AddRefs(entry));
     nsCOMPtr<nsIContentViewer> viewer;
     nsCOMPtr<nsISHEntry> ownerEntry;
     entry->GetAnyContentViewer(getter_AddRefs(ownerEntry),
                                getter_AddRefs(viewer));
     if (viewer) {
       NS_ASSERTION(ownerEntry,
                    "ContentViewer exists but its SHEntry is null");
-#ifdef DEBUG_PAGE_CACHE
+#ifdef DEBUG_PAGE_CACHE 
       nsCOMPtr<nsIURI> uri;
       ownerEntry->GetURI(getter_AddRefs(uri));
       nsCAutoString spec;
       if (uri)
         uri->GetSpec(spec);
 
       printf("per SHistory limit: evicting content viewer: %s\n", spec.get());
 #endif
@@ -1145,33 +1144,33 @@ NS_IMETHODIMP
 nsSHistory::LoadEntry(PRInt32 aIndex, long aLoadType, PRUint32 aHistCmd)
 {
   nsCOMPtr<nsIDocShell> docShell;
   nsCOMPtr<nsISHEntry> shEntry;
   // Keep note of requested history index in mRequestedIndex.
   mRequestedIndex = aIndex;
 
   nsCOMPtr<nsISHEntry> prevEntry;
-  GetEntryAtIndex(mIndex, PR_FALSE, getter_AddRefs(prevEntry));
-
-  nsCOMPtr<nsISHEntry> nextEntry;
+  GetEntryAtIndex(mIndex, PR_FALSE, getter_AddRefs(prevEntry));  
+   
+  nsCOMPtr<nsISHEntry> nextEntry;   
   GetEntryAtIndex(mRequestedIndex, PR_FALSE, getter_AddRefs(nextEntry));
   nsCOMPtr<nsIHistoryEntry> nHEntry(do_QueryInterface(nextEntry));
-  if (!nextEntry || !prevEntry || !nHEntry) {
+  if (!nextEntry || !prevEntry || !nHEntry) {    
     mRequestedIndex = -1;
     return NS_ERROR_FAILURE;
   }
-
+  
   // Send appropriate listener notifications
   PRBool canNavigate = PR_TRUE;
   // Get the uri for the entry we are about to visit
   nsCOMPtr<nsIURI> nextURI;
   nHEntry->GetURI(getter_AddRefs(nextURI));
-
-  if(mListener) {
+ 
+  if(mListener) {    
     nsCOMPtr<nsISHistoryListener> listener(do_QueryReferent(mListener));
     if (listener) {
       if (aHistCmd == HIST_CMD_BACK) {
         // We are going back one entry. Send GoBack notifications
         listener->OnHistoryGoBack(nextURI, &canNavigate);
       }
       else if (aHistCmd == HIST_CMD_FORWARD) {
         // We are going forward. Send GoForward notification
@@ -1218,28 +1217,31 @@ nsSHistory::LoadEntry(PRInt32 aIndex, lo
         mRequestedIndex = -1;
         return NS_ERROR_FAILURE; 
       }
       return rv;
     }   // (pCount >0)
     else
       docShell = mRootDocShell;
     }
+  
 
   if (!docShell) {
     // we did not successfully go to the proper index.
     // return error.
     mRequestedIndex = -1;
     return NS_ERROR_FAILURE;
   }
 
   // Start the load on the appropriate docshell
   return InitiateLoad(nextEntry, docShell, aLoadType);
 }
 
+
+
 nsresult
 nsSHistory::CompareFrames(nsISHEntry * aPrevEntry, nsISHEntry * aNextEntry, nsIDocShell * aParent, long aLoadType, PRBool * aIsFrameFound)
 {
   if (!aPrevEntry || !aNextEntry || !aParent)
     return PR_FALSE;
 
   nsresult result = NS_OK;
   PRUint32 prevID, nextID;
--- a/docshell/shistory/src/nsSHistory.h
+++ b/docshell/shistory/src/nsSHistory.h
@@ -61,17 +61,17 @@ class nsIDocShell;
 class nsSHEnumerator;
 class nsSHistoryObserver;
 class nsSHistory: public PRCList,
                   public nsISHistory,
                   public nsISHistoryInternal,
                   public nsIWebNavigation
 {
 public:
-  nsSHistory();
+	nsSHistory();
 
   NS_DECL_ISUPPORTS
   NS_DECL_NSISHISTORY
   NS_DECL_NSISHISTORYINTERNAL
   NS_DECL_NSIWEBNAVIGATION
 
   // One time initialization method called upon docshell module construction
   static nsresult Startup();
@@ -89,17 +89,17 @@ protected:
 
    // Could become part of nsIWebNavigation
    NS_IMETHOD GetEntryAtIndex(PRInt32 aIndex, PRBool aModifyIndex, nsISHEntry** aResult);
    NS_IMETHOD GetTransactionAtIndex(PRInt32 aIndex, nsISHTransaction ** aResult);
    nsresult CompareFrames(nsISHEntry * prevEntry, nsISHEntry * nextEntry, nsIDocShell * rootDocShell, long aLoadType, PRBool * aIsFrameFound);
    nsresult InitiateLoad(nsISHEntry * aFrameEntry, nsIDocShell * aFrameDS, long aLoadType);
 
    NS_IMETHOD LoadEntry(PRInt32 aIndex, long aLoadType, PRUint32 histCmd);
-
+	
 #ifdef DEBUG
    nsresult PrintHistory();
 #endif
 
   // Evict the viewers at indices between aStartIndex and aEndIndex,
   // including aStartIndex but not aEndIndex.
   void EvictContentViewersInRange(PRInt32 aStartIndex, PRInt32 aEndIndex);
   void EvictWindowContentViewers(PRInt32 aFromIndex, PRInt32 aToIndex);
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -77,17 +77,16 @@
 #include "nsIDOMDocument.h"
 #include "nsIDOM3Document.h"
 #include "nsIDOMXMLDocument.h"
 #include "nsIDOMNSDocument.h"
 #include "nsIDOMEvent.h"
 #include "nsIDOMNSEvent.h"
 #include "nsIDOMKeyEvent.h"
 #include "nsIDOMEventListener.h"
-#include "nsIDOMPopStateEvent.h"
 #include "nsContentUtils.h"
 #include "nsDOMWindowUtils.h"
 
 // Window scriptable helper includes
 #include "nsIDocShell.h"
 #include "nsIDocShellTreeItem.h"
 #include "nsIDocShellTreeNode.h"
 #include "nsIScriptExternalNameSet.h"
@@ -1326,25 +1325,23 @@ static nsDOMClassInfoData sClassInfoData
 
   NS_DEFINE_CLASSINFO_DATA(PaintRequest, nsDOMGenericSH,
                            DOM_DEFAULT_SCRIPTABLE_FLAGS)
   NS_DEFINE_CLASSINFO_DATA(PaintRequestList, nsPaintRequestListSH,
                            ARRAY_SCRIPTABLE_FLAGS)
 
   NS_DEFINE_CLASSINFO_DATA(ScrollAreaEvent, nsDOMGenericSH,
                            DOM_DEFAULT_SCRIPTABLE_FLAGS)
-  NS_DEFINE_CLASSINFO_DATA(PopStateEvent, nsDOMGenericSH,
-                           DOM_DEFAULT_SCRIPTABLE_FLAGS)
   NS_DEFINE_CLASSINFO_DATA(EventListenerInfo, nsDOMGenericSH,
                            DOM_DEFAULT_SCRIPTABLE_FLAGS)
   NS_DEFINE_CLASSINFO_DATA(TransitionEvent, nsDOMGenericSH,
                            DOM_DEFAULT_SCRIPTABLE_FLAGS)
 };
 
-// Objects that should be constructable through |new Name();|
+// Objects that shuld be constructable through |new Name();|
 struct nsContractIDMapData
 {
   PRInt32 mDOMClassInfoID;
   const char *mContractID;
 };
 
 #define NS_DEFINE_CONSTRUCTOR_DATA(_class, _contract_id)                      \
   { eDOMClassInfo_##_class##_id, _contract_id },
@@ -1418,17 +1415,16 @@ jsval nsDOMClassInfo::sOnkeypress_id    
 jsval nsDOMClassInfo::sOnmousemove_id     = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnfocus_id         = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnblur_id          = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnsubmit_id        = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnreset_id         = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnchange_id        = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnselect_id        = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnload_id          = JSVAL_VOID;
-jsval nsDOMClassInfo::sOnpopstate_id      = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnbeforeunload_id  = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnunload_id        = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnhashchange_id    = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnpageshow_id      = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnpagehide_id      = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnabort_id         = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnerror_id         = JSVAL_VOID;
 jsval nsDOMClassInfo::sOnpaint_id         = JSVAL_VOID;
@@ -1613,17 +1609,16 @@ nsDOMClassInfo::DefineStaticJSVals(JSCon
   SET_JSVAL_TO_STRING(sOnmousemove_id,     cx, "onmousemove");
   SET_JSVAL_TO_STRING(sOnfocus_id,         cx, "onfocus");
   SET_JSVAL_TO_STRING(sOnblur_id,          cx, "onblur");
   SET_JSVAL_TO_STRING(sOnsubmit_id,        cx, "onsubmit");
   SET_JSVAL_TO_STRING(sOnreset_id,         cx, "onreset");
   SET_JSVAL_TO_STRING(sOnchange_id,        cx, "onchange");
   SET_JSVAL_TO_STRING(sOnselect_id,        cx, "onselect");
   SET_JSVAL_TO_STRING(sOnload_id,          cx, "onload");
-  SET_JSVAL_TO_STRING(sOnpopstate_id,      cx, "onpopstate");
   SET_JSVAL_TO_STRING(sOnbeforeunload_id,  cx, "onbeforeunload");
   SET_JSVAL_TO_STRING(sOnunload_id,        cx, "onunload");
   SET_JSVAL_TO_STRING(sOnhashchange_id,    cx, "onhashchange");
   SET_JSVAL_TO_STRING(sOnpageshow_id,      cx, "onpageshow");
   SET_JSVAL_TO_STRING(sOnpagehide_id,      cx, "onpagehide");
   SET_JSVAL_TO_STRING(sOnabort_id,         cx, "onabort");
   SET_JSVAL_TO_STRING(sOnerror_id,         cx, "onerror");
   SET_JSVAL_TO_STRING(sOnpaint_id,         cx, "onpaint");
@@ -2232,21 +2227,16 @@ nsDOMClassInfo::Init()
 
   DOM_CLASSINFO_MAP_BEGIN(DragEvent, nsIDOMDragEvent)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMDragEvent)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMMouseEvent)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMNSMouseEvent)
     DOM_CLASSINFO_UI_EVENT_MAP_ENTRIES
   DOM_CLASSINFO_MAP_END
 
