Bug 424923: Remove support for cross-site XHR. r/sr=jst for code changes
authorjonas@sicking.cc
Tue, 25 Mar 2008 19:46:08 -0700
changeset 13557 2050cf0b5d3338f194557f9070e3e50580496811
parent 13556 253584b1c7372cb919d0da199703bf24a5c108cc
child 13558 bf8a63da45131d1cd35924da07337cb8960e8f93
push idunknown
push userunknown
push dateunknown
bugs424923
milestone1.9b5pre
Bug 424923: Remove support for cross-site XHR. r/sr=jst for code changes
content/base/src/Makefile.in
content/base/src/nsCrossSiteListenerProxy.cpp
content/base/src/nsCrossSiteListenerProxy.h
content/base/src/nsSyncLoadService.cpp
content/base/src/nsXMLHttpRequest.cpp
content/base/src/nsXMLHttpRequest.h
content/base/test/Makefile.in
content/base/test/file_CrossSiteXHR2_fail1.xml
content/base/test/file_CrossSiteXHR2_fail1.xml^headers^
content/base/test/file_CrossSiteXHR2_fail2.xml
content/base/test/file_CrossSiteXHR2_inner.html
content/base/test/file_CrossSiteXHR2_pass1.xml
content/base/test/file_CrossSiteXHR2_pass1.xml^headers^
content/base/test/file_CrossSiteXHR2_pass2.xml
content/base/test/file_CrossSiteXHR2_pass3.xml
content/base/test/file_CrossSiteXHR2_pass3.xml^headers^
content/base/test/file_CrossSiteXHR2_pass3_redirect.xml
content/base/test/file_CrossSiteXHR3_inner.html
content/base/test/file_CrossSiteXHR3_pass1.xml
content/base/test/file_CrossSiteXHR3_pass1.xml^headers^
content/base/test/file_CrossSiteXHR_fail1.xml
content/base/test/file_CrossSiteXHR_fail2.xml
content/base/test/file_CrossSiteXHR_fail2.xml^headers^
content/base/test/file_CrossSiteXHR_fail3.xml
content/base/test/file_CrossSiteXHR_fail4.xml
content/base/test/file_CrossSiteXHR_pass1.xml
content/base/test/file_CrossSiteXHR_pass1.xml^headers^
content/base/test/file_CrossSiteXHR_pass2.xml
content/base/test/file_CrossSiteXHR_pass3.xml
content/base/test/file_XHR_fail1.txt
content/base/test/file_XHR_fail1.txt^headers^
content/base/test/file_XHR_fail1b.txt
content/base/test/file_XHR_pass1.xml
content/base/test/file_XHR_pass2.txt
content/base/test/file_XHR_pass3.txt
content/base/test/file_XHR_pass3.txt^headers^
content/base/test/test_CrossSiteXHR.html
content/base/test/test_CrossSiteXHR2.html
content/base/test/test_CrossSiteXHR3.html
content/base/test/test_XHR.html
content/html/document/src/nsHTMLDocument.cpp
content/html/document/src/nsHTMLDocument.h
content/html/document/src/nsIHTMLDocument.h
content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp
--- a/content/base/src/Makefile.in
+++ b/content/base/src/Makefile.in
@@ -112,17 +112,16 @@ CPPSRCS		= \
 		nsCommentNode.cpp \
 		nsContentAreaDragDrop.cpp \
 		nsContentIterator.cpp \
 		nsContentList.cpp \
 		nsContentPolicy.cpp \
 		nsContentSink.cpp \
 		nsContentUtils.cpp \
 		nsCopySupport.cpp \
-		nsCrossSiteListenerProxy.cpp \
 		nsDataDocumentContentPolicy.cpp \
 		nsDOMAttribute.cpp \
 		nsDOMAttributeMap.cpp \
 		nsDOMDocumentType.cpp \
 		nsDOMFile.cpp \
 		nsDOMLists.cpp \
 		nsDOMParser.cpp \
 		nsDOMSerializer.cpp \
deleted file mode 100644
--- a/content/base/src/nsCrossSiteListenerProxy.cpp
+++ /dev/null
@@ -1,969 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is Mozilla Foundation.
- * Portions created by the Initial Developer are Copyright (C) 2007
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Jonas Sicking <jonas@sicking.cc> (Original Author)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either of the GNU General Public License Version 2 or later (the "GPL"),
- * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsCrossSiteListenerProxy.h"
-#include "nsIChannel.h"
-#include "nsIHttpChannel.h"
-#include "nsDOMError.h"
-#include "nsContentUtils.h"
-#include "nsIScriptSecurityManager.h"
-#include "nsNetUtil.h"
-#include "nsIParser.h"
-#include "nsParserCIID.h"
-#include "nsICharsetAlias.h"
-#include "nsMimeTypes.h"
-#include "nsIStreamConverterService.h"
-#include "nsStringStream.h"
-#include "nsParserUtils.h"
-#include "nsGkAtoms.h"
-#include "nsWhitespaceTokenizer.h"
-#include "nsIChannelEventSink.h"
-
-static NS_DEFINE_CID(kCParserCID, NS_PARSER_CID);
-
-NS_IMPL_ISUPPORTS7(nsCrossSiteListenerProxy, nsIStreamListener,
-                   nsIRequestObserver, nsIContentSink, nsIXMLContentSink,
-                   nsIExpatSink, nsIChannelEventSink, nsIInterfaceRequestor)
-
-nsCrossSiteListenerProxy::nsCrossSiteListenerProxy(nsIStreamListener* aOuter,
-                                                   nsIPrincipal* aRequestingPrincipal,
-                                                   nsIChannel* aChannel,
-                                                   nsresult* aResult)
-  : mOuterListener(aOuter),
-    mRequestingPrincipal(aRequestingPrincipal),
-    mAcceptState(eNotSet),
-    mHasForwardedRequest(PR_FALSE),
-    mHasBeenCrossSite(PR_FALSE)
-{
-  aRequestingPrincipal->GetURI(getter_AddRefs(mRequestingURI));
-  aChannel->GetNotificationCallbacks(getter_AddRefs(mOuterNotificationCallbacks));
-  aChannel->SetNotificationCallbacks(this);
-
-  *aResult = UpdateChannel(aChannel);
-}
-
-nsresult
-nsCrossSiteListenerProxy::ForwardRequest(PRBool aFromStop)
-{
-  if (mHasForwardedRequest) {
-    return NS_OK;
-  }
-
-  mHasForwardedRequest = PR_TRUE;
-
-  if (mParser) {
-    mParser->Terminate();
-    mParser = nsnull;
-    mParserListener = nsnull;
-  }
-
-  if (mAcceptState != eAccept) {
-    mAcceptState = eDeny;
-    mOuterRequest->Cancel(NS_ERROR_DOM_BAD_URI);
-    mOuterListener->OnStartRequest(mOuterRequest, mOuterContext);
-
-    // Only call OnStopRequest here if we were called from OnStopRequest.
-    // Otherwise the call to Cancel will make us get an OnStopRequest later
-    // so we'll forward OnStopRequest then.
-    if (aFromStop) {
-      mOuterListener->OnStopRequest(mOuterRequest, mOuterContext,
-                                    NS_ERROR_DOM_BAD_URI);
-    }
-
-    // Clear this data just in case since it should never be forwarded.
-    mStoredData.Truncate();
-
-    return NS_ERROR_DOM_BAD_URI;
-  }
-
-  nsresult rv = mOuterListener->OnStartRequest(mOuterRequest, mOuterContext);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  if (!mStoredData.IsEmpty()) {
-    nsCOMPtr<nsIInputStream> stream;
-    rv = NS_NewCStringInputStream(getter_AddRefs(stream), mStoredData);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    rv = mOuterListener->OnDataAvailable(mOuterRequest, mOuterContext, stream,
-                                         0, mStoredData.Length());
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::OnStartRequest(nsIRequest* aRequest,
-                                         nsISupports* aContext)
-{
-  mOuterRequest = aRequest;
-  mOuterContext = aContext;
-
-  // Check if the request failed
-  nsresult status;
-  nsresult rv = aRequest->GetStatus(&status);
-  NS_ENSURE_SUCCESS(rv, rv);
-  if (NS_FAILED(status)) {
-    mAcceptState = eDeny;
-    return ForwardRequest(PR_FALSE);
-  }
-
-  // Check if this was actually a cross domain request
-  nsCOMPtr<nsIChannel> channel = do_QueryInterface(aRequest);
-  if (!channel) {
-    return NS_ERROR_DOM_BAD_URI;
-  }
-  nsCOMPtr<nsIURI> finalURI;
-  channel->GetURI(getter_AddRefs(finalURI));
-
-  if (!mHasBeenCrossSite) {
-    mAcceptState = eAccept;
-    return ForwardRequest(PR_FALSE);
-  }
-
-  nsCOMPtr<nsIHttpChannel> http = do_QueryInterface(channel);
-  if (http) {
-    PRBool succeeded;
-    rv = http->GetRequestSucceeded(&succeeded);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    if (!succeeded) {
-      mAcceptState = eDeny;
-      return ForwardRequest(PR_FALSE);
-    }
-  }
-
-  // Get the list of subdomains out of mRequestingURI
-  nsCString host;
-  rv = mRequestingURI->GetAsciiHost(host);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  PRInt32 nextDot, currDot = 0;
-  while ((nextDot = host.FindChar('.', currDot)) != -1) {
-    mReqSubdomains.AppendElement(Substring(host, currDot, nextDot - currDot));
-    currDot = nextDot + 1;
-  }
-  mReqSubdomains.AppendElement(Substring(host, currDot));
-
-  // Check the Access-Control header
-  if (http) {
-    nsCAutoString ac;
-    rv = http->GetResponseHeader(NS_LITERAL_CSTRING("Access-Control"), ac);
-    
-    if (NS_SUCCEEDED(rv)) {
-      CheckHeader(ac);
-    }
-  }
-
-  if (mAcceptState == eDeny) {
-    return ForwardRequest(PR_FALSE);
-  }
-
-  // Set up a parser with us as a sink to look for PIs
-  mParser = do_CreateInstance(kCParserCID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  mParserListener = do_QueryInterface(mParser);
-
-  mParser->SetCommand(kLoadAsData);
-  mParser->SetContentSink(this);
-  mParser->Parse(finalURI);
-
-  // check channel's charset...
-  nsCAutoString charset(NS_LITERAL_CSTRING("UTF-8"));
-  PRInt32 charsetSource = kCharsetFromDocTypeDefault;
-  nsCAutoString charsetVal;
-  rv = channel->GetContentCharset(charsetVal);
-  if (NS_SUCCEEDED(rv)) {
-    nsCOMPtr<nsICharsetAlias> calias =
-      do_GetService(NS_CHARSETALIAS_CONTRACTID);
-
-    if (calias) {
-      nsCAutoString preferred;
-      rv = calias->GetPreferred(charsetVal, preferred);
-      if (NS_SUCCEEDED(rv)) {            
-        charset = preferred;
-        charsetSource = kCharsetFromChannel;
-      }
-    }
-  }
-
-  mParser->SetDocumentCharset(charset, charsetSource);
-
-  nsCAutoString contentType;
-  channel->GetContentType(contentType);
-
-  // Time to sniff! Note: this should go away once file channels do
-  // sniffing themselves.
-  PRBool sniff;
-  if (NS_SUCCEEDED(finalURI->SchemeIs("file", &sniff)) && sniff &&
-    contentType.Equals(UNKNOWN_CONTENT_TYPE)) {
-    nsCOMPtr<nsIStreamConverterService> serv =
-      do_GetService("@mozilla.org/streamConverters;1", &rv);
-    if (NS_SUCCEEDED(rv)) {
-      nsCOMPtr<nsIStreamListener> converter;
-      rv = serv->AsyncConvertData(UNKNOWN_CONTENT_TYPE,
-                                  "*/*",
-                                  mParserListener,
-                                  aContext,
-                                  getter_AddRefs(converter));
-      if (NS_SUCCEEDED(rv)) {
-        mParserListener = converter;
-      }
-    }
-  }
-
-  // Hold a local reference to make sure the parser doesn't go away
-  nsCOMPtr<nsIStreamListener> stackedListener = mParserListener;
-  return stackedListener->OnStartRequest(aRequest, aContext);
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::OnStopRequest(nsIRequest* aRequest,
-                                        nsISupports* aContext,
-                                        nsresult aStatusCode)
-{
-  if (mHasForwardedRequest) {
-    return mOuterListener->OnStopRequest(aRequest, aContext, aStatusCode);
-  }
-
-  mAcceptState = eDeny;
-  return ForwardRequest(PR_TRUE);
-}
-
-NS_METHOD
-StringSegmentWriter(nsIInputStream *aInStream,
-                    void *aClosure,
-                    const char *aFromSegment,
-                    PRUint32 aToOffset,
-                    PRUint32 aCount,
-                    PRUint32 *aWriteCount)
-{
-  nsCString* dest = static_cast<nsCString*>(aClosure);
-
-  dest->Append(aFromSegment, aCount);
-  *aWriteCount = aCount;
-  
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::OnDataAvailable(nsIRequest* aRequest,
