Bug 1050049 - Whitelist bindings that we actually expect to use in content. r=smaug
authorBobby Holley <bobbyholley@gmail.com>
Mon, 11 Aug 2014 20:06:55 -0700
changeset 198962 ce94fbaec83c207f00d47b22c114c21e55174bca
parent 198961 d78a39f01102f1206679adee3890b8a509213702
child 198963 1358c1ad00b483a7d6815a5c516be07b2107cc4e
push id47545
push userbobbyholley@gmail.com
push dateTue, 12 Aug 2014 03:07:16 +0000
treeherdermozilla-inbound@9648b3e555db [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug
bugs1050049
milestone34.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1050049 - Whitelist bindings that we actually expect to use in content. r=smaug
browser/components/feeds/content/subscribe.xml
dom/xbl/builtin/android/platformHTMLBindings.xml
dom/xbl/builtin/emacs/platformHTMLBindings.xml
dom/xbl/builtin/mac/platformHTMLBindings.xml
dom/xbl/builtin/unix/platformHTMLBindings.xml
dom/xbl/builtin/win/platformHTMLBindings.xml
dom/xbl/test/file_bug944407.xml
dom/xbl/test/file_bug950909.xml
dom/xml/resources/XMLPrettyPrint.xml
layout/style/xbl-marquee/xbl-marquee.xml
toolkit/content/widgets/scrollbar.xml
toolkit/mozapps/plugins/content/pluginProblem.xml
--- a/browser/components/feeds/content/subscribe.xml
+++ b/browser/components/feeds/content/subscribe.xml
@@ -6,17 +6,17 @@
 <!DOCTYPE bindings [
   <!ENTITY % feedDTD
     SYSTEM "chrome://browser/locale/feeds/subscribe.dtd">
   %feedDTD;
 ]>
 <bindings id="feedBindings"
           xmlns="http://www.mozilla.org/xbl"
           xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
-  <binding id="feedreaderUI">
+  <binding id="feedreaderUI" bindToUntrustedContent="true">
     <content>
       <xul:vbox>
         <xul:hbox align="center">
           <xul:description anonid="subscribeUsingDescription" class="subscribeUsingDescription"/>
           <xul:menulist anonid="handlersMenuList" class="handlersMenuList" aria-labelledby="subscribeUsingDescription">
             <xul:menupopup anonid="handlersMenuPopup" class="handlersMenuPopup">
               <xul:menuitem anonid="liveBookmarksMenuItem" label="&feedLiveBookmarks;" class="menuitem-iconic liveBookmarksMenuItem" image="chrome://browser/skin/page-livemarks.png" selected="true"/>
               <xul:menuseparator/>
--- a/dom/xbl/builtin/android/platformHTMLBindings.xml
+++ b/dom/xbl/builtin/android/platformHTMLBindings.xml
@@ -3,17 +3,17 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 
 <bindings id="htmlBindings"
    xmlns="http://www.mozilla.org/xbl"
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
 
-  <binding id="inputFields">
+  <binding id="inputFields" bindToUntrustedContent="true">
     <handlers>
 #include ../input-fields-base.inc
       <handler event="keypress" key="a" modifiers="accel" command="cmd_selectAll"/>
 
       <handler event="keypress" keycode="VK_LEFT" modifiers="control" command="cmd_wordPrevious"/>
       <handler event="keypress" keycode="VK_RIGHT" modifiers="control" command="cmd_wordNext"/>
       <handler event="keypress" keycode="VK_LEFT" modifiers="shift,control" command="cmd_selectWordPrevious"/>
       <handler event="keypress" keycode="VK_RIGHT" modifiers="shift,control" command="cmd_selectWordNext"/>
@@ -29,17 +29,17 @@
 
       <handler event="keypress" keycode="VK_BACK" modifiers="shift" command="cmd_deleteCharForward"/>
       <handler event="keypress" keycode="VK_BACK" modifiers="shift,alt" command="cmd_deleteToEndOfLine"/>
       <handler event="keypress" keycode="VK_BACK" modifiers="alt" command="cmd_deleteToBeginningOfLine"/>
       <handler event="keypress" keycode="VK_DELETE" modifiers="alt" command="cmd_deleteToEndOfLine"/>
     </handlers>
   </binding>
 
-  <binding id="textAreas">
+  <binding id="textAreas" bindToUntrustedContent="true">
     <handlers>
 #include ../textareas-base.inc
       <handler event="keypress" key="a" modifiers="accel" command="cmd_selectAll"/>
 