-  DOM_CLASSINFO_MAP_BEGIN(PopStateEvent, nsIDOMPopStateEvent)
-    DOM_CLASSINFO_MAP_ENTRY(nsIDOMPopStateEvent)
-    DOM_CLASSINFO_EVENT_MAP_ENTRIES
-  DOM_CLASSINFO_MAP_END
-
   DOM_CLASSINFO_MAP_BEGIN(HTMLDocument, nsIDOMHTMLDocument)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMHTMLDocument)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMNSHTMLDocument)
     DOM_CLASSINFO_DOCUMENT_MAP_ENTRIES
   DOM_CLASSINFO_MAP_END
 
   DOM_CLASSINFO_MAP_BEGIN(HTMLOptionsCollection, nsIDOMHTMLOptionsCollection)
     // Order is significant.  nsIDOMHTMLOptionsCollection.length shadows
@@ -7332,18 +7322,17 @@ nsEventReceiverSH::ReallyIsEventName(jsv
   case 'h' :
     return id == sOnhashchange_id;
   case 'l' :
     return id == sOnload_id;
   case 'p' :
     return (id == sOnpaint_id        ||
             id == sOnpageshow_id     ||
             id == sOnpagehide_id     ||
-            id == sOnpaste_id        ||
-            id == sOnpopstate_id);
+            id == sOnpaste_id);
   case 'k' :
     return (id == sOnkeydown_id      ||
             id == sOnkeypress_id     ||
             id == sOnkeyup_id);
   case 'u' :
     return id == sOnunload_id;
   case 'm' :
     return (id == sOnmousemove_id    ||
--- a/dom/base/nsDOMClassInfo.h
+++ b/dom/base/nsDOMClassInfo.h
@@ -322,17 +322,16 @@ protected:
   static jsval sOnmousemove_id;
   static jsval sOnfocus_id;
   static jsval sOnblur_id;
   static jsval sOnsubmit_id;
   static jsval sOnreset_id;
   static jsval sOnchange_id;
   static jsval sOnselect_id;
   static jsval sOnload_id;
-  static jsval sOnpopstate_id;
   static jsval sOnbeforeunload_id;
   static jsval sOnunload_id;
   static jsval sOnhashchange_id;
   static jsval sOnpageshow_id;
   static jsval sOnpagehide_id;
   static jsval sOnabort_id;
   static jsval sOnerror_id;
   static jsval sOnpaint_id;
--- a/dom/base/nsDOMClassInfoID.h
+++ b/dom/base/nsDOMClassInfoID.h
@@ -468,17 +468,16 @@ enum nsDOMClassInfoID {
   eDOMClassInfo_WebGLShader_id,
   eDOMClassInfo_WebGLFramebuffer_id,
   eDOMClassInfo_WebGLRenderbuffer_id,
 
   eDOMClassInfo_PaintRequest_id,
   eDOMClassInfo_PaintRequestList_id,
 
   eDOMClassInfo_ScrollAreaEvent_id,
-  eDOMClassInfo_PopStateEvent_id,
 
   eDOMClassInfo_EventListenerInfo_id,
 
   eDOMClassInfo_TransitionEvent_id,
 
   // This one better be the last one in this list
   eDOMClassInfoIDCount
 };
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -74,17 +74,16 @@
 #include "nsPluginArray.h"
 #include "nsIPluginHost.h"
 #include "nsGeolocation.h"
 #include "nsContentCID.h"
 #include "nsLayoutStatics.h"
 #include "nsCycleCollector.h"
 #include "nsCCUncollectableMarker.h"
 #include "nsDOMThreadService.h"
-#include "nsAutoJSValHolder.h"
 
 // Interfaces Needed
 #include "nsIFrame.h"
 #include "nsCanvasFrame.h"
 #include "nsIWidget.h"
 #include "nsIBaseWindow.h"
 #include "nsIAccelerometer.h"
 #include "nsWidgetsCID.h"
@@ -108,17 +107,16 @@
 #include "nsIDOMElement.h"
 #include "nsIDOMDocumentEvent.h"
 #include "nsIDOMEvent.h"
 #include "nsIDOMHTMLDocument.h"
 #include "nsIDOMHTMLElement.h"
 #include "nsIDOMKeyEvent.h"
 #include "nsIDOMMessageEvent.h"
 #include "nsIDOMPopupBlockedEvent.h"
-#include "nsIDOMPopStateEvent.h"
 #include "nsIDOMOfflineResourceList.h"
 #include "nsIDOMGeoGeolocation.h"
 #include "nsPIDOMStorage.h"
 #include "nsDOMString.h"
 #include "nsIEmbeddingSiteWindow2.h"
 #include "nsThreadUtils.h"
 #include "nsIEventStateManager.h"
 #include "nsIHttpProtocolHandler.h"
@@ -166,17 +164,16 @@
 #include "nsCSSProps.h"
 #include "nsIURIFixup.h"
 #include "nsCDefaultURIFixup.h"
 #include "nsEventDispatcher.h"
 #include "nsIObserverService.h"
 #include "nsIXULAppInfo.h"
 #include "nsNetUtil.h"
 #include "nsFocusManager.h"
-#include "nsIJSON.h"
 #ifdef MOZ_XUL
 #include "nsXULPopupManager.h"
 #include "nsIDOMXULControlElement.h"
 #include "nsIFrame.h"
 #endif
 
 #include "plbase64.h"
 
@@ -359,18 +356,16 @@ static PRBool               gDOMWindowDu
 // CIDs
 static NS_DEFINE_CID(kXULControllersCID, NS_XULCONTROLLERS_CID);
 
 static const char sJSStackContractID[] = "@mozilla.org/js/xpc/ContextStack;1";
 
 static const char kCryptoContractID[] = NS_CRYPTO_CONTRACTID;
 static const char kPkcs11ContractID[] = NS_PKCS11_CONTRACTID;
 
-static const char sPopStatePrefStr[] = "browser.history.allowPopState";
-
 static PRBool
 IsAboutBlank(nsIURI* aURI)
 {
   NS_PRECONDITION(aURI, "Must have URI");
     
   // GetSpec can be expensive for some URIs, so check the scheme first.
   PRBool isAbout = PR_FALSE;
   if (NS_FAILED(aURI->SchemeIs("about", &isAbout)) || !isAbout) {
@@ -6978,138 +6973,26 @@ nsresult
 nsGlobalWindow::DispatchSyncHashchange()
 {
   FORWARD_TO_INNER(DispatchSyncHashchange, (), NS_OK);
   NS_ASSERTION(nsContentUtils::IsSafeToRunScript(),
                "Must be safe to run script here.");
 
   // Don't do anything if the window is frozen.
   if (IsFrozen())
-    return NS_OK;
+      return NS_OK;
 
   // Dispatch the hashchange event, which doesn't bubble and isn't cancelable,
   // to the outer window.
   return nsContentUtils::DispatchTrustedEvent(mDoc, GetOuterWindow(),
                                               NS_LITERAL_STRING("hashchange"),
                                               PR_FALSE, PR_FALSE);
 }
 
-nsresult
-nsGlobalWindow::DispatchSyncPopState()
-{
-  FORWARD_TO_INNER(DispatchSyncPopState, (), NS_OK);
-
-  NS_ASSERTION(nsContentUtils::IsSafeToRunScript(),
-               "Must be safe to run script here.");
-
-  // Check that PopState hasn't been pref'ed off.
-  if (!nsContentUtils::GetBoolPref(sPopStatePrefStr, PR_FALSE))
-    return NS_OK;
-
-  nsresult rv = NS_OK;
-
-  // Bail if the window is frozen.
-  if (IsFrozen()) {
-    return NS_OK;
-  }
-
-  // Bail if there's no document or the document's readystate isn't "complete".
-  if (!mDoc) {
-    return NS_OK;
-  }
-
-  nsIDocument::ReadyState readyState = mDoc->GetReadyStateEnum();
-  if (readyState != nsIDocument::READYSTATE_COMPLETE) {
-    return NS_OK;
-  }
-
-  // Get the document's pending state object -- it contains the data we're
-  // going to send along with the popstate event.  The object is serialized as
-  // JSON.
-  nsAString& stateObjJSON = mDoc->GetPendingStateObject();
-
-  nsCOMPtr<nsIVariant> stateObj;
-  // Parse the JSON, if there's any to parse.
-  if (!stateObjJSON.IsEmpty()) {
-    // Get the JSContext associated with our document. We need this for
-    // deserialization.
-    nsCOMPtr<nsIDocument> document = do_QueryInterface(mDocument);
-    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);
-
-    // Get the JSContext from the document, like we do in
-    // nsContentUtils::GetContextFromDocument().
-    nsIScriptGlobalObject *sgo = document->GetScopeObject();
-    NS_ENSURE_TRUE(sgo, NS_ERROR_FAILURE);
-
-    nsIScriptContext *scx = sgo->GetContext();
-    NS_ENSURE_TRUE(scx, NS_ERROR_FAILURE);
-
-    JSContext *cx = (JSContext*) scx->GetNativeContext();
-
-    // If our json call triggers a JS-to-C++ call, we want that call to use cx
-    // as the context.  So we push cx onto the context stack.
-    nsCxPusher cxPusher;
-
-    jsval jsStateObj = JSVAL_NULL;
-    // Root the container which will hold our decoded state object.
-    nsAutoGCRoot(&jsStateObj, &rv);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // Deserialize the state object into an nsIVariant.
-    nsCOMPtr<nsIJSON> json = do_GetService("@mozilla.org/dom/json;1");
-    NS_ENSURE_TRUE(cxPusher.Push(cx), NS_ERROR_FAILURE);
-    rv = json->DecodeToJSVal(stateObjJSON, cx, &jsStateObj);
-    NS_ENSURE_SUCCESS(rv, rv);
-    cxPusher.Pop();
-
-    nsCOMPtr<nsIXPConnect> xpconnect = do_GetService(nsIXPConnect::GetCID());
-    NS_ENSURE_TRUE(xpconnect, NS_ERROR_FAILURE);
-    rv = xpconnect->JSValToVariant(cx, &jsStateObj, getter_AddRefs(stateObj));
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
-  // Obtain a presentation shell for use in creating a popstate event.
-  nsIPresShell *shell = mDoc->GetPrimaryShell();
-  nsCOMPtr<nsPresContext> presContext;
-  if (shell) {
-    presContext = shell->GetPresContext();
-  }
-
-  // Create a new popstate event
-  nsCOMPtr<nsIDOMEvent> domEvent;
-  rv = nsEventDispatcher::CreateEvent(presContext, nsnull,
-                                      NS_LITERAL_STRING("popstateevent"),
-                                      getter_AddRefs(domEvent));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCOMPtr<nsIPrivateDOMEvent> privateEvent = do_QueryInterface(domEvent);
-  NS_ENSURE_TRUE(privateEvent, NS_ERROR_FAILURE);
-
-  // Initialize the popstate event, which does bubble but isn't cancellable.
-  nsCOMPtr<nsIDOMPopStateEvent> popstateEvent = do_QueryInterface(domEvent);
-  rv = popstateEvent->InitPopStateEvent(NS_LITERAL_STRING("popstate"),
-                                        PR_TRUE, PR_FALSE,
-                                        stateObj);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = privateEvent->SetTrusted(PR_TRUE);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCOMPtr<nsIDOMEventTarget> outerWindow =
-    do_QueryInterface(GetOuterWindow());
-  NS_ENSURE_TRUE(outerWindow, NS_ERROR_UNEXPECTED);
-
-  rv = privateEvent->SetTarget(outerWindow);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  PRBool dummy; // default action
-  return DispatchEvent(popstateEvent, &dummy);
-}
-
-// Find an nsICanvasFrame under aFrame.  Only search the principal
+// Find an nsCanvasFrame under aFrame.  Only search the principal
 // child lists.  aFrame must be non-null.
 static nsCanvasFrame* FindCanvasFrame(nsIFrame* aFrame)
 {
     nsCanvasFrame* canvasFrame = do_QueryFrame(aFrame);
     if (canvasFrame) {
         return canvasFrame;
     }
 