-                                          nsISupports* aContext, 
-                                          nsIInputStream* aInputStream,
-                                          PRUint32 aOffset,
-                                          PRUint32 aCount)
-{
-  if (mHasForwardedRequest) {
-    if (mAcceptState != eAccept) {
-      return NS_ERROR_DOM_BAD_URI;
-    }
-    return mOuterListener->OnDataAvailable(aRequest, aContext, aInputStream,
-                                           aOffset, aCount);
-  }
-
-  NS_ASSERTION(mStoredData.Length() == aOffset,
-               "Stored wrong amount of data");
-
-  PRUint32 read;
-  nsresult rv = aInputStream->ReadSegments(StringSegmentWriter, &mStoredData,
-                                           aCount, &read);
-  NS_ENSURE_SUCCESS(rv, rv);
-  NS_ASSERTION(read == aCount, "didn't store all of the stream");
-
-  nsCOMPtr<nsIInputStream> stream;
-  rv = NS_NewCStringInputStream(getter_AddRefs(stream),
-                                Substring(mStoredData, aOffset));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Hold a local reference to make sure the parser doesn't go away
-  nsCOMPtr<nsIStreamListener> stackedListener = mParserListener;
-  rv = stackedListener->OnDataAvailable(aRequest, aContext, stream, aOffset,
-                                        aCount);
-  // When we forward the request we also terminate the parsing which will
-  // result in an error bubbling up to here. We want to ignore the error
-  // in that case.
-  if (mHasForwardedRequest) {
-    rv = mAcceptState == eAccept ? NS_OK : NS_ERROR_DOM_BAD_URI;
-  }
-  return rv;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleStartElement(const PRUnichar *aName,
-                                             const PRUnichar **aAtts,
-                                             PRUint32 aAttsCount,
-                                             PRInt32 aIndex,
-                                             PRUint32 aLineNumber)
-{
-  // We're done processing the prolog.
-  ForwardRequest(PR_FALSE);
-
-  // Stop the parser since we don't want to spend more cycles on parsing
-  // stuff.
-  return NS_ERROR_HTMLPARSER_STOPPARSING;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleEndElement(const PRUnichar *aName)
-{
-  NS_ASSERTION(mHasForwardedRequest, "Should have forwarded request");
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleComment(const PRUnichar *aName)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleCDataSection(const PRUnichar *aData,
-                                             PRUint32 aLength)
-{
-  NS_ASSERTION(mHasForwardedRequest, "Should have forwarded request");
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleDoctypeDecl(const nsAString & aSubset,
-                                            const nsAString & aName,
-                                            const nsAString & aSystemId,
-                                            const nsAString & aPublicId,
-                                            nsISupports *aCatalogData)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleCharacterData(const PRUnichar *aData,
-                                              PRUint32 aLength)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleProcessingInstruction(const PRUnichar *aTarget,
-                                                      const PRUnichar *aData)
-{
-  if (mHasForwardedRequest ||
-      !NS_LITERAL_STRING("access-control").Equals(aTarget)) {
-    return NS_OK;
-  }
-
-  nsDependentString data(aData);
-
-  PRBool seenType = PR_FALSE, seenExclude = PR_FALSE;
-  PRBool ruleIsAllow = PR_FALSE;
-  nsAutoString itemList, excludeList;
-
-  PRUint32 i;
-  for (i = 0;; ++i) {
-    nsAutoString attrName;
-    if (nsParserUtils::GetQuotedAttrNameAt(data, i, attrName) &&
-        attrName.IsEmpty()) {
-      break;
-    }
-
-    nsCOMPtr<nsIAtom> attr = do_GetAtom(attrName);
-
-    PRBool res;
-    if (!seenType && attrName.EqualsLiteral("allow")) {
-      seenType = PR_TRUE;
-      ruleIsAllow = PR_TRUE;
-
-      res = nsParserUtils::GetQuotedAttributeValue(data, attr, itemList);
-    }
-    else if (!seenType && attrName.EqualsLiteral("deny")) {
-      seenType = PR_TRUE;
-      ruleIsAllow = PR_FALSE;
-
-      res = nsParserUtils::GetQuotedAttributeValue(data, attr, itemList);
-    }
-    else if (!seenExclude && attrName.EqualsLiteral("exclude")) {
-      seenExclude = PR_TRUE;
-
-      res = nsParserUtils::GetQuotedAttributeValue(data, attr, excludeList);
-    }
-    else {
-      res = PR_FALSE;
-    }
-    
-    if (!res) {
-      // parsing attribute value failed or unknown/duplicated attribute
-      mAcceptState = eDeny;
-      return ForwardRequest(PR_FALSE);
-    }
-  }
-
-  PRBool matchesRule = PR_FALSE;
-
-  nsWhitespaceTokenizer itemTok(itemList);
-
-  if (!itemTok.hasMoreTokens()) {
-    mAcceptState = eDeny;
-
-    return ForwardRequest(PR_FALSE);
-  }
-
-  while (itemTok.hasMoreTokens()) {
-    // Order is important here since we always want to call the function
-    matchesRule = VerifyAndMatchDomainPattern(
-      NS_ConvertUTF16toUTF8(itemTok.nextToken())) || matchesRule;
-  }
-
-  nsWhitespaceTokenizer excludeTok(excludeList);
-  while (excludeTok.hasMoreTokens()) {
-    // Order is important here since we always want to call the function
-    matchesRule = !VerifyAndMatchDomainPattern(
-      NS_ConvertUTF16toUTF8(excludeTok.nextToken())) && matchesRule;
-  }
-
-  if (matchesRule && mAcceptState != eDeny) {
-    mAcceptState = ruleIsAllow ? eAccept : eDeny;
-  }
-
-  if (mAcceptState == eDeny) {
-    return ForwardRequest(PR_FALSE);
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::HandleXMLDeclaration(const PRUnichar *aVersion,
-                                               const PRUnichar *aEncoding,
-                                               PRInt32 aStandalone)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::ReportError(const PRUnichar *aErrorText,
-                                      const PRUnichar *aSourceText,
-                                      nsIScriptError *aError,
-                                      PRBool *_retval)
-{
-  if (!mHasForwardedRequest) {
-    mAcceptState = eDeny;
-
-    return ForwardRequest(PR_FALSE);
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::WillBuildModel()
-{
-  nsCOMPtr<nsIDTD> dtd;
-  mParser->GetDTD(getter_AddRefs(dtd));
-  NS_ASSERTION(dtd, "missing dtd in WillBuildModel");
-  if (dtd && !(dtd->GetType() & NS_IPARSER_FLAG_XML)) {
-    ForwardRequest(PR_FALSE);
-    
-    // Stop the parser since we don't want to spend more cycles on parsing
-    // stuff.
-    return NS_ERROR_HTMLPARSER_STOPPARSING;
-  }
-
-  return NS_OK;
-}
-
-// Moves aIter past the LWS (RFC2616) directly following it.
-// Returns PR_TRUE and updates aIter if there was an LWS there,
-//         PR_FALSE otherwise
-static PRBool
-EatLWS(const char*& aIter, const char* aEnd)
-{
-  if (aIter + 1 < aEnd && *aIter == '\r' && *(aIter + 1) == '\n') {
-    aIter += 2;
-  }
-
-  PRBool res = PR_FALSE;
-  while (aIter < aEnd && (*aIter == '\t' || *aIter == ' ')) {
-    ++aIter;
-    res = PR_TRUE;
-  }
-  
-  return res;
-}
-
-// Moves aIter past the string, given by aString, directly following it.
-// Returns PR_TRUE and updates aIter if the string was there,
-//         PR_FALSE otherwise
-static PRBool
-EatString(const char*& aIter, const char* aEnd, const char* aString)
-{
-  const char* local = aIter;
-  while (*aString && local < aEnd && *local == *aString) {
-    ++local;
-    ++aString;
-  }
-  if (*aString) {
-    return PR_FALSE;
-  }
-
-  aIter = local;
-  
-  return PR_TRUE;
-}
-
-// Moves aIter to the first aChar following it.
-// Returns The string between the aIters initial position and the
-// found character if one was found.
-// Returns an empty string otherwise.
-static nsDependentCSubstring
-EatToChar(const char*& aIter, const char* aEnd, char aChar)
-{
-  const char* start = aIter;
-  while (aIter < aEnd) {
-    if (*aIter == aChar) {
-      return Substring(start, aIter);
-    }
-    ++aIter;
-  }
-
-  static char emptyStatic[] = { '\0' };
-
-  aIter = start;
-  return Substring(emptyStatic, emptyStatic);
-}
-
-PRBool
-nsCrossSiteListenerProxy::MatchPatternList(const char*& aIter, const char* aEnd)
-{
-  PRBool matchesList = PR_FALSE;
-  PRBool hasItems = PR_FALSE;
-
-  for (;;) {
-    const char* start = aIter;
-    if (!EatLWS(aIter, aEnd)) {
-      break;
-    }
-
-    if (!EatString(aIter, aEnd, "<")) {
-      // restore iterator to before LWS since it wasn't part of the list
-      aIter = start;
-      break;
-    }
-
-    const nsACString& accessItem = EatToChar(aIter, aEnd, '>');
-    if (!EatString(aIter, aEnd, ">")) {
-      mAcceptState = eDeny;
-      break;
-    }
-
-    hasItems = PR_TRUE;
-
-    // Order is important here since we always want to call the function
-    matchesList = VerifyAndMatchDomainPattern(accessItem) || matchesList;
-  }
-
-  if (!hasItems) {
-    mAcceptState = eDeny;
-  }
-
-  return matchesList;
-}
-
-#define DENY_AND_RETURN \
-      mAcceptState = eDeny; \
-      return
-
-void
-nsCrossSiteListenerProxy::CheckHeader(const nsCString& aHeader)
-{
-  const char* iter = aHeader.BeginReading();
-  const char* end = aHeader.EndReading();
-
-  // ruleset        ::= LWS? rule LWS? ("," LWS? rule LWS?)*
-  while (iter < end) {
-    // eat LWS?
-    EatLWS(iter, end);
-
-    // rule ::= rule-type (LWS pattern)+ (LWS "exclude" (LWS pattern)+)?
-    // eat rule-type
-    PRBool ruleIsAllow;
-    if (EatString(iter, end, "deny")) {
-      ruleIsAllow = PR_FALSE;
-    }
-    else if (EatString(iter, end, "allow")) {
-      ruleIsAllow = PR_TRUE;
-    }
-    else {
-      DENY_AND_RETURN;
-    }
-
-    // eat (LWS pattern)+
-    PRBool matchesRule = MatchPatternList(iter, end);
-
-    PRBool ateLWS = EatLWS(iter, end);
-
-    // eat (LWS "exclude" (LWS pattern)+)?
-    if (ateLWS && EatString(iter, end, "exclude")) {
-      ateLWS = PR_FALSE;
-
-      // Order is important here since we always want to call the function
-      matchesRule = !MatchPatternList(iter, end) && matchesRule;
-    }
-    
-    if (matchesRule && mAcceptState != eDeny) {
-      mAcceptState = ruleIsAllow ? eAccept : eDeny;
-    }
-
-    // eat LWS?
-    if (!ateLWS) {
-      EatLWS(iter, end);
-    }
-    
-    if (iter != end) {
-      if (!EatString(iter, end, ",")) {
-        DENY_AND_RETURN;
-      }
-    }
-  }
-}
-
-// Moves aIter forward one character if the character at aIter is in [a-zA-Z]
-// Returns PR_TRUE and updates aIter if such a character was found.
-//         PR_FALSE otherwise.
-static PRBool
-EatAlpha(nsACString::const_iterator& aIter, nsACString::const_iterator& aEnd)
-{
-  if (aIter != aEnd && ((*aIter >= 'A' && *aIter <= 'Z') ||
-                        (*aIter >= 'a' && *aIter <= 'z'))) {
-    ++aIter;
-
-    return PR_TRUE;
-  }
-
-  return PR_FALSE;
-}
-
-// Moves aIter forward one character if the character at aIter is in [0-9]
-// Returns PR_TRUE and updates aIter if such a character was found.
-//         PR_FALSE otherwise.
-static PRBool
-EatDigit(nsACString::const_iterator& aIter, nsACString::const_iterator& aEnd)