       <handler event="keypress" keycode="VK_LEFT" modifiers="control" command="cmd_wordPrevious"/>
       <handler event="keypress" keycode="VK_RIGHT" modifiers="control" command="cmd_wordNext"/>
       <handler event="keypress" keycode="VK_LEFT" modifiers="shift,control" command="cmd_selectWordPrevious"/>
       <handler event="keypress" keycode="VK_RIGHT" modifiers="shift,control" command="cmd_selectWordNext"/>
--- a/dom/xbl/builtin/emacs/platformHTMLBindings.xml
+++ b/dom/xbl/builtin/emacs/platformHTMLBindings.xml
@@ -3,17 +3,17 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 
 <bindings id="htmlBindings"
    xmlns="http://www.mozilla.org/xbl"
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  
-  <binding id="inputFields">
+  <binding id="inputFields" bindToUntrustedContent="true">
     <handlers>
 #include ../input-fields-base.inc
     <!-- Emacsish single-line motion and delete keys -->
     <handler event="keypress" key="a" modifiers="control"
         command="cmd_beginLine"/>
     <handler event="keypress" key="e" modifiers="control"
         command="cmd_endLine"/>
     <handler event="keypress" key="b" modifiers="control"
@@ -71,17 +71,17 @@
         command="cmd_selectWordNext"/>
     <handler event="keypress" key="y" modifiers="accel"
         command="cmd_redo"/>
     <handler event="keypress" key="a" modifiers="alt"
         command="cmd_selectAll"/>
     </handlers>
   </binding>
 
-  <binding id="textAreas">
+  <binding id="textAreas" bindToUntrustedContent="true">
     <handlers>
 #include ../textareas-base.inc
     <!-- Emacsish single-line motion and delete keys -->
     <handler event="keypress" key="a" modifiers="control"
         command="cmd_beginLine"/>
     <handler event="keypress" key="e" modifiers="control"
         command="cmd_endLine"/>
     <handler event="keypress" id="key_left" key="b" modifiers="control"
--- a/dom/xbl/builtin/mac/platformHTMLBindings.xml
+++ b/dom/xbl/builtin/mac/platformHTMLBindings.xml
@@ -3,28 +3,28 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 
 <bindings id="htmlBindings"
    xmlns="http://www.mozilla.org/xbl"
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
 
-  <binding id="inputFields">
+  <binding id="inputFields" bindToUntrustedContent="true">
     <handlers>
       <handler event="keypress" key="c" modifiers="accel" command="cmd_copy"/>
       <handler event="keypress" key="x" modifiers="accel" command="cmd_cut"/>
       <handler event="keypress" key="v" modifiers="accel" command="cmd_paste"/>
       <handler event="keypress" key="z" modifiers="accel" command="cmd_undo"/>
       <handler event="keypress" key="z" modifiers="accel,shift" command="cmd_redo"/>
       <handler event="keypress" key="a" modifiers="accel" command="cmd_selectAll"/>
     </handlers>
   </binding>
 
-  <binding id="textAreas">
+  <binding id="textAreas" bindToUntrustedContent="true">
     <handlers>
       <handler event="keypress" key="c" modifiers="accel" command="cmd_copy"/>
       <handler event="keypress" key="x" modifiers="accel" command="cmd_cut"/>
       <handler event="keypress" key="v" modifiers="accel" command="cmd_paste"/>
       <handler event="keypress" key="z" modifiers="accel" command="cmd_undo"/>
       <handler event="keypress" key="z" modifiers="accel,shift" command="cmd_redo"/>
       <handler event="keypress" key="a" modifiers="accel" command="cmd_selectAll"/>
     </handlers>
--- a/dom/xbl/builtin/unix/platformHTMLBindings.xml
+++ b/dom/xbl/builtin/unix/platformHTMLBindings.xml
@@ -3,29 +3,29 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 
 <bindings id="htmlBindings"
    xmlns="http://www.mozilla.org/xbl"
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  
-  <binding id="inputFields">
+  <binding id="inputFields" bindToUntrustedContent="true">
     <handlers>
 #include ../input-fields-base.inc
     <handler event="keypress" key="a" modifiers="alt"
         command="cmd_selectAll"/>
     <handler event="keypress" key="y" modifiers="accel"
         command="cmd_redo"/>
     <handler event="keypress" key="z" modifiers="accel,shift" command="cmd_redo"/>
     <handler event="keypress" key="z" modifiers="accel" command="cmd_undo"/>
     </handlers>
   </binding>
 