--- a/dom/base/nsGlobalWindow.h
+++ b/dom/base/nsGlobalWindow.h
@@ -443,18 +443,16 @@ public:
   virtual NS_HIDDEN_(void)
     CacheXBLPrototypeHandler(nsXBLPrototypeHandler* aKey,
                              nsScriptObjectHolder& aHandler);
 
   virtual PRBool TakeFocus(PRBool aFocus, PRUint32 aFocusMethod);
   virtual void SetReadyForFocus();
   virtual void PageHidden();
   virtual nsresult DispatchSyncHashchange();
-  virtual nsresult DispatchSyncPopState();
-
   virtual nsresult SetArguments(nsIArray *aArguments, nsIPrincipal *aOrigin);
 
   static PRBool DOMWindowDumpEnabled();
 
 protected:
   // Object Management
   virtual ~nsGlobalWindow();
   void CleanUp();
--- a/dom/base/nsHistory.cpp
+++ b/dom/base/nsHistory.cpp
@@ -52,23 +52,16 @@
 #include "nsIHistoryEntry.h"
 #include "nsIURI.h"
 #include "nsIServiceManager.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsXPIDLString.h"
 #include "nsReadableUtils.h"
 #include "nsDOMClassInfo.h"
 #include "nsContentUtils.h"
-#include "nsIDOMNSDocument.h"
-#include "nsISHistoryInternal.h"
-
-static const char* sAllowPushStatePrefStr  =
-  "browser.history.allowPushState";
-static const char* sAllowReplaceStatePrefStr =
-  "browser.history.allowReplaceState";
 
 //
 //  History class implementation 
 //
 nsHistory::nsHistory(nsIDocShell* aDocShell) : mDocShell(aDocShell)
 {
 }
 
@@ -260,72 +253,31 @@ nsHistory::Go(PRInt32 aDelta)
   NS_ENSURE_TRUE(session_history, NS_ERROR_FAILURE);
 
   // QI SHistory to nsIWebNavigation
   nsCOMPtr<nsIWebNavigation> webnav(do_QueryInterface(session_history));
   NS_ENSURE_TRUE(webnav, NS_ERROR_FAILURE);
 
   PRInt32 curIndex=-1;
   PRInt32 len = 0;
-  nsresult rv = session_history->GetIndex(&curIndex);
+  nsresult rv = session_history->GetIndex(&curIndex);  
   rv = session_history->GetCount(&len);
 
   PRInt32 index = curIndex + aDelta;
   if (index > -1  &&  index < len)
     webnav->GotoIndex(index);
 
   // We always want to return a NS_OK, since returning errors 
   // from GotoIndex() can lead to exceptions and a possible leak
   // of history length
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsHistory::PushState(nsIVariant *aData, const nsAString& aTitle,
-                     const nsAString& aURL)
-{
-  // Check that PushState hasn't been pref'ed off.
-  if (!nsContentUtils::GetBoolPref(sAllowPushStatePrefStr, PR_FALSE))
-    return NS_OK;
-
-  NS_ENSURE_TRUE(mDocShell, NS_ERROR_FAILURE);
-
-  // AddState might run scripts, so we need to hold a strong reference to the
-  // docShell here to keep it from going away.
-  nsCOMPtr<nsIDocShell> docShell = mDocShell;
-
-  // PR_FALSE tells the docshell to add a new history entry instead of
-  // modifying the current one.
-  nsresult rv = mDocShell->AddState(aData, aTitle, aURL, PR_FALSE);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsHistory::ReplaceState(nsIVariant *aData, const nsAString& aTitle,
-                        const nsAString& aURL)
-{
-  // Check that ReplaceState hasn't been pref'ed off
-  if (!nsContentUtils::GetBoolPref(sAllowReplaceStatePrefStr, PR_FALSE))
-    return NS_OK;
-
-  NS_ENSURE_TRUE(mDocShell, NS_ERROR_FAILURE);
-
-  // As in PushState(), we need to keep a strong reference to the docShell
-  // here.
-  nsCOMPtr<nsIDocShell> docShell = mDocShell;
-
-  // PR_TRUE tells the docshell to modify the current SHEntry, rather than
-  // create a new one.
-  return mDocShell->AddState(aData, aTitle, aURL, PR_TRUE);
-}
-
-NS_IMETHODIMP
 nsHistory::Item(PRUint32 aIndex, nsAString& aReturn)
 {
   aReturn.Truncate();
 
   nsresult rv = NS_OK;
   nsCOMPtr<nsISHistory>  session_history;
 
   GetSessionHistoryFromDocShell(mDocShell, getter_AddRefs(session_history));
--- a/dom/base/nsLocation.cpp
+++ b/dom/base/nsLocation.cpp
@@ -189,16 +189,17 @@ nsLocation::CheckURL(nsIURI* aURI, nsIDo
     return NS_ERROR_FAILURE;
 
   JSContext *cx;
 
   if (NS_FAILED(GetContextFromStack(stack, &cx)))
     return NS_ERROR_FAILURE;
 
   nsCOMPtr<nsISupports> owner;
+  nsCOMPtr<nsIURI> sourceURI;
 
   if (cx) {
     // No cx means that there's no JS running, or at least no JS that
     // was run through code that properly pushed a context onto the
     // context stack (as all code that runs JS off of web pages
     // does). We won't bother with security checks in this case, but
     // we need to create the loadinfo etc.
 
@@ -216,31 +217,30 @@ nsLocation::CheckURL(nsIURI* aURI, nsIDo
       return result;
 
     // Now get the principal to use when loading the URI
     nsCOMPtr<nsIPrincipal> principal;
     if (NS_FAILED(secMan->GetSubjectPrincipal(getter_AddRefs(principal))) ||
         !principal)
       return NS_ERROR_FAILURE;
     owner = do_QueryInterface(principal);
+    principal->GetURI(getter_AddRefs(sourceURI));
   }
 
   // Create load info
   nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
   docShell->CreateLoadInfo(getter_AddRefs(loadInfo));
   NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
 
   loadInfo->SetOwner(owner);
 
-  // Now set the referrer on the loadinfo.  We need to do this in order to get
-  // the correct referrer URI from a document which was pushStated.
-  nsCOMPtr<nsIURI> sourceURI;
-  result = GetURI(getter_AddRefs(sourceURI));
-  if (NS_SUCCEEDED(result))
+  // now set the referrer on the loadinfo
+  if (sourceURI) {
     loadInfo->SetReferrer(sourceURI);
+  }
 
   loadInfo.swap(*aLoadInfo);
 
   return NS_OK;
 }
 
 nsresult
 nsLocation::GetURI(nsIURI** aURI, PRBool aGetInnermostURI)
--- a/dom/base/nsPIDOMWindow.h
+++ b/dom/base/nsPIDOMWindow.h
@@ -456,20 +456,16 @@ public:
    */
   virtual void PageHidden() = 0;
 
   /**
    * Instructs this window to synchronously dispatch a hashchange event.
    */
   virtual nsresult DispatchSyncHashchange() = 0;
 
-  /**
-   * Instructs this window to synchronously dispatch a popState event.
-   */
-  virtual nsresult DispatchSyncPopState() = 0;
 
   /**
    * Tell this window that there is an observer for orientation changes
    */
   virtual void SetHasOrientationEventListener() = 0;
 
   /**
    * Set a arguments for this window. This will be set on the window
--- a/dom/interfaces/base/nsIDOMHistory.idl
+++ b/dom/interfaces/base/nsIDOMHistory.idl
@@ -34,30 +34,22 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "domstubs.idl"
 
-interface nsIVariant;
-
-[scriptable, uuid(208f2af7-9f2e-497c-8a53-9e7803280898)]
+[scriptable, uuid(896d1d20-b4c4-11d2-bd93-00805f8ae3f4)]
 interface nsIDOMHistory : nsISupports
 {
   readonly attribute long             length;
   readonly attribute DOMString        current;
   readonly attribute DOMString        previous;
   readonly attribute DOMString        next;
 
   void                       back();
   void                       forward();
 
   void                       go([optional] in long aDelta);
   DOMString                  item(in unsigned long index);
-  void                       pushState(in nsIVariant aData,
-                                       in DOMString aTitle,
-                                       [optional] in DOMString aURL);
-  void                       replaceState(in nsIVariant aData,
-                                          in DOMString aTitle,
-                                          [optional] in DOMString aURL);
 };
--- a/dom/interfaces/events/Makefile.in
+++ b/dom/interfaces/events/Makefile.in
@@ -78,12 +78,11 @@ XPIDLSRCS =					\
 	nsIDOMNotifyPaintEvent.idl              \
 	nsIDOMPaintRequest.idl			\
 	nsIDOMPaintRequestList.idl		\
 	nsIDOMSimpleGestureEvent.idl		\
 	nsIDOMNSMouseEvent.idl			\
 	nsIDOMOrientationEvent.idl              \
 	nsIDOMScrollAreaEvent.idl		\
 	nsIDOMTransitionEvent.idl		\
-	nsIDOMPopStateEvent.idl			\
 	$(NULL)
 
 include $(topsrcdir)/config/rules.mk
deleted file mode 100644
--- a/dom/interfaces/events/nsIDOMPopStateEvent.idl
+++ /dev/null
@@ -1,51 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is the Mozilla Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2009
- * the Initial Developer. All Rights Reserved.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either of the GNU General Public License Version 2 or later (the "GPL"),
- * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsIDOMEvent.idl"
-
-interface nsIVariant;
-
-[scriptable, uuid(f3834fd5-0ef5-4ccd-a741-0b6685414342)]
-interface nsIDOMPopStateEvent : nsIDOMEvent
-{
-  /**
-   * The state associated with this popstate event
-   */
-  readonly attribute nsIVariant state;
-
-  void initPopStateEvent(in DOMString typeArg,
-                         in boolean canBubbleArg,
-                         in boolean cancelableArg,
-                         in nsIVariant stateArg);
-};
--- a/dom/interfaces/json/nsIJSON.idl
+++ b/dom/interfaces/json/nsIJSON.idl
@@ -37,39 +37,26 @@
  * ***** END LICENSE BLOCK ***** */
 