-{
-  if (aIter != aEnd && *aIter >= '0' && *aIter <= '9') {
-    ++aIter;
-
-    return PR_TRUE;
-  }
-
-  return PR_FALSE;
-}
-
-// Moves aIter forward one character if the character at aIter is aChar
-// Returns PR_TRUE and updates aIter if aChar was found.
-//         PR_FALSE otherwise.
-static PRBool
-EatChar(nsACString::const_iterator& aIter, nsACString::const_iterator& aEnd,
-        char aChar)
-{
-  if (aIter != aEnd && *aIter == aChar) {
-    ++aIter;
-
-    return PR_TRUE;
-  }
-
-  return PR_FALSE;
-}
-
-// Moves aIter forward until it hits a subdomain terminator (* : or whitespace)
-// or reaches the end
-//     access-item ::= (scheme "://")? domain-pattern (":" port)? | "*"
-//     domain-pattern ::= subdomain | "*." subdomain
-// Returns PR_TRUE and updates aIter if a terminator is found.
-//         PR_FALSE otherwise.
-static void
-EatSubdomainChars(nsACString::const_iterator& aIter,
-                  nsACString::const_iterator& aEnd)
-{
-  NS_ASSERTION(aIter.get() <= aEnd.get(), "EatSubdomainChars failed");
-
-  // Make sure to not allow initial hyphens
-  if (*aIter == '-') {
-    return;
-  }
-
-  while (aIter != aEnd) {
-    unsigned char c = *aIter;
-    if (c <= 0x2c || 
-        0x2e <= c && c <= 0x2f ||
-        0x3a <= c && c <= 0x40 ||
-        0x5b <= c && c <= 0x60 ||
-        0x7b <= c && c <= 0x7f) {
-      return;
-    }
-    ++aIter;
-  }
-}
-
-static PRBool
-ACEEquals(const nsACString &aPattern, const nsCString &domain)
-{
-  if (aPattern.LowerCaseEqualsASCII(domain.get(), domain.Length()))
-    return PR_TRUE;
-
-  // Convert subdomain patern to ACE
-  nsCString acePattern;
-  if (!NS_StringToACE(aPattern, acePattern))
-    return PR_FALSE;
-  return acePattern.LowerCaseEqualsASCII(domain.get(), domain.Length());
-}
-
-PRBool
-nsCrossSiteListenerProxy::VerifyAndMatchDomainPattern(const nsACString& aPattern)
-{
-  if (aPattern.EqualsLiteral("*")) {
-    return PR_TRUE;
-  }
-
-  // access-item ::= (scheme "://")? domain-pattern (":" port)? | "*"
-
-  nsACString::const_iterator start, iter, end;
-  aPattern.BeginReading(start);
-  aPattern.EndReading(end);
-
-  // (scheme "://")?
-  nsCString patternScheme;
-  nsACString::const_iterator schemeStart = start, schemeEnd = end;
-  if (FindInReadable(NS_LITERAL_CSTRING("://"), schemeStart, schemeEnd)) {
-    // There is a '://' in the string which means that it must start with
-    // a scheme.
-    
-    iter = start;
-    
-    if (!EatAlpha(iter, end)) {
-      DENY_AND_RETURN PR_FALSE;
-    }
-    
-    while(EatAlpha(iter, end) ||
-          EatDigit(iter, end) ||
-          EatChar(iter, end, '+') ||
-          EatChar(iter, end, '-') ||
-          EatChar(iter, end, '.')) {}
-    
-    if (iter != schemeStart) {
-      DENY_AND_RETURN PR_FALSE;
-    }
-
-    // Set the scheme
-    patternScheme = Substring(start, iter);
-
-    start = iter.advance(3);
-  }
-
-  // domain-pattern ::= subdomain | "*." subdomain
-  PRBool patternHasWild = PR_FALSE;
-  if (EatChar(start, end, '*')) {
-    if (!EatChar(start, end, '.')) {
-      DENY_AND_RETURN PR_FALSE;
-    }
-    patternHasWild = PR_TRUE;
-  }
-
-  nsTArray<nsCString> patternSubdomains;
-
-  // subdomain ::= label | subdomain "." label
-  do {
-    iter = start;
-
-    EatSubdomainChars(iter, end);
-    
-    const nsDependentCSubstring& label = Substring(start, iter);
-    if (label.Last() == '-') {
-      DENY_AND_RETURN PR_FALSE;
-    }
-
-    start = iter;
-
-    // Save the label
-    patternSubdomains.AppendElement(label);
-  } while (EatChar(start, end, '.'));
-
-  // (":" port)?
-  PRInt32 patternPort = -1;
-  if (EatChar(start, end, ':')) {
-    iter = start;
-    while (EatDigit(iter, end)) {}
-    
-    if (iter != start) {
-      PRInt32 ec;
-      patternPort = PromiseFlatCString(Substring(start, iter)).ToInteger(&ec);
-      NS_ASSERTION(NS_SUCCEEDED(ec), "ToInteger failed");
-    }
-    
-    start = iter;
-  }
-
-  // Did we consume the whole pattern?
-  if (start != end) {
-    DENY_AND_RETURN PR_FALSE;
-  }
-
-  // Do checks at the end so that we make sure that the whole pattern is
-  // checked for syntax correctness first.
-
-  // Check scheme
-  PRBool res;
-  if (!patternScheme.IsEmpty() &&
-      (NS_FAILED(mRequestingURI->SchemeIs(patternScheme.get(), &res)) ||
-       !res)) {
-    return PR_FALSE;
-  }
-
-  // Check port
-  if (patternPort == -1 && !patternScheme.IsEmpty())
-    patternPort = NS_GetDefaultPort(patternScheme.get());
-  if (patternPort != -1 && patternPort != NS_GetRealPort(mRequestingURI)) {
-    return PR_FALSE;
-  }
-
-  // Check subdomain
-  PRUint32 patternPos = patternSubdomains.Length();
-  PRUint32 reqPos = mReqSubdomains.Length();
-  do {
-    --patternPos;
-    --reqPos;
-    if (!ACEEquals(patternSubdomains[patternPos], mReqSubdomains[reqPos])) {
-      return PR_FALSE;
-    }
-  } while (patternPos > 0 && reqPos > 0);
-
-  // Only matches if we've matched all of pattern and, if there is a wildcard, there
-  // is at least one more entry in mReqSubdomains.
-  
-  return patternPos == 0 &&
-         (!patternHasWild || reqPos >= 1);
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::GetInterface(const nsIID & aIID, void **aResult)
-{
-  if (aIID.Equals(NS_GET_IID(nsIChannelEventSink))) {
-    *aResult = static_cast<nsIChannelEventSink*>(this);
-    NS_ADDREF_THIS();
-
-    return NS_OK;
-  }
-
-  return mOuterNotificationCallbacks ?
-    mOuterNotificationCallbacks->GetInterface(aIID, aResult) :
-    NS_ERROR_NO_INTERFACE;
-}
-
-NS_IMETHODIMP
-nsCrossSiteListenerProxy::OnChannelRedirect(nsIChannel *aOldChannel,
-                                            nsIChannel *aNewChannel,
-                                            PRUint32    aFlags)
-{
-  nsresult rv;
-  nsCOMPtr<nsIChannelEventSink> outer =
-    do_GetInterface(mOuterNotificationCallbacks);
-  if (outer) {
-    rv = outer->OnChannelRedirect(aOldChannel, aNewChannel, aFlags);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
-  return UpdateChannel(aNewChannel);
-}
-
-nsresult
-nsCrossSiteListenerProxy::UpdateChannel(nsIChannel* aChannel)
-{
-  nsCOMPtr<nsIURI> uri;
-  nsresult rv = aChannel->GetURI(getter_AddRefs(uri));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Check that the uri is ok to load
-  rv = nsContentUtils::GetSecurityManager()->
-    CheckLoadURIWithPrincipal(mRequestingPrincipal, uri,
-                              nsIScriptSecurityManager::STANDARD);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  if (!mHasBeenCrossSite &&
-      NS_SUCCEEDED(mRequestingPrincipal->CheckMayLoad(uri, PR_FALSE))) {
-    return NS_OK;
-  }
-
-  nsCString userpass;
-  uri->GetUserPass(userpass);
-  NS_ENSURE_TRUE(userpass.IsEmpty(), NS_ERROR_DOM_BAD_URI);
-
-  // It's a cross site load
-  mHasBeenCrossSite = PR_TRUE;
-
-  // Work out the Referer-Root header
-  nsCString root, host;
-  rv = mRequestingURI->GetAsciiHost(host);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  if (!host.IsEmpty()) {
-    nsCString scheme;
-    rv = mRequestingURI->GetScheme(scheme);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    root = scheme + NS_LITERAL_CSTRING("://") + host;
-
-    // If needed, append the port
-    PRInt32 port;
-    mRequestingURI->GetPort(&port);
-    if (port != -1) {
-      PRInt32 defaultPort = NS_GetDefaultPort(scheme.get());
-      if (port != defaultPort) {
-        root.Append(":");
-        root.AppendInt(port);
-      }
-    }
-  }
-  else {
-    root.AssignLiteral("null");
-  }
-
-  // Now add the access-control-origin header
-  nsCOMPtr<nsIHttpChannel> http = do_QueryInterface(aChannel);
-  NS_ENSURE_TRUE(http, NS_ERROR_FAILURE);
-
-  return http->SetRequestHeader(NS_LITERAL_CSTRING("Access-Control-Origin"),
-    root, PR_FALSE);
-}
deleted file mode 100644
--- a/content/base/src/nsCrossSiteListenerProxy.h
+++ /dev/null
@@ -1,109 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is Mozilla Foundation.
- * Portions created by the Initial Developer are Copyright (C) 2007
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Jonas Sicking <jonas@sicking.cc> (Original Author)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either of the GNU General Public License Version 2 or later (the "GPL"),
- * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsIStreamListener.h"
-#include "nsIInterfaceRequestor.h"
-#include "nsCOMPtr.h"
-#include "nsString.h"
-#include "nsIURI.h"
-#include "nsTArray.h"
-#include "nsIContentSink.h"
-#include "nsIXMLContentSink.h"
-#include "nsIExpatSink.h"
-#include "nsIInterfaceRequestor.h"
-#include "nsIChannelEventSink.h"
-
-class nsIURI;
-class nsIParser;
-class nsIPrincipal;
-
-class nsCrossSiteListenerProxy : public nsIStreamListener,
-                                 public nsIXMLContentSink,
-                                 public nsIExpatSink,
-                                 public nsIInterfaceRequestor,
-                                 public nsIChannelEventSink
-{
-public:
-  nsCrossSiteListenerProxy(nsIStreamListener* aOuter,
-                           nsIPrincipal* aRequestingPrincipal,
-                           nsIChannel* aChannel,
-                           nsresult* aResult);
-
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIREQUESTOBSERVER
-  NS_DECL_NSISTREAMLISTENER
-  NS_DECL_NSIEXPATSINK
-  NS_DECL_NSIINTERFACEREQUESTOR
-  NS_DECL_NSICHANNELEVENTSINK
-
-  // nsIContentSink
-  NS_IMETHOD WillTokenize(void) { return NS_OK; }
-  NS_IMETHOD WillBuildModel(void);
-  NS_IMETHOD DidBuildModel()  { return NS_OK; }
-  NS_IMETHOD WillInterrupt(void) { return NS_OK; }
-  NS_IMETHOD WillResume(void) { return NS_OK; }
-  NS_IMETHOD SetParser(nsIParser* aParser) { return NS_OK; }
-  virtual void FlushPendingNotifications(mozFlushType aType) { }
-  NS_IMETHOD SetDocumentCharset(nsACString& aCharset) { return NS_OK; }
-  virtual nsISupports *GetTarget() { return nsnull; }
-
-private:
-  nsresult UpdateChannel(nsIChannel* aChannel);
-
-  nsresult ForwardRequest(PRBool aCallStop);
-  PRBool MatchPatternList(const char*& aIter, const char* aEnd);
-  void CheckHeader(const nsCString& aHeader);
-  PRBool VerifyAndMatchDomainPattern(const nsACString& aDomainPattern);
-
-  nsCOMPtr<nsIStreamListener> mOuterListener;
-  nsCOMPtr<nsIRequest> mOuterRequest;
-  nsCOMPtr<nsISupports> mOuterContext;
-  nsCOMPtr<nsIStreamListener> mParserListener;
-  nsCOMPtr<nsIParser> mParser;
-  nsCOMPtr<nsIURI> mRequestingURI;
-  nsCOMPtr<nsIPrincipal> mRequestingPrincipal;
-  nsCOMPtr<nsIInterfaceRequestor> mOuterNotificationCallbacks;
-  nsTArray<nsCString> mReqSubdomains;
-  nsCString mStoredData;
-  enum {
-    eAccept,
-    eDeny,
-    eNotSet
-  } mAcceptState;
-  PRBool mHasForwardedRequest;
-  PRBool mHasBeenCrossSite;
-};
--- a/content/base/src/nsSyncLoadService.cpp
+++ b/content/base/src/nsSyncLoadService.cpp
@@ -54,17 +54,16 @@
 #include "nsIPrivateDOMImplementation.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsContentUtils.h"
 #include "nsThreadUtils.h"
 #include "nsNetUtil.h"
 #include "nsAutoPtr.h"
 #include "nsLoadListenerProxy.h"
 #include "nsStreamUtils.h"
-#include "nsCrossSiteListenerProxy.h"
 