-  <binding id="textAreas">
+  <binding id="textAreas" bindToUntrustedContent="true">
     <handlers>
 #include ../textareas-base.inc
     <handler event="keypress" key="a" modifiers="alt"
         command="cmd_selectAll"/>
     <handler event="keypress" key="y" modifiers="accel"
         command="cmd_redo"/>
     <handler event="keypress" key="z" modifiers="accel" command="cmd_undo"/>
     <handler event="keypress" key="z" modifiers="accel,shift" command="cmd_redo"/>
--- a/dom/xbl/builtin/win/platformHTMLBindings.xml
+++ b/dom/xbl/builtin/win/platformHTMLBindings.xml
@@ -3,17 +3,17 @@
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 
 <bindings id="htmlBindings"
    xmlns="http://www.mozilla.org/xbl"
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  
-  <binding id="inputFields">
+  <binding id="inputFields" bindToUntrustedContent="true">
     <handlers>
 #include ../input-fields-base.inc
       <handler event="keypress" key="a" modifiers="accel" command="cmd_selectAll"/>
       <handler event="keypress" keycode="VK_HOME" command="cmd_beginLine"/>
       <handler event="keypress" keycode="VK_END" command="cmd_endLine"/>
       <handler event="keypress" keycode="VK_HOME" modifiers="shift" command="cmd_selectBeginLine"/>
       <handler event="keypress" keycode="VK_END" modifiers="shift" command="cmd_selectEndLine"/>
       <handler event="keypress" keycode="VK_HOME" modifiers="shift,control"
@@ -47,17 +47,17 @@
         command="cmd_undo"/>
       <handler event="keypress" keycode="VK_BACK" modifiers="alt,shift"
         command="cmd_redo"/>
       <handler event="keypress" keycode="VK_BACK" modifiers="control"
         command="cmd_deleteWordBackward"/>
     </handlers>
   </binding>
 
-  <binding id="textAreas">
+  <binding id="textAreas" bindToUntrustedContent="true">
     <handlers>
 #include ../textareas-base.inc
       <handler event="keypress" key="a" modifiers="accel" command="cmd_selectAll"/>
       <handler event="keypress" keycode="VK_HOME" 
         command="cmd_beginLine"/>
       <handler event="keypress" keycode="VK_END" 
         command="cmd_endLine"/>
       <handler event="keypress" keycode="VK_HOME" modifiers="shift" 
--- a/dom/xbl/test/file_bug944407.xml
+++ b/dom/xbl/test/file_bug944407.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0"?>
 <bindings id="testBindings" xmlns="http://www.mozilla.org/xbl"
           xmlns:html="http://www.w3.org/1999/xhtml">
-  <binding id="testAllowScript">
+  <binding id="testAllowScript" bindToUntrustedContent="true">
     <implementation>
        <property name="someProp" onget="return 2;" readonly="true"></property>
        <method name="someMethod"><body> return 3; </body></method>
        <method name="startTest">
          <body>
          <![CDATA[
            // Make sure we only get constructed when we're loaded from a domain
            // with script enabled.
--- a/dom/xbl/test/file_bug950909.xml
+++ b/dom/xbl/test/file_bug950909.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0"?>
 <bindings id="chromeTestBindings" xmlns="http://www.mozilla.org/xbl">
-  <binding id="testBinding">
+  <binding id="testBinding" bindToUntrustedContent="true">
     <implementation implements="nsIObserver">
       <constructor>
       <![CDATA[
         // This binding gets applied to a content object, and thus is actually
         // running in a content XBL scope.
         var win = XPCNativeWrapper.unwrap(window);
         var SpecialPowers = win.SpecialPowers;
         var ok = SpecialPowers.unwrap(SpecialPowers.wrap(window).parent.ok);
--- a/dom/xml/resources/XMLPrettyPrint.xml
+++ b/dom/xml/resources/XMLPrettyPrint.xml
@@ -1,17 +1,17 @@
 <?xml version="1.0"?>
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <bindings xmlns="http://www.mozilla.org/xbl"
           xmlns:html="http://www.w3.org/1999/xhtml">
 
-  <binding id="prettyprint">
+  <binding id="prettyprint" bindToUntrustedContent="true">
 
     <content><html:div id='top'/>
       <html:span style="display: none;"><children/></html:span>
     </content>
 
     <handlers>
       <handler event="click" button="0">
       <![CDATA[
--- a/layout/style/xbl-marquee/xbl-marquee.xml
+++ b/layout/style/xbl-marquee/xbl-marquee.xml
@@ -5,17 +5,17 @@
 
 <bindings id="marqueeBindings"
           xmlns="http://www.mozilla.org/xbl"
           xmlns:html="http://www.w3.org/1999/xhtml"
           xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
           xmlns:xbl="http://www.mozilla.org/xbl">
 
 
-  <binding id="marquee">
+  <binding id="marquee" bindToUntrustedContent="true">
 
     <resources>
       <stylesheet src="chrome://xbl-marquee/content/xbl-marquee.css"/>
     </resources>
     <implementation>
 
       <property name="scrollAmount" exposeToUntrustedContent="true">
         <getter>
@@ -618,17 +618,17 @@
             }
           }
         ]]>
       </handler>
     </handlers>
 
   </binding>
 
-  <binding id="marquee-horizontal"
+  <binding id="marquee-horizontal" bindToUntrustedContent="true"
            extends="chrome://xbl-marquee/content/xbl-marquee.xml#marquee"
            inheritstyle="false">
 