 #include "domstubs.idl"
 
 interface nsIInputStream;
 interface nsIOutputStream;
 interface nsIScriptGlobalObject;
 
-%{ C++
-#include "jspubtd.h"
-%}
-
-      native JSVal(jsval);
-[ptr] native JSValPtr(jsval);
-[ptr] native JSContext(JSContext);
-
 /**
  * Encode and decode JSON text.
  */
-[scriptable, uuid(6fcf09ee-87d0-42ec-a72a-8d60114e974f)]
+[scriptable, uuid(45464c36-efde-4cb5-8e00-07480533ff35)]
 interface nsIJSON : nsISupports
 {
   AString encode(/* in JSObject value */);
 
   void encodeToStream(in nsIOutputStream stream,
                       in string charset,
                       in boolean writeBOM
                       /* in JSObject value */);
 
   void /* JSObject */ decode(in AString str);
 
   void /* JSObject */ decodeFromStream(in nsIInputStream stream,
                                        in long contentLength);
-
-  [noscript] AString  encodeFromJSVal(in JSValPtr value, in JSContext cx);
-
-  // Make sure you GCroot the result of this function before using it.
-  [noscript] JSVal    decodeToJSVal(in AString str, in JSContext cx);
 };
--- a/dom/src/json/Makefile.in
+++ b/dom/src/json/Makefile.in
@@ -46,19 +46,16 @@ MODULE         = dom
 LIBRARY_NAME   = json_s
 LIBXUL_LIBRARY = 1
 
 
 CPPSRCS =                      \
        nsJSON.cpp              \
        $(NULL)
 
-EXPORTS = nsJSON.h \
-          $(NULL)
-
 FORCE_STATIC_LIB = 1
 
 LOCAL_INCLUDES = \
 		-I$(srcdir)/../base \
 		-I$(topsrcdir)/content/events/src
 
 DEFINES += -D_IMPL_NS_LAYOUT
 
--- a/dom/src/json/nsJSON.cpp
+++ b/dom/src/json/nsJSON.cpp
@@ -190,37 +190,16 @@ WriteCallback(const jschar *buf, uint32 
   nsJSONWriter *writer = static_cast<nsJSONWriter*>(data);
   nsresult rv =  writer->Write((const PRUnichar*)buf, (PRUint32)len);
   if (NS_FAILED(rv))
     return JS_FALSE;
 
   return JS_TRUE;
 }
 
-NS_IMETHODIMP
-nsJSON::EncodeFromJSVal(jsval *value, JSContext *cx, nsAString &result)
-{
-  result.Truncate();
-
-  // Begin a new request
-  JSAutoRequest ar(cx);
-
-  nsJSONWriter writer;
-  JSBool ok = JS_Stringify(cx, value, NULL, JSVAL_NULL,
-                           WriteCallback, &writer);
-  if (!ok) {
-    return NS_ERROR_XPC_BAD_CONVERT_JS;
-  }
-
-  NS_ENSURE_TRUE(writer.DidWrite(), NS_ERROR_UNEXPECTED);
-  writer.FlushBuffer();
-  result.Assign(writer.mOutputString);
-  return NS_OK;
-}
-
 nsresult
 nsJSON::EncodeInternal(nsJSONWriter *writer)
 {
   nsresult rv;
   nsIXPConnect *xpc = nsContentUtils::XPConnect();
   if (!xpc)
     return NS_ERROR_FAILURE;
 
@@ -398,40 +377,16 @@ nsJSON::Decode(const nsAString& json)
 }
 
 NS_IMETHODIMP
 nsJSON::DecodeFromStream(nsIInputStream *aStream, PRInt32 aContentLength)
 {
   return DecodeInternal(aStream, aContentLength, PR_TRUE);
 }
 
-NS_IMETHODIMP
-nsJSON::DecodeToJSVal(const nsAString &str, JSContext *cx, jsval *result)
-{
-  JSAutoRequest ar(cx);
-
-  JSONParser *parser = JS_BeginJSONParse(cx, result);
-  NS_ENSURE_TRUE(parser, NS_ERROR_UNEXPECTED);
-
-  JSBool ok = JS_ConsumeJSONText(cx, parser,
-                                 (jschar*)PromiseFlatString(str).get(),
-                                 (uint32)str.Length());
-
-  // Since we've called JS_BeginJSONParse, we have to call JS_FinishJSONParse,
-  // even if JS_ConsumeJSONText fails.  But if either fails, we'll report an
-  // error.
-  ok = ok && JS_FinishJSONParse(cx, parser, JSVAL_NULL);
-
-  if (!ok) {
-    return NS_ERROR_UNEXPECTED;
-  }
-
-  return NS_OK;
-}
-
 nsresult
 nsJSON::DecodeInternal(nsIInputStream *aStream,
                        PRInt32 aContentLength,
                        PRBool aNeedsConverter)
 {
   nsresult rv;
   nsIXPConnect *xpc = nsContentUtils::XPConnect();
   if (!xpc)
--- a/dom/tests/mochitest/whatwg/Makefile.in
+++ b/dom/tests/mochitest/whatwg/Makefile.in
@@ -72,19 +72,16 @@ include $(topsrcdir)/config/rules.mk
 		test_postMessage_origin.xhtml \
 		postMessage_origin_helper.xhtml \
 		test_postMessage_closed.html \
 		postMessage_closed_helper.html \
 		test_postMessage_jar.html \
 		postMessage.jar \
 		postMessage.jar^headers^ \
 		test_bug477323.html \
-		test_bug500328.html \
-		file_bug500328_1.html \
-		file_bug500328_2.html \
 		$(NULL)
 
 _CHROME_FILES	= \
 		test_postMessage_chrome.html \
 		$(NULL)		
 