 /**
  * This class manages loading a single XML document
  */
 
 class nsSyncLoader : public nsIDOMLoadListener,
                      public nsIChannelEventSink,
                      public nsIInterfaceRequestor,
@@ -214,20 +213,22 @@ nsSyncLoader::LoadDocument(nsIChannel* a
 
     if (aForceToXML) {
         nsCOMPtr<nsIStreamListener> forceListener =
             new nsForceXMLListener(listener);
         listener.swap(forceListener);
     }
 
     if (aLoaderPrincipal) {
-        listener = new nsCrossSiteListenerProxy(listener, aLoaderPrincipal,
-                                                mChannel, &rv);
-        NS_ENSURE_TRUE(listener, NS_ERROR_OUT_OF_MEMORY);
-        NS_ENSURE_SUCCESS(rv, rv);
+      nsCOMPtr<nsIURI> docURI;
+      rv = aChannel->GetOriginalURI(getter_AddRefs(docURI));
+      NS_ENSURE_SUCCESS(rv, rv);
+
+      rv = aLoaderPrincipal->CheckMayLoad(docURI, PR_TRUE);
+      NS_ENSURE_SUCCESS(rv, rv);
     }
 
     // Register as a load listener on the document
     nsCOMPtr<nsPIDOMEventTarget> target = do_QueryInterface(document);
     NS_ENSURE_TRUE(target, NS_ERROR_FAILURE);
 
     nsWeakPtr requestWeak = do_GetWeakReference(static_cast<nsIDOMLoadListener*>(this));
     nsLoadListenerProxy* proxy = new nsLoadListenerProxy(requestWeak);
@@ -363,16 +364,28 @@ NS_IMETHODIMP
 nsSyncLoader::OnChannelRedirect(nsIChannel *aOldChannel,
                                 nsIChannel *aNewChannel,
                                 PRUint32    aFlags)
 {
     NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
 
     mChannel = aNewChannel;
 
+    nsCOMPtr<nsIURI> oldURI;
+    nsresult rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIURI> newURI;
+    rv = aNewChannel->GetURI(getter_AddRefs(newURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = nsContentUtils::GetSecurityManager()->
+        CheckSameOriginURI(oldURI, newURI, PR_TRUE);
+    NS_ENSURE_SUCCESS(rv, rv);
+
     return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSyncLoader::GetInterface(const nsIID & aIID,
                            void **aResult)
 {
     return QueryInterface(aIID, aResult);
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -77,17 +77,16 @@
 #include "nsCOMArray.h"
 #include "nsDOMClassInfo.h"
 #include "nsIScriptableUConv.h"
 #include "nsCycleCollectionParticipant.h"
 #include "nsIContentPolicy.h"
 #include "nsContentPolicyUtils.h"
 #include "nsContentErrors.h"
 #include "nsLayoutStatics.h"
-#include "nsCrossSiteListenerProxy.h"
 #include "nsDOMError.h"
 #include "nsIHTMLDocument.h"
 #include "nsWhitespaceTokenizer.h"
 #include "nsIMultiPartChannel.h"
 #include "nsIScriptObjectPrincipal.h"
 #include "nsIStorageStream.h"
 
 #define LOAD_STR "load"
@@ -111,32 +110,28 @@
 #define XML_HTTP_REQUEST_ABORTED        (1 << 7)  // Internal
 #define XML_HTTP_REQUEST_ASYNC          (1 << 8)  // Internal
 #define XML_HTTP_REQUEST_PARSEBODY      (1 << 9)  // Internal
 #define XML_HTTP_REQUEST_XSITEENABLED   (1 << 10) // Internal, Is any cross-site request allowed?
                                                   //           Even if this is false the
                                                   //           access-control spec is supported
 #define XML_HTTP_REQUEST_SYNCLOOPING    (1 << 11) // Internal
 #define XML_HTTP_REQUEST_MULTIPART      (1 << 12) // Internal
-#define XML_HTTP_REQUEST_USE_XSITE_AC   (1 << 13) // Internal
-#define XML_HTTP_REQUEST_NON_GET        (1 << 14) // Internal
-#define XML_HTTP_REQUEST_GOT_FINAL_STOP (1 << 15) // Internal
-#define XML_HTTP_REQUEST_BACKGROUND     (1 << 16) // Internal
+#define XML_HTTP_REQUEST_GOT_FINAL_STOP (1 << 13) // Internal
+#define XML_HTTP_REQUEST_BACKGROUND     (1 << 14) // Internal
 
 #define XML_HTTP_REQUEST_LOADSTATES         \
   (XML_HTTP_REQUEST_UNINITIALIZED |         \
    XML_HTTP_REQUEST_OPENED |                \
    XML_HTTP_REQUEST_LOADED |                \
    XML_HTTP_REQUEST_INTERACTIVE |           \
    XML_HTTP_REQUEST_COMPLETED |             \
    XML_HTTP_REQUEST_SENT |                  \
    XML_HTTP_REQUEST_STOPPED)
 
-#define ACCESS_CONTROL_CACHE_SIZE 100
-
 #define NS_BADCERTHANDLER_CONTRACTID \
   "@mozilla.org/content/xmlhttprequest-bad-cert-handler;1"
 
 // This helper function adds the given load flags to the request's existing
 // load flags.
 static void AddLoadFlags(nsIRequest *request, nsLoadFlags newFlags)
 {
   nsLoadFlags flags;
@@ -240,144 +235,16 @@ nsMultipartProxyListener::OnDataAvailabl
                                           nsIInputStream *inStr,
                                           PRUint32 sourceOffset,
                                           PRUint32 count)
 {
   return mDestListener->OnDataAvailable(aRequest, ctxt, inStr, sourceOffset,
                                         count);
 }
 
-// Class used as streamlistener and notification callback when
-// doing the initial GET request for an access-control check
-class nsACProxyListener : public nsIStreamListener,
-                          public nsIInterfaceRequestor,
-                          public nsIChannelEventSink
-{
-public:
-  nsACProxyListener(nsIChannel* aOuterChannel,
-                    nsIStreamListener* aOuterListener,
-                    nsISupports* aOuterContext,
-                    nsIPrincipal* aReferrerPrincipal,
-                    const nsACString& aRequestMethod)
-   : mOuterChannel(aOuterChannel), mOuterListener(aOuterListener),
-     mOuterContext(aOuterContext), mReferrerPrincipal(aReferrerPrincipal),
-     mRequestMethod(aRequestMethod)
-  { }
-
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSISTREAMLISTENER
-  NS_DECL_NSIREQUESTOBSERVER
-  NS_DECL_NSIINTERFACEREQUESTOR
-  NS_DECL_NSICHANNELEVENTSINK
-
-private:
-  nsCOMPtr<nsIChannel> mOuterChannel;
-  nsCOMPtr<nsIStreamListener> mOuterListener;
-  nsCOMPtr<nsISupports> mOuterContext;
-  nsCOMPtr<nsIPrincipal> mReferrerPrincipal;
-  nsCString mRequestMethod;
-};
-
-NS_IMPL_ISUPPORTS4(nsACProxyListener, nsIStreamListener, nsIRequestObserver,
-                   nsIInterfaceRequestor, nsIChannelEventSink)
-
-NS_IMETHODIMP
-nsACProxyListener::OnStartRequest(nsIRequest *aRequest, nsISupports *aContext)
-{
-  nsresult status;
-  nsresult rv = aRequest->GetStatus(&status);
-
-  if (NS_SUCCEEDED(rv)) {
-    rv = status;
-  }
-
-  if (NS_SUCCEEDED(rv)) {
-    // Everything worked, check to see if there is an expiration time set on
-    // this access control list. If so go ahead and cache it.
-
-    nsCOMPtr<nsIHttpChannel> http = do_QueryInterface(aRequest, &rv);
-
-    // The "Access-Control-Max-Age" header should return an age in seconds.
-    nsCAutoString ageString;
-    http->GetResponseHeader(NS_LITERAL_CSTRING("Access-Control-Max-Age"),
-                            ageString);
-
-    // Sanitize the string. We only allow 'delta-seconds' as specified by
-    // http://dev.w3.org/2006/waf/access-control (digits 0-9 with no leading or
-    // trailing non-whitespace characters). We don't allow a + or - character
-    // but PR_sscanf does so we ensure that the first character is actually a
-    // digit.
-    ageString.StripWhitespace();
-    if (ageString.CharAt(0) >= '0' || ageString.CharAt(0) <= '9') {
-      PRUint64 age;
-      PRInt32 convertedChars = PR_sscanf(ageString.get(), "%llu", &age);
-      if ((PRInt32)ageString.Length() == convertedChars &&
-          nsXMLHttpRequest::EnsureACCache()) {
-
-        // String seems fine, go ahead and cache.
-        nsCOMPtr<nsIURI> uri;
-        http->GetURI(getter_AddRefs(uri));
-
-        // PR_Now gives microseconds
-        PRTime expirationTime = PR_Now() + age * PR_USEC_PER_SEC;
-        nsXMLHttpRequest::sAccessControlCache->PutEntry(uri, mReferrerPrincipal,
-                                                        expirationTime);
-      }
-    }
-  }
-
-  if (NS_SUCCEEDED(rv)) {
-    rv = mOuterChannel->AsyncOpen(mOuterListener, mOuterContext);
-  }
-
-  if (NS_FAILED(rv)) {
-    mOuterChannel->Cancel(rv);
-    mOuterListener->OnStartRequest(mOuterChannel, mOuterContext);
-    mOuterListener->OnStopRequest(mOuterChannel, mOuterContext, rv);
-    
-    return rv;
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsACProxyListener::OnStopRequest(nsIRequest *aRequest, nsISupports *aContext,
-                                 nsresult aStatus)
-{
-  return NS_OK;
-}
-
-/** nsIStreamListener methods **/
-
-NS_IMETHODIMP
-nsACProxyListener::OnDataAvailable(nsIRequest *aRequest,
-                                   nsISupports *ctxt,
-                                   nsIInputStream *inStr,
-                                   PRUint32 sourceOffset,
-                                   PRUint32 count)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsACProxyListener::OnChannelRedirect(nsIChannel *aOldChannel,
-                                     nsIChannel *aNewChannel,
-                                     PRUint32 aFlags)
-{
-  // No redirects allowed for now.
-  return NS_ERROR_DOM_BAD_URI;
-}
-
-NS_IMETHODIMP
-nsACProxyListener::GetInterface(const nsIID & aIID, void **aResult)
-{
-  return QueryInterface(aIID, aResult);
-}
-
 /**
  * Gets the nsIDocument given the script context. Will return nsnull on failure.
  *
  * @param aScriptContext the script context to get the document for; can be null
  *
  * @return the document associated with the script context
  */
 static already_AddRefed<nsIDocument>
@@ -394,165 +261,21 @@ GetDocumentFromScriptContext(nsIScriptCo
     window->GetDocument(getter_AddRefs(domdoc));
     if (domdoc) {
       CallQueryInterface(domdoc, &doc);
     }
   }
   return doc;
 }
 