     <!-- White-space isn't allowed because a marquee could be 
          inside 'white-space: pre' -->
     <content>
       <html:div style="display: -moz-box; overflow: hidden; width: -moz-available;"
         ><html:div style="display: -moz-box;"
@@ -638,46 +638,46 @@
             /></html:div
           ></html:div
         ></html:div
       ></html:div>
     </content>
 
   </binding>
 
-  <binding id="marquee-vertical"
+  <binding id="marquee-vertical" bindToUntrustedContent="true"
            extends="chrome://xbl-marquee/content/xbl-marquee.xml#marquee"
            inheritstyle="false">
 
     <!-- White-space isn't allowed because a marquee could be 
          inside 'white-space: pre' -->
     <content>
       <html:div style="overflow: hidden; width: -moz-available;"
         ><html:div class="innerDiv"
           ><children
         /></html:div
       ></html:div>
     </content>
 
   </binding>
 
-  <binding id="marquee-horizontal-editable"
+  <binding id="marquee-horizontal-editable" bindToUntrustedContent="true"
            inheritstyle="false">
 
     <!-- White-space isn't allowed because a marquee could be 
          inside 'white-space: pre' -->
     <content>
       <html:div style="display: inline-block; overflow: auto; width: -moz-available;"
         ><children
       /></html:div>
     </content>
 
   </binding>
 
-  <binding id="marquee-vertical-editable"
+  <binding id="marquee-vertical-editable" bindToUntrustedContent="true"
            inheritstyle="false">
 
     <!-- White-space isn't allowed because a marquee could be 
          inside 'white-space: pre' -->
     <content>
       <html:div style="overflow: auto; height: inherit; width: -moz-available;"
         ><children/></html:div>
     </content>
--- a/toolkit/content/widgets/scrollbar.xml
+++ b/toolkit/content/widgets/scrollbar.xml
@@ -6,26 +6,26 @@
 
 <bindings id="scrollbarBindings"
    xmlns="http://www.mozilla.org/xbl"
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
    xmlns:xbl="http://www.mozilla.org/xbl">
   
   <binding id="thumb" extends="xul:button" />
 
-  <binding id="scrollbar-base">
+  <binding id="scrollbar-base" bindToUntrustedContent="true">
     <handlers>
       <handler event="contextmenu" preventdefault="true" action="event.stopPropagation();"/>
       <handler event="click" preventdefault="true" action="event.stopPropagation();"/>
       <handler event="dblclick" action="event.stopPropagation();"/>
       <handler event="command" action="event.stopPropagation();"/>
     </handlers>
   </binding>
 
-  <binding id="scrollbar" extends="chrome://global/content/bindings/scrollbar.xml#scrollbar-base">
+  <binding id="scrollbar" bindToUntrustedContent="true" extends="chrome://global/content/bindings/scrollbar.xml#scrollbar-base">
     <content clickthrough="always">
       <xul:scrollbarbutton sbattr="scrollbar-up-top" type="decrement" xbl:inherits="curpos,maxpos,disabled,sborient=orient"/>
       <xul:scrollbarbutton sbattr="scrollbar-down-top" type="increment" xbl:inherits="curpos,maxpos,disabled,sborient=orient"/>
       <xul:slider flex="1" xbl:inherits="disabled,curpos,maxpos,pageincrement,increment,orient,sborient=orient">
         <xul:thumb sbattr="scrollbar-thumb" xbl:inherits="orient,sborient=orient,collapsed=disabled" 
                    align="center" pack="center"/>
       </xul:slider>
       <xul:scrollbarbutton sbattr="scrollbar-up-bottom" type="decrement" xbl:inherits="curpos,maxpos,disabled,sborient=orient"/>
--- a/toolkit/mozapps/plugins/content/pluginProblem.xml
+++ b/toolkit/mozapps/plugins/content/pluginProblem.xml
@@ -10,17 +10,17 @@
   %globalDTD;
   %brandDTD;
 ]>
 
 <bindings id="pluginBindings"
               xmlns="http://www.mozilla.org/xbl"
               xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
               xmlns:html="http://www.w3.org/1999/xhtml">
-<binding id="pluginProblem" inheritstyle="false" chromeOnlyContent="true">
+<binding id="pluginProblem" inheritstyle="false" chromeOnlyContent="true" bindToUntrustedContent="true">
     <resources>
         <stylesheet src="chrome://mozapps/content/plugins/pluginProblemContent.css"/>
         <stylesheet src="chrome://mozapps/skin/plugins/pluginProblem.css"/>
     </resources>
 
     <content>
         <html:div class="mainBox" anonid="main" chromedir="&locale.dir;">
             <html:div class="hoverBox">