 libs:: 	$(_TEST_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
deleted file mode 100644
--- a/dom/tests/mochitest/whatwg/file_bug500328_1.html
+++ /dev/null
@@ -1,34 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-Inner frame for testing bug 500328.
-https://bugzilla.mozilla.org/show_bug.cgi?id=500328
--->
-<head>
-<title>test 1</title>
-</head>
-<body onload="load();" onpopstate="popstate(event);">
-<script type="application/javascript">
-  function load() {
-    if(parent && parent.onChildLoad)
-      parent.onChildLoad();
-    if(opener && opener.onChildLoad)
-      opener.onChildLoad();
-  }
-
-  function popstate(e) {
-    if(parent && parent.onChildLoad)
-      parent.onChildPopState(e);
-    if(opener && opener.onChildLoad)
-      opener.onChildPopState(e);
-  }
-
-  function navigateTo(loc) {
-    location = loc;
-  }
-</script>
-
-<a id="link-anchor1", href="#1">Link Anchor1</a>
-<a id="link-self" href="file_bug500328_1.html">Self</a>
-</body>
-</html>
deleted file mode 100644
--- a/dom/tests/mochitest/whatwg/file_bug500328_2.html
+++ /dev/null
@@ -1,17 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-Inner frame for testing bug 500328.
-https://bugzilla.mozilla.org/show_bug.cgi?id=500328
--->
-<head>
-</head>
-<body>
-<!--
- Yes, this page is basically blank.  But no, about:blank wouldn't do as a
- replacement, because we use this page to test that pushstate has correct
- same-origin checks.
--->
-file_bug500328_2.html
-</body>
-</html>
deleted file mode 100644
--- a/dom/tests/mochitest/whatwg/test_bug500328.html
+++ /dev/null
@@ -1,740 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=500328
--->
-<head>
-  <title>Test for Bug 500328</title>
-  <script type="application/javascript" src="/MochiKit/packed.js"></script>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=500328">Mozilla Bug 500328</a>
-<p id="display"></p>
-<div id="status"></div>
-<div id="content">
-  <iframe id="iframe"></iframe>
-  <iframe id="iframe2"></iframe>
-  <a id="link">link</a>
-</div>
-<pre id="test">
-<script type="application/javascript;version=1.7">
-
-/** Test for Bug 500328 **/
-
-SimpleTest.waitForExplicitFinish();
-
-var iframe = document.getElementById("iframe");
-var iframeCw = iframe.contentWindow;
-
-var iframe2 = document.getElementById("iframe2");
-var iframe2Cw = iframe2.contentWindow;
-
-var unvisitedColor;
-var visitedColor;
-
-var gCallbackOnIframeLoad = false;
-var gCallbackOnPopState = false;
-var gNumPopStates = 0;
-var gLastPopStateEvent;
-
-var gGen;
-
-function statusMsg(msg) {
-  var msgElem = document.createElement("p");
-  msgElem.appendChild(document.createTextNode(msg));
-
-  document.getElementById("status").appendChild(msgElem);
-}
-
-function longWait() {
-  setTimeout(function() { gGen.next(); }, 1000);
-}
-
-function shortWait() {
-  setTimeout(function() { gGen.next(); }, 0);
-}
-
-function onChildPopState(e) {
-  gNumPopStates++;
-  gLastPopStateEvent = e;
-  if (gCallbackOnPopState) {
-    statusMsg("Popstate(" + JSON.stringify(e.state) + ").  Calling gGen.next().");
-    gCallbackOnPopState = false;
-    gGen.next();
-  }
-  else {
-    statusMsg("Popstate(" + JSON.stringify(e.state) + ").  NOT calling gGen.next().");
-  }
-}
-
-function onChildLoad() {
-  if(gCallbackOnIframeLoad) {
-    statusMsg("Got load.  About to call gGen.next().");
-    gCallbackOnIframeLoad = false;
-    gGen.next();
-  }
-  else {
-    statusMsg("Got load, but not calling gGen.next() because gCallbackOnIframeLoad was false.");
-  }
-}
-
-function enableChildLoadCallback() {
-  gCallbackOnIframeLoad = true;
-}
-
-function enableChildPopStateCallback() {
-  gCallbackOnPopState = true;
-}
-
-function clearPopStateCounter() {
-  gNumPopStates = 0;
-}
-
-function noPopStateExpected(msg) {
-  is(gNumPopStates, 0, msg);
-
-  // Even if there's an error, set gNumPopStates to 0 so other tests don't
-  // fail.
-  gNumPopStates = 0;
-}
-
-function popstateExpected(msg) {
-  is(gNumPopStates, 1, msg);
-  gNumPopStates = 0;
-}
-
-function getColor(elem) {
-  return document.defaultView.getComputedStyle(elem, "").color;
-}
-
-function getSHistory(theWindow)
-{
-  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
-
-  const Ci = Components.interfaces;
-  var sh = theWindow.QueryInterface(Ci.nsIInterfaceRequestor)
-                    .getInterface(Ci.nsIWebNavigation)
-                    .sessionHistory;
-  if (!sh || sh == null)
-    throw("Couldn't get shistory for window!");
-
-  return sh;
-}
-
-function getChromeWin(theWindow)
-{
- netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
- const Ci = Components.interfaces;
- return theWindow
-           .QueryInterface(Ci.nsIInterfaceRequestor)
-           .getInterface(Ci.nsIWebNavigation)
-           .QueryInterface(Ci.nsIDocShellTreeItem)
-           .rootTreeItem
-           .QueryInterface(Ci.nsIInterfaceRequestor)
-           .getInterface(Ci.nsIDOMWindow)
-           .QueryInterface(Ci.nsIDOMChromeWindow);
-}
-
-function getSHTitle(sh, offset)
-{
-  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
-
-  if (!offset)
-    offset = 0;
-
-  // False instructs the SHistory not to modify its current index.
-  return sh.getEntryAtIndex(sh.index + offset, false).title;
-}
-
-// Tests that win's location ends with str
-function locationEndsWith(win, str) {
-  var exp = new RegExp(str + "$");
-  ok(win.location.toString().match(exp),
-     "Wrong window location.  Expected it to end with " +
-     str + ", but actuall was " + win.location);
-}
-
-function expectException(func, msg) {
-  var failed = false;
-  try {
-    func();
-  } catch(ex) {
-    failed = true;
-  }
-
-  ok(failed, msg + " succeeded, but should have failed.");
-}
-
-function runTest() {
-  // We can't enable universal XPConnect privleges in this function, because
-  // test 5 needs to be running at normal privleges in order to test the
-  // same-origin policy.
-
-  /**
-   * PRELIMINARY:
-   *  1. Clear the popstate counter
-   *  2. Get the visited and unvisited link colors.
-   */
-
-  clearPopStateCounter();
-
-  // Set the link's href to somewhere we haven't been so we can get the
-  // unvisited link color.
-  var rand = Date.now() + "-" + Math.random();
-  $("link").href = rand;
-  unvisitedColor = getColor($("link"));
-  statusMsg("Unvisited color is " + unvisitedColor);
-
-  // Set the link's href to our current location so we can get the visited link
-  // color.
-  $("link").href = document.location;
-  visitedColor = getColor($("link"));
-  statusMsg("Visited color is " + visitedColor);
-  isnot(visitedColor, unvisitedColor, "visited/unvisited link colors are the same?");
-
-  // The URL of file_bug500328_1.html on http://localhost:8888
-  var innerLoc;
-
-  // Now we can start the tests
-
-  /**
-   * TEST 1 tests basic pushState functionality
-   */
-  enableChildLoadCallback();
-  iframeCw.location = "file_bug500328_1.html";
-  yield;
-  innerLoc = iframeCw.location.toString();
-  // Load should be fired before popstate.
-  enableChildPopStateCallback();
-  yield;
-  popstateExpected("Expected initial popstate.");
-  statusMsg("Awake after first popstate.");
-
-  var testObj1 = 42;
-  var testObj2 = 4.2;
-  iframeCw.history.pushState(testObj1, "test 1");
-  is(iframeCw.location.search, "",
-     "First pushstate should leave us where we were.");
-
-  // Make sure that this pushstate doesn't trigger a hashchange.
-  iframeCw.onhashchange = function() {
-    ok(false, "Pushstate shouldn't trigger a hashchange.");
-  };
-
-  iframeCw.history.pushState(testObj2, "test 1#foo", "?test1#foo");
-  is(iframeCw.location.search, "?test1",
-     "Second pushstate should push us to '?test1'.");
-  is(iframeCw.location.hash, "#foo",
-     "Second pushstate should push us to '#foo'");
-  shortWait();
-  yield;
-
-  // Let the hashchange event fire, if it's going to.
-  longWait();
-  yield;
-  iframeCw.onhashchange = null;
-
-  statusMsg("About to go back to page 1.");
-  // We don't have to yield here because this back() and the resulting popstate
-  // are completely synchronous.  In fact, if we did yield, JS would throw an
-  // error because we'd be calling gGen.next from within gGen.next.
-  iframeCw.history.back();
-
-  statusMsg("Awake after going back to page 1.");
-  popstateExpected("Going back to page 1 should trigger a popstate.");
-  is(JSON.stringify(gLastPopStateEvent.state), JSON.stringify(testObj1),
-     "Wrong state object popped after going back to page 1.");
-  ok(iframeCw.location.toString().match(/file_bug500328_1.html$/),
-      "Going back to page 1 hould take us to original page.");
-
-  iframeCw.history.back();
-  popstateExpected("Going back to page 0 should trigger a popstate.");
-  is(gLastPopStateEvent.state, null,
-      "Going back to page 0 should pop a null state.");
-  is(iframeCw.location.search, "",
-      "Going back to page 0 should clear the querystring.");
-
-  iframeCw.history.forward();
-  popstateExpected("Going forward to page 1 should trigger a popstate.");
-  is(JSON.stringify(gLastPopStateEvent.state), JSON.stringify(testObj1),
-      "Wrong state object popped after going forward to page 1.");
-  ok(iframeCw.location.toString().match(/file_bug500328_1.html$/),
-      "Going forward to page 1 should leave us at original page.");
-
-
-  statusMsg("About to go forward to page 2.");
-  iframeCw.history.forward();
-  statusMsg("Awake after going forward to page 2.");
-  popstateExpected("Going forward to page 2 should trigger a popstate.");
-  is(JSON.stringify(gLastPopStateEvent.state), JSON.stringify(testObj2),
-     "Wrong state object popped after going forward to page 2.");
-  ok(iframeCw.location.toString().match(/file_bug500328_1.html\?test1#foo$/),
-     "Going forward to page 2 took us to " + iframeCw.location.toString());
-
-  // The iframe's current location is file_bug500328_1.html?test1#foo.
-  // Clicking link1 should take us to file_bug500328_1.html?test1#1.
-
-  enableChildPopStateCallback();
-  sendMouseEvent({type:'click'}, 'link-anchor1', iframeCw);
-  yield;
-  popstateExpected("Clicking on link-anchor1 should trigger a popstate.");
-  is(iframeCw.location.search, "?test1",
-      "search should be ?test1 after clicking link.");
-  is(iframeCw.location.hash, "#1",
-      "hash should be #1 after clicking link.");
-
-  /*
-   * Reload file_bug500328_1.html; we're now going to test that link hrefs
-   * and colors are updated correctly on push/popstates.
-   */
-
-  iframe.onload = onChildLoad;
-  enableChildLoadCallback();
-  iframeCw.location = "about:blank";
-  yield;
-  iframe.onload = null;
-  iframeCw.location = "file_bug500328_1.html";
-  enableChildPopStateCallback();
-  yield;
-  popstateExpected("No popstate after re-loading file_bug500328_1.html");
-  statusMsg("Done loading file_bug500328_1.html for the second time.");
-
-  var ifLink = iframeCw.document.getElementById("link-anchor1");
-  ifLink.href = rand;
-
-  // Poll the document until the link has the correct color, or this test times
-  // out.  Unfortunately I can't come up with a more elegant way to do this.
-  // We could listen to MozAfterPaint, but that doesn't guarantee that we'll
-  // observe the new color.
-  while (getColor(ifLink) != unvisitedColor) {
-    // Dump so something shows up in the mochitest logs if we spin here.
-    dump("ifLink has wrong initial color.  Spinning...\n");
-    setTimeout(function() { gGen.next(); }, 10);
-    yield;
-  }
-
-  // Navigate iframe2 to dir/${rand}
-  iframe2.onload = onChildLoad;
-  enableChildLoadCallback();
-  iframe2Cw.location = "mytestdir/" + rand;
-  yield;
-
-  // PushState the iframe into the mytestdir directory.  This should cause
-  // ifLink to turn purple, since we just visited mytestdir/${rand} in iframe2.
-  iframeCw.history.pushState(null, "foo", "mytestdir/foo");
-
-  // Check that the link's color is now visitedColor
-  while (getColor(ifLink) != visitedColor) {
-    dump("ifLink has wrong color after pushstate.  Spinning...\n");
-    setTimeout(function() { gGen.next(); }, 10);
-    yield;
-  }
-
-  ok(ifLink.href.match("mytestdir\\/" + rand + "$"),
-     "inner frame's link should end with 'mytestdir/${rand}'");
-
-  // Navigate out of the mytestdir directory.  This should cause ifLink to turn
-  // blue again.
-  iframeCw.history.pushState(null, "bar", "../file_bug500328_1.html");
-
-  // Check that the link's color is back to the unvisited color.
-  while (getColor(ifLink) != unvisitedColor) {
-    dump("ifLink has wrong color after pushstating out of dir.  Spinning...\n");
-    setTimeout(function() { gGen.next(); }, 10);
-    yield;
-  }
-
-  ok(!ifLink.href.match("mytestdir"),
-     "inner frame's link shouldn't contain 'mytestdir'.");
-
-  /*
-   * TEST 2 tests that pushstate's same-origin checks are correct.
-   */
-  var filename = 'file_bug500328_2.html';
-  // Get the directory we're currently in
-  var dirname = document.location.pathname.replace(/[^\/]*$/, '');
-  statusMsg("Dirname is: " + dirname);
-  var loc = 'http://example.com' + dirname + filename;
-  statusMsg("About to transfer iframe to " + loc);
-  iframeCw.location = loc;
-  // We have to register a listener like this because this file is hosted on a