-void
-nsAccessControlLRUCache::GetEntry(nsIURI* aURI,
-                                  nsIPrincipal* aPrincipal,
-                                  PRTime* _retval)
-{
-  nsCAutoString key;
-  if (GetCacheKey(aURI, aPrincipal, key)) {
-    CacheEntry* entry;
-    if (GetEntryInternal(key, &entry)) {
-      *_retval = entry->value;
-      return;
-    }
-  }
-  *_retval = 0;
-}
-
-void
-nsAccessControlLRUCache::PutEntry(nsIURI* aURI,
-                                  nsIPrincipal* aPrincipal,
-                                  PRTime aValue)
-{
-  nsCString key;
-  if (!GetCacheKey(aURI, aPrincipal, key)) {
-    NS_WARNING("Invalid cache key!");
-    return;
-  }
-
-  CacheEntry* entry;
-  if (GetEntryInternal(key, &entry)) {
-    // Entry already existed, just update the expiration time and bail. The LRU
-    // list is updated as a result of the call to GetEntryInternal.
-    entry->value = aValue;
-    return;
-  }
-
-  // This is a new entry, allocate and insert into the table now so that any
-  // failures don't cause items to be removed from a full cache.
-  entry = new CacheEntry(key, aValue);
-  if (!entry) {
-    NS_WARNING("Failed to allocate new cache entry!");
-    return;
-  }
-
-  if (!mTable.Put(key, entry)) {
-    // Failed, clean up the new entry.
-    delete entry;
-
-    NS_WARNING("Failed to add entry to the access control cache!");
-    return;
-  }
-
-  PR_INSERT_LINK(entry, &mList);
-
-  NS_ASSERTION(mTable.Count() <= ACCESS_CONTROL_CACHE_SIZE + 1,
-               "Something is borked, too many entries in the cache!");
-
-  // Now enforce the max count.
-  if (mTable.Count() > ACCESS_CONTROL_CACHE_SIZE) {
-    // Try to kick out all the expired entries.
-    PRTime now = PR_Now();
-    mTable.Enumerate(RemoveExpiredEntries, &now);
-
-    // If that didn't remove anything then kick out the least recently used
-    // entry.
-    if (mTable.Count() > ACCESS_CONTROL_CACHE_SIZE) {
-      CacheEntry* lruEntry = static_cast<CacheEntry*>(PR_LIST_TAIL(&mList));
-      PR_REMOVE_LINK(lruEntry);
-
-      // This will delete 'lruEntry'.
-      mTable.Remove(lruEntry->key);
-
-      NS_ASSERTION(mTable.Count() >= ACCESS_CONTROL_CACHE_SIZE,
-                   "Somehow tried to remove an entry that was never added!");
-    }
-  }
-}
-
-void
-nsAccessControlLRUCache::Clear()
-{
-  PR_INIT_CLIST(&mList);
-  mTable.Clear();
-}
-
-PRBool
-nsAccessControlLRUCache::GetEntryInternal(const nsACString& aKey,
-                                          CacheEntry** _retval)
-{
-  if (!mTable.Get(aKey, _retval))
-    return PR_FALSE;
-
-  // Move to the head of the list.
-  PR_REMOVE_LINK(*_retval);
-  PR_INSERT_LINK(*_retval, &mList);
-
-  return PR_TRUE;
-}
-
-/* static */ PR_CALLBACK PLDHashOperator
-nsAccessControlLRUCache::RemoveExpiredEntries(const nsACString& aKey,
-                                              nsAutoPtr<CacheEntry>& aValue,
-                                              void* aUserData)
-{
-  PRTime* now = static_cast<PRTime*>(aUserData);
-  if (*now >= aValue->value) {
-    // Expired, remove from the list as well as the hash table.
-    PR_REMOVE_LINK(aValue);
-    return PL_DHASH_REMOVE;
-  }
-  // Keep going.
-  return PL_DHASH_NEXT;
-}
-
-/* static */ PRBool
-nsAccessControlLRUCache::GetCacheKey(nsIURI* aURI,
-                                     nsIPrincipal* aPrincipal,
-                                     nsACString& _retval)
-{
-  NS_ASSERTION(aURI, "Null uri!");
-  NS_ASSERTION(aPrincipal, "Null principal!");
-  
-  NS_NAMED_LITERAL_CSTRING(space, " ");
-
-  nsCOMPtr<nsIURI> uri;
-  nsresult rv = aPrincipal->GetURI(getter_AddRefs(uri));
-  NS_ENSURE_SUCCESS(rv, PR_FALSE);
-  
-  nsCAutoString host;
-  if (uri) {
-    uri->GetHost(host);
-  }
-
-  nsCAutoString spec;
-  rv = aURI->GetSpec(spec);
-  NS_ENSURE_SUCCESS(rv, PR_FALSE);
-
-  _retval.Assign(host + space + spec);
-
-  return PR_TRUE;
-}
-
 /////////////////////////////////////////////
 //
 //
 /////////////////////////////////////////////
 
-// Will be initialized in nsXMLHttpRequest::EnsureACCache.
-nsAccessControlLRUCache* nsXMLHttpRequest::sAccessControlCache = nsnull;
-
 nsXMLHttpRequest::nsXMLHttpRequest()
   : mState(XML_HTTP_REQUEST_UNINITIALIZED)
 {
   nsLayoutStatics::AddRef();
 }
 
 nsXMLHttpRequest::~nsXMLHttpRequest()
 {
@@ -1117,19 +840,16 @@ NS_IMETHODIMP
 nsXMLHttpRequest::Abort()
 {
   if (mReadRequest) {
     mReadRequest->Cancel(NS_BINDING_ABORTED);
   }
   if (mChannel) {
     mChannel->Cancel(NS_BINDING_ABORTED);
   }
-  if (mACGetChannel) {
-    mACGetChannel->Cancel(NS_BINDING_ABORTED);
-  }
   mDocument = nsnull;
   mResponseBody.Truncate();
   mState |= XML_HTTP_REQUEST_ABORTED;
 
   if (!(mState & (XML_HTTP_REQUEST_UNINITIALIZED |
                   XML_HTTP_REQUEST_OPENED |
                   XML_HTTP_REQUEST_COMPLETED))) {
     ChangeState(XML_HTTP_REQUEST_COMPLETED, PR_TRUE, PR_TRUE);
@@ -1147,20 +867,16 @@ nsXMLHttpRequest::Abort()
 
 /* string getAllResponseHeaders (); */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetAllResponseHeaders(char **_retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
   *_retval = nsnull;
 
-  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-    return NS_OK;
-  }
-
   nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();
 
   if (httpChannel) {
     nsHeaderVisitor *visitor = nsnull;
     NS_NEWXPCOM(visitor, nsHeaderVisitor);
     if (!visitor)
       return NS_ERROR_OUT_OF_MEMORY;
     NS_ADDREF(visitor);
@@ -1179,47 +895,16 @@ nsXMLHttpRequest::GetAllResponseHeaders(
 /* ACString getResponseHeader (in AUTF8String header); */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseHeader(const nsACString& header,
                                     nsACString& _retval)
 {
   nsresult rv = NS_OK;
   _retval.Truncate();
 
-  // Check for dangerous headers
-  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-    
-    // Make sure we don't leak header information from denied cross-site
-    // requests.
-    if (mChannel) {
-      nsresult status;
-      mChannel->GetStatus(&status);
-      if (NS_FAILED(status)) {
-        return NS_OK;
-      }
-    }
-
-    const char *kCrossOriginSafeHeaders[] = {
-      "cache-control", "content-language", "content-type", "expires",
-      "last-modified", "pragma"
-    };
-    PRBool safeHeader = PR_FALSE;
-    PRUint32 i;
-    for (i = 0; i < NS_ARRAY_LENGTH(kCrossOriginSafeHeaders); ++i) {
-      if (header.LowerCaseEqualsASCII(kCrossOriginSafeHeaders[i])) {
-        safeHeader = PR_TRUE;
-        break;
-      }
-    }
-
-    if (!safeHeader) {
-      return NS_OK;
-    }
-  }
-
   nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();
 
   if (httpChannel) {
     rv = httpChannel->GetResponseHeader(header, _retval);
   }
 
   if (rv == NS_ERROR_NOT_AVAILABLE) {
     // Means no header
@@ -1411,44 +1096,16 @@ IsSameOrigin(nsIPrincipal* aPrincipal, n
   rv = aChannel->GetURI(getter_AddRefs(channelURI));
   NS_ENSURE_SUCCESS(rv, PR_FALSE);
 
   rv = nsContentUtils::GetSecurityManager()->
     CheckSameOriginURI(codebase, channelURI, PR_FALSE);
   return NS_SUCCEEDED(rv);
 }
 
-nsresult
-nsXMLHttpRequest::CheckChannelForCrossSiteRequest()
-{
-  // First check if this is a same-origin request, or if cross-site requests
-  // are enabled.
-  if ((mState & XML_HTTP_REQUEST_XSITEENABLED) ||
-      IsSameOrigin(mPrincipal, mChannel)) {
-    return NS_OK;
-  }
-
-  // This is a cross-site request
-
-  // The request is now cross-site, so update flag.
-  mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
-
-  // Remove dangerous headers
-  nsCOMPtr<nsIHttpChannel> http = do_QueryInterface(mChannel);
-  if (http) {
-    PRUint32 i;
-    for (i = 0; i < mExtraRequestHeaders.Length(); ++i) {
-      http->SetRequestHeader(mExtraRequestHeaders[i], EmptyCString(), PR_FALSE);
-    }
-    mExtraRequestHeaders.Clear();
-  }
-
-  return NS_OK;
-}
-
 /* noscript void openRequest (in AUTF8String method, in AUTF8String url, in boolean async, in AString user, in AString password); */
 NS_IMETHODIMP
 nsXMLHttpRequest::OpenRequest(const nsACString& method,
                               const nsACString& url,
                               PRBool async,
                               const nsAString& user,
                               const nsAString& password)
 {
@@ -1556,56 +1213,21 @@ nsXMLHttpRequest::OpenRequest(const nsAC
                      loadFlags);
   if (NS_FAILED(rv)) return rv;
 
   // Check if we're doing a cross-origin request.
   if (IsSystemPrincipal(mPrincipal)) {
     // Chrome callers are always allowed to read from different origins.
     mState |= XML_HTTP_REQUEST_XSITEENABLED;
   }
-  else if (!(mState & XML_HTTP_REQUEST_XSITEENABLED) &&
-           !IsSameOrigin(mPrincipal, mChannel)) {
-    mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
-  }
 
   nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
   if (httpChannel) {
     rv = httpChannel->SetRequestMethod(method);
     NS_ENSURE_SUCCESS(rv, rv);
-    
-    if (!method.LowerCaseEqualsLiteral("get")) {
-      mState |= XML_HTTP_REQUEST_NON_GET;
-    }
-  }
-
-  // Do we need to set up an initial OPTIONS request to make sure that it is
-  // safe to make the request?
-  if ((mState & XML_HTTP_REQUEST_USE_XSITE_AC) &&
-      (mState & XML_HTTP_REQUEST_NON_GET)) {
-
-    // Check to see if this initial OPTIONS request has already been cached in
-    // our special Access Control Cache.
-    PRTime expiration = 0;
-    if (sAccessControlCache) {
-      sAccessControlCache->GetEntry(uri, mPrincipal, &expiration);
-    }
-
-    if (expiration <= PR_Now()) {
-      // Either it wasn't cached or the cached result has expired. Build a
-      // channel for the OPTIONS request.
-      rv = NS_NewChannel(getter_AddRefs(mACGetChannel), uri, nsnull, loadGroup,
-                         nsnull, loadFlags);
-      NS_ENSURE_SUCCESS(rv, rv);
-
-      nsCOMPtr<nsIHttpChannel> acHttp = do_QueryInterface(mACGetChannel);
-      NS_ASSERTION(acHttp, "Failed to QI to nsIHttpChannel!");
-
-      rv = acHttp->SetRequestMethod(NS_LITERAL_CSTRING("OPTIONS"));
-      NS_ENSURE_SUCCESS(rv, rv);
-    }
   }
 
   ChangeState(XML_HTTP_REQUEST_OPENED);
 
   return rv;
 }
 
 /* void open (in AUTF8String method, in AUTF8String url); */
@@ -1639,17 +1261,17 @@ nsXMLHttpRequest::Open(const nsACString&
     rv = NS_NewURI(getter_AddRefs(targetURI), url, nsnull, GetBaseURI());
     if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
 
     nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
     if (!secMan) {
       return NS_ERROR_FAILURE;
     }
 
-    rv = secMan->CheckConnect(cx, targetURI, "XMLHttpRequest", "open-uri");
+    rv = secMan->CheckConnect(cx, targetURI, "XMLHttpRequest", "open");
     if (NS_FAILED(rv))
     {
       // Security check failed.
       return NS_OK;
     }
 
     // Find out if UniversalBrowserRead privileges are enabled
     // we will need this in case of a redirect
@@ -1811,23 +1433,16 @@ nsXMLHttpRequest::OnStartRequest(nsIRequ
   // Create an empty document from it 
   const nsAString& emptyStr = EmptyString();
   nsCOMPtr<nsIScriptGlobalObject> global = do_QueryInterface(mOwner);
   nsresult rv = nsContentUtils::CreateDocument(emptyStr, emptyStr, nsnull, uri,
                                                uri, mPrincipal, global,
                                                getter_AddRefs(mDocument));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-    nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(mDocument);
-    if (htmlDoc) {
-      htmlDoc->DisableCookieAccess();
-    }
-  }
-
   // Reset responseBody
   mResponseBody.Truncate();
 
   // Register as a load listener on the document
   nsCOMPtr<nsPIDOMEventTarget> target(do_QueryInterface(mDocument));
   if (target) {
     nsWeakPtr requestWeak =
       do_GetWeakReference(static_cast<nsIXMLHttpRequest*>(this));
@@ -2270,86 +1885,54 @@ nsXMLHttpRequest::Send(nsIVariant *aBody
 
   // Reset responseXML
   mDocument = nsnull;
 
   if (!(mState & XML_HTTP_REQUEST_ASYNC)) {
     mState |= XML_HTTP_REQUEST_SYNCLOOPING;
   }
 
-  rv = CheckChannelForCrossSiteRequest();
-  NS_ENSURE_SUCCESS(rv, rv);
-
   // Hook us up to listen to redirects and the like
   mChannel->GetNotificationCallbacks(getter_AddRefs(mNotificationCallbacks));
   mChannel->SetNotificationCallbacks(this);
 
   // Create our listener
   nsCOMPtr<nsIStreamListener> listener = this;
   if (mState & XML_HTTP_REQUEST_MULTIPART) {
     listener = new nsMultipartProxyListener(listener);
     if (!listener) {
       return NS_ERROR_OUT_OF_MEMORY;
     }
   }
 
-  if (!(mState & XML_HTTP_REQUEST_XSITEENABLED)) {
-    // Always create a nsCrossSiteListenerProxy here even if it's
-    // a same-origin request right now, since it could be redirected.
-    listener = new nsCrossSiteListenerProxy(listener, mPrincipal, mChannel,
-                                            &rv);
-    NS_ENSURE_TRUE(listener, NS_ERROR_OUT_OF_MEMORY);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
   // Bypass the network cache in cases where it makes no sense:
   // 1) Multipart responses are very large and would likely be doomed by the
   //    cache once they grow too large, so they are not worth caching.
   // 2) POST responses are always unique, and we provide no API that would
   //    allow our consumers to specify a "cache key" to access old POST
   //    responses, so they are not worth caching.
   if ((mState & XML_HTTP_REQUEST_MULTIPART) || method.EqualsLiteral("POST")) {
     AddLoadFlags(mChannel,
         nsIRequest::LOAD_BYPASS_CACHE | nsIRequest::INHIBIT_CACHING);
   }
   // When we are sync loading, we need to bypass the local cache when it would
   // otherwise block us waiting for exclusive access to the cache.  If we don't
   // do this, then we could dead lock in some cases (see bug 309424).
   else if (mState & XML_HTTP_REQUEST_SYNCLOOPING) {
     AddLoadFlags(mChannel,
         nsICachingChannel::LOAD_BYPASS_LOCAL_CACHE_IF_BUSY);
-    if (mACGetChannel) {
-      AddLoadFlags(mACGetChannel,
-          nsICachingChannel::LOAD_BYPASS_LOCAL_CACHE_IF_BUSY);
-    }
   }
 
   // Since we expect XML data, set the type hint accordingly
   // This means that we always try to parse local files as XML
   // ignoring return value, as this is not critical
   mChannel->SetContentType(NS_LITERAL_CSTRING("application/xml"));
 
-  // If we're doing a cross-site non-GET request we need to first do
-  // a GET request to the same URI. Set that up if needed
-  if (mACGetChannel) {
-    nsCOMPtr<nsIStreamListener> acListener =
-      new nsACProxyListener(mChannel, listener, nsnull, mPrincipal, method);
-    NS_ENSURE_TRUE(acListener, NS_ERROR_OUT_OF_MEMORY);
-
-    listener = new nsCrossSiteListenerProxy(acListener, mPrincipal,
-                                            mACGetChannel, &rv);
-    NS_ENSURE_TRUE(listener, NS_ERROR_OUT_OF_MEMORY);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    rv = mACGetChannel->AsyncOpen(listener, nsnull);
-  }
-  else {
-    // Start reading from the channel
-    rv = mChannel->AsyncOpen(listener, nsnull);
-  }
+  // Start reading from the channel
+  rv = mChannel->AsyncOpen(listener, nsnull);
 
   if (NS_FAILED(rv)) {
     // Drop our ref to the channel to avoid cycles
     mChannel = nsnull;
     return rv;
   }
 
   // Now that we've successfully opened the channel, we can change state.  Note
@@ -2378,29 +1961,16 @@ nsXMLHttpRequest::Send(nsIVariant *aBody
 
 /* void setRequestHeader (in AUTF8String header, in AUTF8String value); */
 NS_IMETHODIMP
 nsXMLHttpRequest::SetRequestHeader(const nsACString& header,
                                    const nsACString& value)
 {
   nsresult rv;
 
-  // Check that we haven't already opened the channel. We can't rely on
-  // the channel throwing from mChannel->SetRequestHeader since we might
-  // still be waiting for mACGetChannel to actually open mChannel
-  if (mACGetChannel) {
-    PRBool pending;
-    rv = mACGetChannel->IsPending(&pending);
-    NS_ENSURE_SUCCESS(rv, rv);
-    
-    if (pending) {
-      return NS_ERROR_IN_PROGRESS;
-    }
-  }
-
   if (!mChannel)             // open() initializes mChannel, and open()
     return NS_ERROR_FAILURE; // must be called before first setRequestHeader()
 
   nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
   if (!httpChannel) {
     return NS_OK;
   }
 
@@ -2422,42 +1992,16 @@ nsXMLHttpRequest::SetRequestHeader(const
     };
     PRUint32 i;
     for (i = 0; i < NS_ARRAY_LENGTH(kInvalidHeaders); ++i) {
       if (header.LowerCaseEqualsASCII(kInvalidHeaders[i])) {
         NS_WARNING("refusing to set request header");
         return NS_OK;
       }
     }
-
-    // Check for dangerous cross-site headers
-    PRBool safeHeader = !!(mState & XML_HTTP_REQUEST_XSITEENABLED);
-    if (!safeHeader) {
-      const char *kCrossOriginSafeHeaders[] = {
-        "accept", "accept-language"
-      };
-      for (i = 0; i < NS_ARRAY_LENGTH(kCrossOriginSafeHeaders); ++i) {
-        if (header.LowerCaseEqualsASCII(kCrossOriginSafeHeaders[i])) {
-          safeHeader = PR_TRUE;
-          break;
-        }
-      }
-    }
-
-    if (!safeHeader) {
-      // The header is unsafe for cross-site requests. If this is a cross-site
-      // request throw an exception...
-      if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-        return NS_ERROR_FAILURE;
-      }
-
-      // ...otherwise just add it to mExtraRequestHeaders so that we can
-      // remove it in case we're redirected to another site
-      mExtraRequestHeaders.AppendElement(header);
-    }
   }
 
   // We need to set, not add to, the header.
   return httpChannel->SetRequestHeader(header, value, PR_FALSE);
 }
 
 /* readonly attribute long readyState; */
 NS_IMETHODIMP
@@ -2688,28 +2232,29 @@ nsXMLHttpRequest::OnChannelRedirect(nsIC
 
   nsresult rv;
   if (mChannelEventSink) {
     rv =
       mChannelEventSink->OnChannelRedirect(aOldChannel, aNewChannel, aFlags);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
-  mChannel = aNewChannel;
-
-  rv = CheckChannelForCrossSiteRequest();
+  nsCOMPtr<nsIURI> oldURI;
+  rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  // Disable redirects for non-get cross-site requests entirely for now
-  // Note, do this after the call to CheckChannelForCrossSiteRequest
-  // to make sure that XML_HTTP_REQUEST_USE_XSITE_AC is up-to-date
-  if ((mState & XML_HTTP_REQUEST_NON_GET) &&
-      (mState & XML_HTTP_REQUEST_USE_XSITE_AC)) {
-    return NS_ERROR_DOM_BAD_URI;
-  }
+  nsCOMPtr<nsIURI> newURI;
+  rv = aNewChannel->GetURI(getter_AddRefs(newURI));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = nsContentUtils::GetSecurityManager()->
+    CheckSameOriginURI(oldURI, newURI, PR_TRUE);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  mChannel = aNewChannel;
 
   return NS_OK;
 }
 
 /////////////////////////////////////////////////////
 // nsIProgressEventSink methods:
 //
 
--- a/content/base/src/nsXMLHttpRequest.h
+++ b/content/base/src/nsXMLHttpRequest.h
@@ -65,75 +65,16 @@
 #include "nsIDOMLSProgressEvent.h"
 #include "nsClassHashtable.h"
 #include "nsHashKeys.h"
 #include "prclist.h"
 #include "prtime.h"
 
 class nsILoadGroup;
 
-class nsAccessControlLRUCache
-{
-  struct CacheEntry : public PRCList
-  {
-    CacheEntry(const nsACString& aKey, PRTime aValue)
-    : key(aKey), value(aValue)
-    {
-      MOZ_COUNT_CTOR(nsAccessControlLRUCache::CacheEntry);
-    }
-    
-    ~CacheEntry()
-    {
-      MOZ_COUNT_DTOR(nsAccessControlLRUCache::CacheEntry);
-    }
-    
-    nsCString key;
-    PRTime value;
-  };
-
-public:
-  nsAccessControlLRUCache()
-  {
-    MOZ_COUNT_CTOR(nsAccessControlLRUCache);
-    PR_INIT_CLIST(&mList);
-  }
-
-  ~nsAccessControlLRUCache()
-  {
-    Clear();
-    MOZ_COUNT_DTOR(nsAccessControlLRUCache);
-  }
-
-  PRBool Initialize()
-  {
-    return mTable.Init();
-  }
-
-  void GetEntry(nsIURI* aURI, nsIPrincipal* aPrincipal,
-                PRTime* _retval);
-
-  void PutEntry(nsIURI* aURI, nsIPrincipal* aPrincipal,
-                PRTime aValue);
-
-  void Clear();
-
-private:
-  PRBool GetEntryInternal(const nsACString& aKey, CacheEntry** _retval);
-
-  PR_STATIC_CALLBACK(PLDHashOperator)
-    RemoveExpiredEntries(const nsACString& aKey, nsAutoPtr<CacheEntry>& aValue,
-                         void* aUserData);
-
-  static PRBool GetCacheKey(nsIURI* aURI, nsIPrincipal* aPrincipal,
-                            nsACString& _retval);
-
-  nsClassHashtable<nsCStringHashKey, CacheEntry> mTable;
-  PRCList mList;
-};
-
 class nsXMLHttpRequest : public nsIXMLHttpRequest,
                          public nsIJSXMLHttpRequest,
                          public nsIDOMLoadListener,
                          public nsIDOMEventTarget,
                          public nsIStreamListener,
                          public nsIChannelEventSink,
                          public nsIProgressEventSink,
                          public nsIInterfaceRequestor,
@@ -184,42 +125,16 @@ public:
   NS_IMETHOD Initialize(nsISupports* aOwner, JSContext* cx, JSObject* obj,
                        PRUint32 argc, jsval* argv);
 
   // This is called by the factory constructor.
   nsresult Init();
 