-  // different domain and can't notify us on load.
-  iframe.onload = onChildLoad;
-  enableChildLoadCallback();
-  yield;
-
-  // This function tries to pushstate and replacestate to the given URL and
-  // fails the test if the calls succeed.
-  var tryBadPushAndReplaceState = function(url) {
-    // XXX ex should be a SECURITY_ERR, not a plain Error.
-
-    var hist = iframeCw.history;
-    var url2 = url + dirname + filename;
-
-    expectException(function() { hist.pushState({}, "foo", url); },
-                    'pushState to ' + url);
-
-    expectException(function() { hist.pushState({}, "foo", url2); },
-                    'pushState to ' + url2);
-
-    expectException(function() { hist.replaceState({}, "foo", url); },
-                    'replaceState to ' + url);
-
-    expectException(function() { hist.replaceState({}, "foo", url2); },
-                    'replaceState to ' + url2);
-  }
-
-  // We're currently at http://example.com/[dirname]/[filename]
-  tryBadPushAndReplaceState("https://example.com");
-  tryBadPushAndReplaceState("http://foo.example.com");
-  tryBadPushAndReplaceState("http://example.com:1234");
-  tryBadPushAndReplaceState("http://example.com.a");
-  tryBadPushAndReplaceState("http://example.con");
-  tryBadPushAndReplaceState("http://eexample.com");
-  tryBadPushAndReplaceState("http://me@example.com");
-
-  /**
-   * TEST 3 tests that the session history entries' titles are properly sync'ed
-   * after push/pop states.
-   *
-   * We have to run this test in a popup rather than an iframe because only the
-   * root docshell has a session history object.
-   */
-  statusMsg("About to open popup.");
-  var popup = window.open("file_bug500328_1.html", "popup0",
-                          "height=200,width=200,location=yes," +
-                          "menubar=yes,status=yes,toolbar=yes,dependent=yes");
-
-  var shistory = getSHistory(popup);
-
-  enableChildPopStateCallback();
-  yield;
-  popstateExpected("Didn't get popstate after opening window.");
-
-  popup.history.pushState(null, "title 0");
-  ok(!getChromeWin(popup).document
-        .getElementById("Browser:Back").hasAttribute("disabled"),
-     "Back button was not enabled after initial pushstate.");
-
-  popup.document.title = "title 1";
-
-  // Yield to the event loop so listeners will be notified of the title change
-  // and so that the hash change we trigger below generates a new session
-  // history entry.
-  shortWait();
-  yield;
-
-  // Check that the current session history entry's title has been updated to
-  // reflect the new document title.
-  is(getSHTitle(shistory), "title 1", "SHEntry title test 1");
-
-  // Change the page's hash to #1, which will trigger a popstate event.
-  // We don't have to wait, because this happens synchronously.
-  popup.location.hash = "#1";
-  popstateExpected("Didn't get popstate after changing hash.");
-
-  popup.document.title = "title 2";
-
-  // Yield so listeners will be notified of the title change we just performed.
-  shortWait();
-  yield;
-
-  is(getSHTitle(shistory), "title 2", "SHEntry title test 2");
-
-  // Go back.  Happens synchronously.  We should get a popstate.
-  statusMsg("About to go back.");
-  popup.history.go(-1);
-  popstateExpected("Didn't get a popstate after going back.");
-
-  // Even though we went back, we expect the SHEntry title to remain the same
-  // because the document didn't change.
-  is(getSHTitle(shistory), "title 2", "SHEntry title test 3");
-
-  popup.document.title = "Changed 1";
-  shortWait();
-  yield;
-
-  // This check is really a test of bug 509055.
-  is(getSHTitle(shistory), "Changed 1", "SHEntry title test 4");
-
-  popup.close();
-
-  /**
-   * TEST 4 tests replaceState and that we don't get double popstates on
-   * window.open.  It also stress-tests the system and its interaction with
-   * bfcache by making many push/replace state calls.
-   */
-  popup = window.open("file_bug500328_1.html", "popup1",
-                      "height=200,width=200,location=yes," +
-                      "menubar=yes,status=yes,toolbar=yes,dependent=yes");
-
-  // The initial about:blank load into the new window shouldn't result in us
-  // seeing a popstate.  Once file_bug500328_1.html is loaded, it'll overwrite
-  // popup.onpopstate, and this assertion won't fire for that popstate and
-  // others after.
-  //
-  // If we fired the popstate event asynchronously, we'd expect this assert to
-  // fire.
-  popup.onpopstate = function() {
-    ok(false, "Initial load of popup shouldn't give us a popstate.");
-  };
-
-  shistory = getSHistory(popup);
-
-  enableChildPopStateCallback();
-  yield;
-  statusMsg("Awake after loading content into popup.");
-
-  popup.history.replaceState({n:1, ok:true}, "state 1", "good1.html");
-  locationEndsWith(popup, "good1.html");
-  is(getSHTitle(shistory), "state 1", "SHEntry title 'state 1'");
-
-  // Flush the event loop so our next load creates a new session history entry.
-  shortWait();
-  yield;
-
-  enableChildPopStateCallback();
-  popup.location = "file_bug500328_1.html";
-  yield;
-
-  // Flush the event loop so nsDocShell::OnNewURI runs and our load is recorded
-  // properly.  OnNewURI is called after PopState fires, because OnNewURI
-  // results from an async event, while PopState is sync.  We'd have to do the
-  // same thing if we were listening to onload here, so this isn't
-  // unreasonable.
-  shortWait();
-  yield;
-
-  // Now go back and make sure everything is as it should be.
-  enableChildPopStateCallback();
-  popup.history.back();
-  yield;
-
-  // Flush the event loop so the document's location is updated.
-  shortWait();
-  yield;
-
-  // We had some popstates above without corresponding popstateExpected()
-  // calls, so we need to clear the counter.
-  clearPopStateCounter();
-
-  locationEndsWith(popup, "good1.html");
-  is(JSON.stringify(gLastPopStateEvent.state), '{"n":1,"ok":true}',
-     "Wrong state popped after going back to initial state.");
-
-  // We're back at state 0, which was replaceState-ed to state1.html.  Let's do
-  // some push/pop/replaces to make sure everything works OK when we involve
-  // large numbers of SHEntries.
-  for(var i = 2; i <= 30; i++) {
-    if (i % 3 == 0) {
-      popup.history.pushState({n:i, ok:true}, "state " + i, "good" + i + ".html");
-    }
-    else {
-      popup.history.pushState({n:i}, "state " + i, "state" + i + ".html");
-      for(var j = 0; j < i % 4; j++) {
-        popup.history.replaceState({n:i, nn:j}, "state " + i + ", " + j);
-      }
-      popup.history.replaceState({n:i, ok:true}, "state " + i, "good" + i + ".html");
-    }
-  }
-
-  for(var i = 29; i >= 1; i--) {
-    popup.history.back();
-    popstateExpected("Didn't get a popstate on iteration " + i);
-    locationEndsWith(popup, "good" + i + ".html");
-    is(gLastPopStateEvent.state.n, i, "Bad counter on last popstate event.");
-    ok(gLastPopStateEvent.state.ok,
-       "Last popstate event should have 'ok' set to true.");
-  }
-
-  popup.close();
-
-  /**
-   * TEST 5 tests misc security features and implementation details of
-   * Push/ReplaceState
-   */
-
-  /*
-   * Test that we can't push/replace an object with a large (over 640k
-   * characters) JSON representation.
-   */
-
-  // (In case you're curious, this loop generates an object which serializes to
-  // 694581 characters.)
-  var bigObject = new Object();
-  for(var i = 0; i < 51200; i++) {
-    bigObject[i] = i;
-  }
-  // statusMsg("Big object has size " + JSON.stringify(bigObject).length);
-
-  // We shouldn't be able to pushstate this large object, due to space
-  // constraints.
-  expectException(
-    function() { iframeCw.history.pushState(bigObject, "foo"); },
-    "pushState-ing large object");
-
-  expectException(
-    function() { iframeCw.history.replaceState(bigObject, "foo"); },
-    "replaceState-ing large object");
-
-  /*
-   * Make sure we can't push/replace state on an iframe of a different origin.
-   * This will work if this function has requested Universal XPConnect
-   * privileges, so any code which needs those privileges can't be in this
-   * function.
-   */
-  enableChildLoadCallback();
-  iframeCw.location = "http://example.com";
-  iframe.onload = onChildLoad;
-  yield;
-  iframe.onload = null;
-
-  expectException(
-    function() { iframeCw.history.pushState({}, "foo"); },
-    "pushState-ing in a different origin");
-
-  expectException(
-    function() { iframeCw.history.replaceState({}, "foo"); },
-    "replaceState-ing in a different origin");
-
-  /*
-   * If we do the following:
-   *   * Start at page A.
-   *   * PushState to page B.
-   *   * Refresh.  The server responds with a 404
-   *   * Go back.
-   * Then at the end, page A should be displayed, not the 404 page.
-   */
-  enableChildLoadCallback();
-  iframe.onload = onChildLoad;
-  iframeCw.location = "about:blank";
-  yield;
-  iframe.onload = null;
-
-  enableChildPopStateCallback();
-  // navigate to http://localhost:8888/[...]/file_bug500328_1.html
-  iframeCw.location = innerLoc;
-  yield;
-
-  // Let the PopState handler finish.  If we call refresh (below) from within
-  // the handler, we get slightly confused and can't tell that we're at a 404
-  // after the refresh.
-  shortWait();
-  yield;
-
-  // PushState to a URL which doesn't exist
-  iframeCw.history.pushState({}, "", rand);
-
-  // Refresh.  We'll end up a 404 page.
-  iframe.onload = onChildLoad;
-  enableChildLoadCallback();
-  iframeCw.location.reload(true);
-  yield;
-
-  // Since the last page was a 404, going back should actually show the
-  // contents of the old page, instead of persisting the contents of the 404
-  // page.
-  clearPopStateCounter();
-  enableChildPopStateCallback();
-  iframeCw.history.back();
-  yield;
-  popstateExpected("Didn't get popstate after going back.");
-
-  // Make sure that we're actually showing the contents of
-  // file_bug500328_1.html, as opposed to the 404 page.
-  var identifierElem = iframeCw.document.getElementById("link-anchor1");
-  ok(identifierElem != undefined && identifierElem != null,
-     "iframe didn't contain file_bug500328_1.html's contents.");
-
-  /**
-   * TEST 6 tests that the referrer is set properly after push/replace states.
-   */
-
-  /*
-   * First, a simple test:
-   *   * Load file_bug500328_1.html into iframe
-   *   * PushState to newpage1.html#foo
-   *   * Instruct the iframe to load file_bug500328_1.html into itself.
-   * The referer should be newpage1.html, without the hash.
-   *
-   * This also tests that we can call pushState from within the onload handler.
-   */
-  enableChildLoadCallback();
-  iframeCw.location = "file_bug500328_1.html";
-  yield;
-
-  // Run within the onload handler.  This should work without issue.
-  iframeCw.history.pushState(null, "", "newpage1.html");
-
-  // iframeCw.navigateTo() causes the iframe to set its location on our
-  // behalf.  We can't just set its location ourselves, because then *we*
-  // become the referrer.
-  enableChildPopStateCallback();
-  iframeCw.navigateTo("file_bug500328_1.html");
-  yield;
-
-  ok(iframeCw.document.referrer.toString().match(/newpage1.html$/),
-     "Wrong referrer after replaceState.  Expected newpage1.html, but was " +
-     iframeCw.document.referrer);
-
-  /*
-   * We're back at file_bug500328_1.html.  Now do the following:
-   *   * replaceState to newpage2.html#foo
-   *   * Click a link back to file_bug500328_1.html
-   * The referrer should be newpage2.html, without the hash.
-   */
-  iframeCw.history.replaceState(null, null, "newpage2.html#foo");
-  enableChildPopStateCallback();
-  sendMouseEvent({type:'click'}, 'link-self', iframeCw);
-  yield;
-
-  ok(iframeCw.document.referrer.toString().match(/newpage2.html$/),
-     "Wrong referrer after replaceState.  Expected newpage2.html, but was " +
-     iframeCw.document.referrer);
-
-
-  /*
-   * Set up a cycle with the popstate event to make sure it's properly
-   * collected.
-   */
-  var evt = document.createEvent("popstateevent");
-  evt.initEvent("foo", false, false, evt);
-
-  /* */
-  SimpleTest.finish();
-  statusMsg("********** Finished tests ***********");
-  while(true)
-  {
-    yield;
-
-    // I don't think this will actually make the mochitest fail, but there's
-    // not much we can do about this.  Realistically, though, regressions are
-    // not likely to fire extra events -- this trap is here mostly to catch
-    // errors made while wriring tests.
-    ok(false, "Got extra event!");
-  }
-
-  /*
-  statusMsg("XXXXXXXXXXXXXX");
-  while(true) {
-    yield;
-    statusMsg("Woken up.");
-  }
-  */
-}
-
-// Important: Wait to start the tests until the page has loaded.  Otherwise,
-// the test will occasionally fail when it begins running before the iframes
-// have finished their initial load of about:blank.
-window.addEventListener('load', function() {
-  gGen = runTest();
-  gGen.next();
-}, false);
-
-</script>
-</pre>
-</body>
-</html>
--- a/js/src/xpconnect/idl/nsIDispatchSupport.idl
+++ b/js/src/xpconnect/idl/nsIDispatchSupport.idl
@@ -52,16 +52,17 @@
 // as a class
 #pragma warning(push)
 #pragma warning(disable : 4099)
 #endif
 %}
 