   NS_DECL_CYCLE_COLLECTION_CLASS_AMBIGUOUS(nsXMLHttpRequest, nsIXMLHttpRequest)
 
-  static PRBool EnsureACCache()
-  {
-    if (sAccessControlCache)
-      return PR_TRUE;
-
-    nsAutoPtr<nsAccessControlLRUCache> newCache(new nsAccessControlLRUCache());
-    NS_ENSURE_TRUE(newCache, PR_FALSE);
-
-    if (newCache->Initialize()) {
-      sAccessControlCache = newCache.forget();
-      return PR_TRUE;
-    }
-
-    return PR_FALSE;
-  }
-
-  static void ShutdownACCache()
-  {
-    if (sAccessControlCache) {
-      delete sAccessControlCache;
-      sAccessControlCache = nsnull;
-    }
-  }
-
-  static nsAccessControlLRUCache* sAccessControlCache;
-
 protected:
 
   nsresult DetectCharset(nsACString& aCharset);
   nsresult ConvertBodyToText(nsAString& aOutBuffer);
   static NS_METHOD StreamReaderFunc(nsIInputStream* in,
                 void* closure,
                 const char* fromRawSegment,
                 PRUint32 toOffset,
@@ -276,17 +191,16 @@ protected:
   }
 
   nsCOMPtr<nsISupports> mContext;
   nsCOMPtr<nsIPrincipal> mPrincipal;
   nsCOMPtr<nsIChannel> mChannel;
   // mReadRequest is different from mChannel for multipart requests
   nsCOMPtr<nsIRequest> mReadRequest;
   nsCOMPtr<nsIDOMDocument> mDocument;
-  nsCOMPtr<nsIChannel> mACGetChannel;
 
   nsCOMArray<nsIDOMEventListener> mLoadEventListeners;
   nsCOMArray<nsIDOMEventListener> mErrorEventListeners;
   nsCOMArray<nsIDOMEventListener> mProgressEventListeners;
   nsCOMArray<nsIDOMEventListener> mUploadProgressEventListeners;
   nsCOMArray<nsIDOMEventListener> mReadystatechangeEventListeners;
 
   // These may be null (native callers or xpcshell).
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@@ -126,41 +126,16 @@ include $(topsrcdir)/config/rules.mk
 		test_bug392318.html \
 		test_bug392511.html \
 		test_bug393968.html \
 		test_bug395915.html \
 		test_bug397234.html \
 		test_bug398243.html \
 		formReset.html \
 		bug382113_object.html \
-		test_CrossSiteXHR.html \
-		file_CrossSiteXHR_fail1.xml \
-		file_CrossSiteXHR_fail2.xml \
-		file_CrossSiteXHR_fail2.xml^headers^ \
-		file_CrossSiteXHR_fail3.xml \
-		file_CrossSiteXHR_fail4.xml \
-		file_CrossSiteXHR_pass1.xml \
-		file_CrossSiteXHR_pass1.xml^headers^ \
-		file_CrossSiteXHR_pass2.xml \
-		file_CrossSiteXHR_pass3.xml \
-		test_CrossSiteXHR2.html \
-		file_CrossSiteXHR2_inner.html \
-		file_CrossSiteXHR2_fail1.xml \
-		file_CrossSiteXHR2_fail1.xml^headers^ \
-		file_CrossSiteXHR2_fail2.xml \
-		file_CrossSiteXHR2_pass1.xml \
-		file_CrossSiteXHR2_pass1.xml^headers^ \
-		file_CrossSiteXHR2_pass2.xml \
-		file_CrossSiteXHR2_pass3.xml \
-		file_CrossSiteXHR2_pass3.xml^headers^ \
-		file_CrossSiteXHR2_pass3_redirect.xml \
-		test_CrossSiteXHR3.html \
-		file_CrossSiteXHR3_inner.html \
-		file_CrossSiteXHR3_pass1.xml^headers^ \
-		file_CrossSiteXHR3_pass1.xml \
 		test_bug326337.html \
 		file_bug326337_inner.html \
 		file_bug326337_outer.html \
 		file_bug326337.xml \
 		file_bug326337_multipart.txt \
 		file_bug326337_multipart.txt^headers^ \
 		test_bug402150.html \
 		test_bug402150.html^headers^ \
@@ -180,16 +155,23 @@ include $(topsrcdir)/config/rules.mk
 		test_bug417384.html \
 		test_bug418214.html \
 		test_bug419527.xhtml \
 		test_bug420609.xhtml \
 		test_bug420700.html \
 		test_bug421602.html \
 		test_bug422537.html \
 		test_bug424212.html \
+    test_XHR.html \
+    file_XHR_pass1.xml \
+    file_XHR_pass2.txt \
+    file_XHR_pass3.txt \
+    file_XHR_pass3.txt^headers^ \
+    file_XHR_fail1.txt \
+    file_XHR_fail1.txt^headers^ \
 		$(NULL)
 
 libs:: $(_TEST_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
 
 check::
 	@$(EXIT_ON_ERROR) \
 	for f in $(subst .cpp,,$(CPP_UNIT_TESTS)); do \
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_fail1.xml
+++ /dev/null
@@ -1,1 +0,0 @@
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_fail1.xml^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-HTTP 200 OK
-Access-Control: allow <http://sub1.xn--lt-uia.example.org.example.org>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_fail2.xml
+++ /dev/null
@@ -1,2 +0,0 @@
-<?access-control allow="http://ält.example.org"?>
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_inner.html
+++ /dev/null
@@ -1,104 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-</head>
-<body>
-
-<script class="testbody" type="text/javascript">
-
-function doFail(msg)
-{
-  document.write(msg + "<p>");
-  parent.location.hash = "#fail";
-  throw 1;
-}
-
-var local = "http://example.com/tests/content/base/test/";
-
-var passFiles = [[local + 'file_CrossSiteXHR2_pass1.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR2_pass2.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR2_pass3.xml', 'GET']
-                 ];
-
-var failFiles = [[local + 'file_CrossSiteXHR2_fail1.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR2_fail2.xml', 'GET']
-                 ];
-
-netscape.security.PrivilegeManager.enablePrivilege(
-    "UniversalXPConnect UniversalBrowserWrite");
-
-for (i = 0; i < passFiles.length; ++i)
-{
-  xhr = new XMLHttpRequest();
-  if (!xhr)
-    doFail("Couldn't open request : " + passFiles[i][0]);
-  try {
-    xhr.open(passFiles[i][1], passFiles[i][0], false);
-  }
-  catch(e) {
-    doFail("Open failed : " + passFiles[i][0]);
-  }
-  
-  // Do the send
-  try {
-    xhr.send(null);
-  }
-  catch(e) {
-    doFail("Sending failed : " + passFiles[i][0]);
-  }
-  
-  // Check the Access-Control-Origin
-  var channel =
-    xhr.channel.QueryInterface(Components.interfaces.nsIHttpChannel);
-  var value = null;
-  try {
-    value = channel.getRequestHeader("Access-Control-Origin");
-  }
-  catch(e) {
-    doFail("Getting request header failed : " + passFiles[i][0]);
-  }
-  if (value != "http://sub1.xn--lt-uia.example.org:8000")
-   doFail("Referer-root incorrect : " + value);
-  
-  // Check the response
-  if (xhr.status != "200") {
-    doFail("Status incorrect : " + passFiles[i][0]);
-  }
-  if (xhr.responseXML) {
-    responseString = (new XMLSerializer()).serializeToString(
-      xhr.responseXML.documentElement);
-    if (responseString != "<res>hello</res>") {
-      doFail("Response incorrect : " + passFiles[i][0]);
-    }
-  }
-  else  {
-    doFail("No response : " + passFiles[i][0]);
-  }
-}
-
-for (i = 0; i < failFiles.length; ++i)
-{
-  xhr = new XMLHttpRequest();
-  if (!xhr)
-    doFail("Couldn't open request : " + passFiles[i][0]);
-  
-  success = false;
-  try {
-    xhr.open(failFiles[i][1], failFiles[i][0], false);
-    xhr.send(null);
-  }
-  catch (e) {
-    success = true;
-  }
-  if (!success) {
-    doFail("Test did not fail : " + failFiles[i][0]);
-  }
-}
-
-document.write("Success!");
-parent.location.hash = "#done";
-
-</script>
-
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_pass1.xml
+++ /dev/null
@@ -1,1 +0,0 @@
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_pass1.xml^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-HTTP 200 OK
-Access-Control: allow <http://sub1.xn--lt-uia.example.org:8000>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_pass2.xml
+++ /dev/null
@@ -1,2 +0,0 @@
-<?access-control allow="http://sub1.ält.example.org:8000"?>
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_pass3.xml
+++ /dev/null
@@ -1,1 +0,0 @@
-<res>wrong, should redirect</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_pass3.xml^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-HTTP 301 Moved Permanently
-Location: http://test1.example.org/tests/content/base/test/file_CrossSiteXHR2_pass3_redirect.xml
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR2_pass3_redirect.xml
+++ /dev/null
@@ -1,2 +0,0 @@
-<?access-control allow="http://sub1.ält.example.org:8000"?>
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR3_inner.html
+++ /dev/null
@@ -1,98 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-</head>
-<body>
-
-<script class="testbody" type="text/javascript">
-
-function doFail(msg)
-{
-  document.write(msg + "<p>");
-  parent.location.hash = "#fail";
-  throw 1;
-}
-
-var local = "http://example.com/tests/content/base/test/";
-
-var passFiles = [[local + 'file_CrossSiteXHR3_pass1.xml', 'GET']];
-
-var failFiles = [];
-
-netscape.security.PrivilegeManager.enablePrivilege(
-    "UniversalXPConnect UniversalBrowserWrite");
-
-for (i = 0; i < passFiles.length; ++i)
-{
-  xhr = new XMLHttpRequest();
-  if (!xhr)
-    doFail("Couldn't open request : " + passFiles[i][0]);
-  try {
-    xhr.open(passFiles[i][1], passFiles[i][0], false);
-  }
-  catch(e) {
-    doFail("Open failed : " + passFiles[i][0]);
-  }
-  
-  // Do the send
-  try {
-    xhr.send(null);
-  }
-  catch(e) {
-    doFail("Sending failed : " + passFiles[i][0]);
-  }
-  
-  // Check the Access-Control-Origin
-  var channel =
-    xhr.channel.QueryInterface(Components.interfaces.nsIHttpChannel);
-  var value = null;
-  try {
-    value = channel.getRequestHeader("Access-Control-Origin");
-  }
-  catch(e) {
-    doFail("Getting request header failed : " + passFiles[i][0]);
-  }
-  if (value != "http://sub2.xn--lt-uia.example.org")
-   doFail("Referer-root incorrect : " + value);
-  
-  // Check the response
-  if (xhr.status != "200") {
-    doFail("Status incorrect : " + passFiles[i][0]);
-  }
-  if (xhr.responseXML) {
-    responseString = (new XMLSerializer()).serializeToString(xhr.responseXML.documentElement);
-    if (responseString != "<res>hello</res>") {
-      doFail("Response incorrect : " + passFiles[i][0]);
-    }
-  }
-  else  {
-    doFail("No response : " + passFiles[i][0]);
-  }
-}
-
-for (i = 0; i < failFiles.length; ++i)
-{
-  xhr = new XMLHttpRequest();
-  if (!xhr)
-    doFail("Couldn't open request : " + passFiles[i][0]);
-    
-  success = false;
-  try {
-    xhr.open(failFiles[i][1], failFiles[i][0], false);
-    xhr.send(null);
-  }
-  catch (e) {
-    success = true;
-  }
-  if (!success) {
-    doFail("Test did not fail : " + failFiles[i][0]);
-  }
-}
-
-document.write("Success!");
-parent.location.hash = "#done";
-
-</script>
-
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR3_pass1.xml
+++ /dev/null
@@ -1,1 +0,0 @@
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR3_pass1.xml^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-HTTP 200 OK
-Access-Control: allow <http://sub2.xn--lt-uia.example.org>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_fail1.xml
+++ /dev/null
@@ -1,1 +0,0 @@
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_fail2.xml
+++ /dev/null
@@ -1,2 +0,0 @@
-<?access-control allow="*"?>
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_fail2.xml^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-HTTP 200 OK
-Access-Control: allow <*>, deny <*>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_fail3.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-<?access-control allow="http://localhost:8889"?>
-<?access-control deny="*" exclude="localhost:8888"?>
-<?access-control deny="ftp://localhost:8888"?>
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_fail4.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<?access-control allow="*"?>
->
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_pass1.xml
+++ /dev/null
@@ -1,1 +0,0 @@
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_pass1.xml^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-HTTP 200 OK
-Access-Control: allow <localhost:8888> exclude <localhost.bar> <bar.localhost>, deny <*> exclude <localhost:8888>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_pass2.xml
+++ /dev/null
@@ -1,2 +0,0 @@
-<?access-control allow="*"?>
-<res>hello</res>
deleted file mode 100644
--- a/content/base/test/file_CrossSiteXHR_pass3.xml
+++ /dev/null
@@ -1,5 +0,0 @@
-<?access-control allow="foo.com"?>
-<?access-control deny="*" exclude="localhost:8888"?>
-<?access-control deny="ftp://localhost:8888"?>
-<?access-control allow="http://localhost:8888"?>
-<res>hello</res>
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_fail1.txt
@@ -0,0 +1,1 @@
+redirect file
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_fail1.txt^headers^
@@ -0,0 +1,2 @@
+HTTP 301 Moved Permanently
+Location: http://example.com/tests/content/base/test/file_XHR_pass2.txt
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_fail1b.txt
@@ -0,0 +1,1 @@
+hello pass
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_pass1.xml
@@ -0,0 +1,1 @@
+<res>hello</res>
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_pass2.txt
@@ -0,0 +1,1 @@
+hello pass
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_pass3.txt
@@ -0,0 +1,1 @@
+redirect file
new file mode 100644
--- /dev/null
+++ b/content/base/test/file_XHR_pass3.txt^headers^
@@ -0,0 +1,2 @@
+HTTP 301 Moved Permanently
+Location: file_XHR_pass2.txt
deleted file mode 100644
--- a/content/base/test/test_CrossSiteXHR.html
+++ /dev/null
@@ -1,60 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Cross Site XMLHttpRequest</title>
-  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-  
-</div>
-<pre id="test">
-<script class="testbody" type="text/javascript">
-
-var local = "http://example.com/tests/content/base/test/";
-
-var passFiles = [[local + 'file_CrossSiteXHR_pass1.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR_pass2.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR_pass3.xml', 'GET'],
-                 ];
-
-var failFiles = [[local + 'file_CrossSiteXHR_fail1.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR_fail2.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR_fail3.xml', 'GET'],
-                 [local + 'file_CrossSiteXHR_fail4.xml', 'GET'],
-                 ];
-
-for (i = 0; i < passFiles.length; ++i) {
-  xhr = new XMLHttpRequest();
-  xhr.open(passFiles[i][1], passFiles[i][0], false); 
-  xhr.send(null);
-  is(xhr.status, 200, "wrong status");
-  if (xhr.responseXML) {
-    is((new XMLSerializer()).serializeToString(xhr.responseXML.documentElement),
-       "<res>hello</res>",
-       "wrong response");
-  }
-  else {
-    is(xhr.responseText, "hello pass\n", "wrong response");
-  }
-}
-
-for (i = 0; i < failFiles.length; ++i) {
-  xhr = new XMLHttpRequest();
-  success = false;
-  try {
-    xhr.open(failFiles[i][1], failFiles[i][0], false); 
-    xhr.send(null);
-  }
-  catch (e) {
-    success = true;
-  }
-  ok(success, "should have thrown");
-}
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/test_CrossSiteXHR2.html
+++ /dev/null
@@ -1,37 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Cross Site XMLHttpRequest with IDN</title>
-  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
-  <script type="text/javascript"
-    src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-  
-</div>
-
-<iframe id="inner" src="http://sub1.xn--lt-uia.example.org:8000/tests/content/base/test/file_CrossSiteXHR2_inner.html">
-</iframe>
-
-<pre id="test">
-<script class="testbody" type="text/javascript">
-
-SimpleTest.waitForExplicitFinish();
-
-var t = setInterval(doCheck, 300);
-function doCheck()
-{
-  if (location.hash) {
-    clearInterval(t);
-    is(location.hash, "#done", "failed to run");
-    SimpleTest.finish();
-  }
-}
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/test_CrossSiteXHR3.html
+++ /dev/null
@@ -1,37 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Cross Site XMLHttpRequest with Referer-Root</title>
-  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
-  <script type="text/javascript"
-    src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-  
-</div>
-
-<iframe id="inner" src="http://sub2.xn--lt-uia.example.org:80/tests/content/base/test/file_CrossSiteXHR3_inner.html">
-</iframe>
-
-<pre id="test">
-<script class="testbody" type="text/javascript">
-
-SimpleTest.waitForExplicitFinish();
-
-var t = setInterval(doCheck, 300);
-function doCheck()
-{
-  if (location.hash) {
-    clearInterval(t);
-    is(location.hash, "#done", "failed to run");
-    SimpleTest.finish();
-  }
-}
-
-</script>
-</pre>
-</body>
-</html>
new file mode 100644
--- /dev/null
+++ b/content/base/test/test_XHR.html
@@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for XMLHttpRequest</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/";
+
+var passFiles = [['file_XHR_pass1.xml', 'GET'],
+                 ['file_XHR_pass2.txt', 'GET'],
+                 ['file_XHR_pass3.txt', 'GET'],
+                 ];
+
+var failFiles = [['//example.com' + path + 'file_XHR_pass1.xml', 'GET'],
+                 ['ftp://localhost' + path + 'file_XHR_pass1.xml', 'GET'],
+                 ['file_XHR_fail1.txt', 'GET'],
+                 ];
+
+for (i = 0; i < passFiles.length; ++i) {
+  xhr = new XMLHttpRequest();
+  xhr.open(passFiles[i][1], passFiles[i][0], false); 
+  xhr.send(null);
+  is(xhr.status, 200, "wrong status");
+  if (xhr.responseXML) {
+    is((new XMLSerializer()).serializeToString(xhr.responseXML.documentElement),
+       "<res>hello</res>",
+       "wrong response");
+  }
+  else {
+    is(xhr.responseText, "hello pass\n", "wrong response");
+  }
+}
+
+for (i = 0; i < failFiles.length; ++i) {
+  xhr = new XMLHttpRequest();
+  didthrow = false;
+  try {
+    xhr.open(failFiles[i][1], failFiles[i][0], false); 
+    xhr.send(null);
+  }
+  catch (e) {
+    didthrow = true;
+  }
+  if (!didthrow) {
+    is(xhr.status, 301, "wrong status");
+    is(xhr.responseText, "redirect file\n", "wrong response");
+  }
+  else {
+    ok(1, "should have thrown or given incorrect result");
+  }
+}
+</script>
+</pre>
+</body>
+</html>
--- a/content/html/document/src/nsHTMLDocument.cpp
+++ b/content/html/document/src/nsHTMLDocument.cpp
@@ -1982,20 +1982,16 @@ nsHTMLDocument::GetAnchors(nsIDOMHTMLCol
 }
 