 native COMVARIANT(VARIANT);
 [ptr] native COMVARIANTPtr(VARIANT);
+native JSVal(jsval);
 [ptr] native JSContextPtr(JSContext);
 
 interface IDispatch;
 
 [uuid(38df70e9-12f8-4732-af91-df36c38dc6f6)]
 interface nsIDispatchSupport : nsISupports
 {
     /**
--- a/js/src/xpconnect/idl/nsIXPConnect.idl
+++ b/js/src/xpconnect/idl/nsIXPConnect.idl
@@ -54,22 +54,21 @@
 %{ C++
 #include "jspubtd.h"
 #include "xptinfo.h"
 #include "nsAXPCNativeCallContext.h"
 %}
 
 /***************************************************************************/
 
-// NB: JSVal is declared in nsIVariant.idl
-
 [ptr] native JSContextPtr(JSContext);
 [ptr] native JSClassPtr(JSClass);
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native JSValPtr(jsval);
+      native JSVal(jsval);
       native JSEqualityOp(JSEqualityOp);
       native JSID(jsid);
 [ptr] native voidPtrPtr(void*);
 [ptr] native nsScriptObjectTracerPtr(nsScriptObjectTracer);
 [ref] native nsCCTraversalCallbackRef(nsCycleCollectionTraversalCallback);
 [ptr] native nsAXPCNativeCallContextPtr(nsAXPCNativeCallContext);
 
 /***************************************************************************/
@@ -527,22 +526,16 @@ interface nsIXPConnect : nsISupports
     */
     void
     wrapJS(in JSContextPtr aJSContext,
            in JSObjectPtr  aJSObj,
            in nsIIDRef     aIID,
            [iid_is(aIID),retval] out nsQIResult result);
 
     /**
-     * Wraps the given JSVal in a nsIVariant and returns the new variant.
-     */
-    nsIVariant
-    jSValToVariant(in JSContextPtr cx, in JSValPtr aJSVal);
-
-    /**
     * This only succeeds if the JSObject is a nsIXPConnectWrappedNative.
     * A new wrapper is *never* constructed.
     */
     nsIXPConnectWrappedNative
     getWrappedNativeOfJSObject(in JSContextPtr aJSContext,
                                in JSObjectPtr  aJSObj);
 
     [noscript, notxpcom] nsISupports
--- a/js/src/xpconnect/src/nsXPConnect.cpp
+++ b/js/src/xpconnect/src/nsXPConnect.cpp
@@ -1365,35 +1365,16 @@ nsXPConnect::WrapJS(JSContext * aJSConte
 
     nsresult rv;
     if(!XPCConvert::JSObject2NativeInterface(ccx, result, aJSObj,
                                              &aIID, nsnull, &rv))
         return rv;
     return NS_OK;
 }
 
-NS_IMETHODIMP
-nsXPConnect::JSValToVariant(JSContext *cx,
-                            jsval *aJSVal,
-                            nsIVariant ** aResult)
-{
-    NS_PRECONDITION(aJSVal, "bad param");
-    NS_PRECONDITION(aResult, "bad param");
-    *aResult = nsnull;
-
-    XPCCallContext ccx(NATIVE_CALLER, cx);
-    if(!ccx.IsValid())
-      return NS_ERROR_FAILURE;
-
-    *aResult = XPCVariant::newVariant(ccx, *aJSVal);
-    NS_ENSURE_TRUE(*aResult, NS_ERROR_OUT_OF_MEMORY);
-
-    return NS_OK;
-}
-
 /* void wrapJSAggregatedToNative (in nsISupports aOuter, in JSContextPtr aJSContext, in JSObjectPtr aJSObj, in nsIIDRef aIID, [iid_is (aIID), retval] out nsQIResult result); */
 NS_IMETHODIMP
 nsXPConnect::WrapJSAggregatedToNative(nsISupports *aOuter,
                                       JSContext * aJSContext,
                                       JSObject * aJSObj,
                                       const nsIID & aIID,
                                       void * *result)
 {
--- a/js/src/xpconnect/src/xpcprivate.h
+++ b/js/src/xpconnect/src/xpcprivate.h
@@ -4193,20 +4193,16 @@ public:
     // that case.
 
     // We #define and iid so that out module local code can use QI to detect 
     // if a given nsIVariant is in fact an XPCVariant. 
     NS_DECLARE_STATIC_IID_ACCESSOR(XPCVARIANT_IID)
 
     static XPCVariant* newVariant(XPCCallContext& ccx, jsval aJSVal);
 
-    /**
-     * nsIVariant exposes a GetAsJSVal() method, which also returns mJSVal.
-     * But if you can, you should call this one, since it can be inlined.
-     */
     jsval GetJSVal() const {return mJSVal;}
 
     XPCVariant(XPCCallContext& ccx, jsval aJSVal);
 
     /**
      * Convert a variant into a jsval.
      *
      * @param ccx the context for the whole procedure
--- a/js/src/xpconnect/src/xpcvariant.cpp
+++ b/js/src/xpconnect/src/xpcvariant.cpp
@@ -385,69 +385,62 @@ JSBool XPCVariant::InitializeData(XPCCal
     const nsIID& iid = NS_GET_IID(nsISupports);
 
     return nsnull != (xpc = nsXPConnect::GetXPConnect()) &&
            NS_SUCCEEDED(xpc->WrapJS(ccx, jsobj,
                         iid, getter_AddRefs(wrapper))) &&
            NS_SUCCEEDED(nsVariant::SetFromInterface(&mData, iid, wrapper));
 }
 
-NS_IMETHODIMP
-XPCVariant::GetAsJSVal(jsval* result)
-{
-  NS_PRECONDITION(result, "null result arg.");
-  *result = GetJSVal();
-  return NS_OK;
-}
-
 // static 
 JSBool 
 XPCVariant::VariantDataToJS(XPCLazyCallContext& lccx, 
                             nsIVariant* variant,
                             JSObject* scope, nsresult* pErr,
                             jsval* pJSVal)
 {
     // Get the type early because we might need to spoof it below.
     PRUint16 type;
-    if (NS_FAILED(variant->GetDataType(&type)))
+    if(NS_FAILED(variant->GetDataType(&type)))
         return JS_FALSE;
 
-    jsval realVal;
-    nsresult rv = variant->GetAsJSVal(&realVal);
-
-    if(NS_SUCCEEDED(rv) &&
-      (JSVAL_IS_PRIMITIVE(realVal) ||
-       type == nsIDataType::VTYPE_ARRAY ||
-       type == nsIDataType::VTYPE_EMPTY_ARRAY ||
-       type == nsIDataType::VTYPE_ID))
+    nsCOMPtr<XPCVariant> xpcvariant = do_QueryInterface(variant);
+    if(xpcvariant)
     {
-        // It's not a JSObject (or it's a JSArray or a JSObject representing an
-        // nsID).  Just pass through the underlying data.
-        *pJSVal = realVal;
-        return JS_TRUE;
-    }
+        jsval realVal = xpcvariant->GetJSVal();
+        if(JSVAL_IS_PRIMITIVE(realVal) || 
+           type == nsIDataType::VTYPE_ARRAY ||
+           type == nsIDataType::VTYPE_EMPTY_ARRAY ||
+           type == nsIDataType::VTYPE_ID)
+        {
+            // Not a JSObject (or is a JSArray or is a JSObject representing 
+            // an nsID),.
+            // So, just pass through the underlying data.
+            *pJSVal = realVal;
+            return JS_TRUE;
+        }
 
-    nsCOMPtr<XPCVariant> xpcvariant = do_QueryInterface(variant);
-    if(xpcvariant && xpcvariant->mReturnRawObject)
-    {
-        NS_ASSERTION(type == nsIDataType::VTYPE_INTERFACE ||
-                     type == nsIDataType::VTYPE_INTERFACE_IS,
-                     "Weird variant");
-        *pJSVal = realVal;
-        return JS_TRUE;
+        if(xpcvariant->mReturnRawObject)
+        {
+            NS_ASSERTION(type == nsIDataType::VTYPE_INTERFACE ||
+                         type == nsIDataType::VTYPE_INTERFACE_IS,
+                         "Weird variant");
+            *pJSVal = realVal;
+            return JS_TRUE;
+        }
 
         // else, it's an object and we really need to double wrap it if we've 
         // already decided that its 'natural' type is as some sort of interface.
-
+        
         // We just fall through to the code below and let it do what it does.
     }
 
     // The nsIVariant is not a XPCVariant (or we act like it isn't).
     // So we extract the data and do the Right Thing.
-
+    
     // We ASSUME that the variant implementation can do these conversions...
 
     nsXPTCVariant xpctvar;
     nsID iid;
     nsAutoString astring;
     nsCAutoString cString;
     nsUTF8String utf8String;
     PRUint32 size;
--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@@ -993,17 +993,17 @@ DocumentViewerImpl::LoadComplete(nsresul
   // Flush out layout so it's up-to-date by the time onload is called.
   // Note that this could destroy the window, so do this before
   // checking for our mDocument and its window.
   if (mPresShell && !mStopped) {
     // Hold strong ref because this could conceivably run script
     nsCOMPtr<nsIPresShell> shell = mPresShell;
     shell->FlushPendingNotifications(Flush_Layout);
   }
-
+  
   nsresult rv = NS_OK;
   NS_ENSURE_TRUE(mDocument, NS_ERROR_NOT_AVAILABLE);
 
   // First, get the window from the document...
   nsPIDOMWindow *window = mDocument->GetWindow();
 
   mLoaded = PR_TRUE;
 
@@ -1033,16 +1033,18 @@ DocumentViewerImpl::LoadComplete(nsresul
     docShell->GetRestoringDocument(&restoring);
     if (!restoring) {
       nsEventDispatcher::Dispatch(window, mPresContext, &event, nsnull,
                                   &status);
 #ifdef MOZ_TIMELINE
       // if navigator.xul's load is complete, the main nav window is visible
       // mark that point.
 
+      //printf("DEBUG: getting uri from document (%p)\n", mDocument.get());
+
       nsIURI *uri = mDocument ? mDocument->GetDocumentURI() : nsnull;
 
       if (uri) {
         //printf("DEBUG: getting spec for uri (%p)\n", uri.get());
         nsCAutoString spec;
         uri->GetSpec(spec);
         if (spec.EqualsLiteral("chrome://navigator/content/navigator.xul") ||
             spec.EqualsLiteral("chrome://browser/content/browser.xul")) {
@@ -1090,20 +1092,16 @@ DocumentViewerImpl::LoadComplete(nsresul
     mPrintIsPending        = PR_FALSE;
     mPrintDocIsFullyLoaded = PR_TRUE;
     Print(mCachedPrintSettings, mCachedPrintWebProgressListner);
     mCachedPrintSettings           = nsnull;
     mCachedPrintWebProgressListner = nsnull;
   }
 #endif
 
-  if (!mStopped) {
-    window->DispatchSyncPopState();
-  }
-
   return rv;
 }
 
 NS_IMETHODIMP
 DocumentViewerImpl::PermitUnload(PRBool aCallerClosesWindow, PRBool *aPermitUnload)
 {
   *aPermitUnload = PR_TRUE;
 
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -2833,14 +2833,8 @@ pref("html5.offmainthread", true);
 // first time the flush timer fires in the off-the-main-thread HTML5 parser.
 pref("html5.flushtimer.startdelay", 200);
 // Time in milliseconds between the return to non-speculating more and the 
 // first time the flush timer fires thereafter.
 pref("html5.flushtimer.continuedelay", 150);
 // Time in milliseconds between timer firings once the timer has starting 
 // firing.
 pref("html5.flushtimer.interval", 100);
-
-// Push/Pop/Replace State prefs
-pref("browser.history.allowPushState", true);
-pref("browser.history.allowReplaceState", true);
-pref("browser.history.allowPopState", true);
-pref("browser.history.maxStateObjectSize", 655360);
--- a/storage/src/Variant_inl.h
+++ b/storage/src/Variant_inl.h
@@ -246,17 +246,10 @@ Variant_base::GetAsStringWithSize(PRUint
 inline
 NS_IMETHODIMP
 Variant_base::GetAsWStringWithSize(PRUint32 *,
                                    PRUnichar **)
 {
   return NS_ERROR_CANNOT_CONVERT_DATA;
 }
 
-inline
-NS_IMETHODIMP
-Variant_base::GetAsJSVal(jsval *)
-{
-  return NS_ERROR_CANNOT_CONVERT_DATA;
-}
-
 } // namespace storage
 } // namespace mozilla
--- a/widget/public/nsGUIEvent.h
+++ b/widget/public/nsGUIEvent.h
@@ -51,17 +51,16 @@
 #include "nsIAtom.h"
 #include "nsIDOMKeyEvent.h"
 #include "nsIDOMDataTransfer.h"
 #include "nsWeakPtr.h"
 #include "nsIWidget.h"
 #include "nsTArray.h"
 #include "nsTraceRefcnt.h"
 #include "nsITransferable.h"
-#include "nsIVariant.h"
 
 class nsIRenderingContext;
 class nsIRegion;
 class nsIMenuItem;
 class nsIAccessible;
 class nsIContent;
 class nsIURI;
 class nsHashKey;
@@ -242,17 +241,16 @@ class nsHashKey;
 #define NS_SCROLLBAR_LINE_PREV          (NS_SCROLLBAR_MESSAGE_START + 4)
 
 #define NS_STREAM_EVENT_START           1100
 #define NS_LOAD                         (NS_STREAM_EVENT_START)
 #define NS_PAGE_UNLOAD                  (NS_STREAM_EVENT_START + 1)
 #define NS_HASHCHANGE                   (NS_STREAM_EVENT_START + 2)
 #define NS_IMAGE_ABORT                  (NS_STREAM_EVENT_START + 3)
 #define NS_LOAD_ERROR                   (NS_STREAM_EVENT_START + 4)
-#define NS_POPSTATE                     (NS_STREAM_EVENT_START + 5)
 #define NS_BEFORE_PAGE_UNLOAD           (NS_STREAM_EVENT_START + 6)
 #define NS_PAGE_RESTORE                 (NS_STREAM_EVENT_START + 7)
  
 #define NS_FORM_EVENT_START             1200
 #define NS_FORM_SUBMIT                  (NS_FORM_EVENT_START)
 #define NS_FORM_RESET                   (NS_FORM_EVENT_START + 1)
 #define NS_FORM_CHANGE                  (NS_FORM_EVENT_START + 2)
 #define NS_FORM_SELECTED                (NS_FORM_EVENT_START + 3)
--- a/widget/src/xpwidgets/nsBaseWidget.cpp
+++ b/widget/src/xpwidgets/nsBaseWidget.cpp
@@ -1093,17 +1093,16 @@ case _value: eventName.AssignWithConvers
     _ASSIGN_eventName(NS_MOUSE_EXIT,"NS_MOUSE_EXIT");
     _ASSIGN_eventName(NS_MOUSE_BUTTON_DOWN,"NS_MOUSE_BUTTON_DOWN");
     _ASSIGN_eventName(NS_MOUSE_BUTTON_UP,"NS_MOUSE_BUTTON_UP");
     _ASSIGN_eventName(NS_MOUSE_CLICK,"NS_MOUSE_CLICK");
     _ASSIGN_eventName(NS_MOUSE_DOUBLECLICK,"NS_MOUSE_DBLCLICK");
     _ASSIGN_eventName(NS_MOUSE_MOVE,"NS_MOUSE_MOVE");
     _ASSIGN_eventName(NS_MOVE,"NS_MOVE");
     _ASSIGN_eventName(NS_LOAD,"NS_LOAD");
-    _ASSIGN_eventName(NS_POPSTATE,"NS_POPSTATE");
     _ASSIGN_eventName(NS_PAGE_UNLOAD,"NS_PAGE_UNLOAD");
     _ASSIGN_eventName(NS_HASHCHANGE,"NS_HASHCHANGE");
     _ASSIGN_eventName(NS_PAINT,"NS_PAINT");
     _ASSIGN_eventName(NS_XUL_BROADCAST, "NS_XUL_BROADCAST");
     _ASSIGN_eventName(NS_XUL_COMMAND_UPDATE, "NS_XUL_COMMAND_UPDATE");
     _ASSIGN_eventName(NS_SCROLLBAR_LINE_NEXT,"NS_SB_LINE_NEXT");
     _ASSIGN_eventName(NS_SCROLLBAR_LINE_PREV,"NS_SB_LINE_PREV");
     _ASSIGN_eventName(NS_SCROLLBAR_PAGE_NEXT,"NS_SB_PAGE_NEXT");
--- a/xpcom/ds/nsIVariant.idl
+++ b/xpcom/ds/nsIVariant.idl
@@ -72,31 +72,26 @@ interface nsIDataType : nsISupports
     const PRUint16 VTYPE_WSTRING_SIZE_IS     = 22; // TD_PWSTRING_SIZE_IS  = 22,
     const PRUint16 VTYPE_UTF8STRING          = 23; // TD_UTF8STRING        = 23,
     const PRUint16 VTYPE_CSTRING             = 24; // TD_CSTRING           = 24,
     const PRUint16 VTYPE_ASTRING             = 25; // TD_ASTRING           = 25,
     const PRUint16 VTYPE_EMPTY_ARRAY         = 254;
     const PRUint16 VTYPE_EMPTY               = 255;
 };
 
-%{ C++
-#include "jspubtd.h"
-%}
-
-native JSVal(jsval);
 
 /**
  * XPConnect has magic to transparently convert between nsIVariant and JS types.
  * We mark the interface [scriptable] so that JS can use methods
  * that refer to this interface. But we mark all the methods and attributes
  * [noscript] since any nsIVariant object will be automatically converted to a
  * JS type anyway.
  */
 
-[scriptable, uuid(81e4c2de-acac-4ad6-901a-b5fb1b851a0d)]
+[scriptable, uuid(6c9eb060-8c6a-11d5-90f3-0010a4e73d9a)]
 interface nsIVariant : nsISupports
 {
     [noscript] readonly attribute PRUint16     dataType;
 
     [noscript] PRUint8      getAsInt8();
     [noscript] PRInt16      getAsInt16();
     [noscript] PRInt32      getAsInt32();
     [noscript] PRInt64      getAsInt64();
@@ -112,17 +107,16 @@ interface nsIVariant : nsISupports
     [notxpcom] nsresult     getAsID(out nsID retval);
     [noscript] AString      getAsAString();
     [noscript] DOMString    getAsDOMString();
     [noscript] ACString     getAsACString();
     [noscript] AUTF8String  getAsAUTF8String();
     [noscript] string       getAsString();
     [noscript] wstring      getAsWString();
     [noscript] nsISupports  getAsISupports();
-    [noscript] JSVal        getAsJSVal();
 
     [noscript] void getAsInterface(out nsIIDPtr iid, 
                                    [iid_is(iid), retval] out nsQIResult iface);
 
     [notxpcom] nsresult getAsArray(out PRUint16 type, out nsIID iid,
                                    out PRUint32 count, out voidPtr ptr);
 
     [noscript] void getAsStringWithSize(out PRUint32 size, 
--- a/xpcom/ds/nsVariant.cpp
+++ b/xpcom/ds/nsVariant.cpp
@@ -1881,23 +1881,16 @@ NS_IMETHODIMP nsVariant::GetAsWString(PR
 }
 
 /* nsISupports getAsISupports (); */
 NS_IMETHODIMP nsVariant::GetAsISupports(nsISupports **_retval)
 {
     return nsVariant::ConvertToISupports(mData, _retval);
 }
 
-/* jsval getAsJSVal() */
-NS_IMETHODIMP nsVariant::GetAsJSVal(jsval *_retval)
-{
-    // Can only get the JSVal from an XPCVariant.
-    return NS_ERROR_CANNOT_CONVERT_DATA;
-}
-
 /* void getAsInterface (out nsIIDPtr iid, [iid_is (iid), retval] out nsQIResult iface); */
 NS_IMETHODIMP nsVariant::GetAsInterface(nsIID * *iid, void * *iface)
 {
     return nsVariant::ConvertToInterface(mData, iid, iface);
 }
 
 /* [notxpcom] nsresult getAsArray (out PRUint16 type, out nsIID iid, out PRUint32 count, out voidPtr ptr); */
 NS_IMETHODIMP_(nsresult) nsVariant::GetAsArray(PRUint16 *type, nsIID *iid, PRUint32 *count, void * *ptr)