 NS_IMETHODIMP
 nsHTMLDocument::GetCookie(nsAString& aCookie)
 {
   aCookie.Truncate(); // clear current cookie in case service fails;
                       // no cookie isn't an error condition.
 
-  if (mDisableCookieAccess) {
-    return NS_OK;
-  }
-
   // not having a cookie service isn't an error
   nsCOMPtr<nsICookieService> service = do_GetService(NS_COOKIESERVICE_CONTRACTID);
   if (service) {
     // Get a URI from the document principal. We use the original
     // codebase in case the codebase was changed by SetDomain
     nsCOMPtr<nsIURI> codebaseURI;
     NodePrincipal()->GetURI(getter_AddRefs(codebaseURI));
 
@@ -2012,20 +2008,16 @@ nsHTMLDocument::GetCookie(nsAString& aCo
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHTMLDocument::SetCookie(const nsAString& aCookie)
 {
-  if (mDisableCookieAccess) {
-    return NS_OK;
-  }
-
   // not having a cookie service isn't an error
   nsCOMPtr<nsICookieService> service = do_GetService(NS_COOKIESERVICE_CONTRACTID);
   if (service && mDocumentURI) {
     nsCOMPtr<nsIPrompt> prompt;
     nsCOMPtr<nsPIDOMWindow> window = GetWindow();
     if (window) {
       window->GetPrompter(getter_AddRefs(prompt));
     }
--- a/content/html/document/src/nsHTMLDocument.h
+++ b/content/html/document/src/nsHTMLDocument.h
@@ -203,21 +203,16 @@ public:
 
   nsresult ChangeContentEditableCount(nsIContent *aElement, PRInt32 aChange);
 
   virtual EditingState GetEditingState()
   {
     return mEditingState;
   }
 
-  virtual void DisableCookieAccess()
-  {
-    mDisableCookieAccess = PR_TRUE;
-  }
-
   virtual nsIContent* GetBodyContentExternal();
 
   void EndUpdate(nsUpdateType aUpdateType);
 
   NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED_NO_UNLINK(nsHTMLDocument, nsDocument)
 
   virtual already_AddRefed<nsIParser> GetFragmentParser() {
     return mFragmentParser.forget();
@@ -386,15 +381,13 @@ protected:
   static jsval       sPasteInternal_id;
 
   // kNameSpaceID_None for good ol' HTML documents, and
   // kNameSpaceID_XHTML for spiffy new XHTML documents.
   // XXXbz should this be reset if someone manually calls
   // SetContentType() on this document?
   PRInt32 mDefaultNamespaceID;
 
-  PRBool mDisableCookieAccess;
-
   // Parser used for constructing document fragments.
   nsCOMPtr<nsIParser> mFragmentParser;
 };
 
 #endif /* nsHTMLDocument_h___ */
--- a/content/html/document/src/nsIHTMLDocument.h
+++ b/content/html/document/src/nsIHTMLDocument.h
@@ -169,21 +169,16 @@ public:
    * Returns the result of document.all[aID] which can either be a node
    * or a nodelist depending on if there are multiple nodes with the same
    * id.
    */
   virtual nsresult GetDocumentAllResult(const nsAString& aID,
                                         nsISupports** aResult) = 0;
 
   /**
-   * Disables getting and setting cookies
-   */
-  virtual void DisableCookieAccess() = 0;
-
-  /**
    * Get the first <body> child of the root <html>, but don't do
    * anything <frameset>-related (like nsIDOMHTMLDocument::GetBody).
    */
   virtual nsIContent* GetBodyContentExternal() = 0;
 
   /**
    * Called when this nsIHTMLDocument's editor is destroyed.
    */
--- a/content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp
+++ b/content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp
@@ -65,17 +65,16 @@
 #include "txAtoms.h"
 #include "txLog.h"
 #include "txMozillaXSLTProcessor.h"
 #include "txStylesheetCompiler.h"
 #include "txXMLUtils.h"
 #include "nsAttrName.h"
 #include "nsIScriptError.h"
 #include "nsIURL.h"
-#include "nsCrossSiteListenerProxy.h"
 #include "nsDOMError.h"
 
 static NS_DEFINE_CID(kCParserCID, NS_PARSER_CID);
 
 static void
 getSpec(nsIChannel* aChannel, nsAString& aSpec)
 {
     if (!aChannel) {
@@ -91,25 +90,27 @@ getSpec(nsIChannel* aChannel, nsAString&
     nsCAutoString spec;
     uri->GetSpec(spec);
     AppendUTF8toUTF16(spec, aSpec);
 }
 
 class txStylesheetSink : public nsIXMLContentSink,
                          public nsIExpatSink,
                          public nsIStreamListener,
+                         public nsIChannelEventSink,
                          public nsIInterfaceRequestor
 {
 public:
     txStylesheetSink(txStylesheetCompiler* aCompiler, nsIParser* aParser);
 
     NS_DECL_ISUPPORTS
     NS_DECL_NSIEXPATSINK
     NS_DECL_NSISTREAMLISTENER
     NS_DECL_NSIREQUESTOBSERVER
+    NS_DECL_NSICHANNELEVENTSINK
     NS_DECL_NSIINTERFACEREQUESTOR
 
     // nsIContentSink
     NS_IMETHOD WillTokenize(void) { return NS_OK; }
     NS_IMETHOD WillBuildModel(void) { return NS_OK; }
     NS_IMETHOD DidBuildModel();
     NS_IMETHOD WillInterrupt(void) { return NS_OK; }
     NS_IMETHOD WillResume(void) { return NS_OK; }
@@ -131,22 +132,23 @@ protected:
 txStylesheetSink::txStylesheetSink(txStylesheetCompiler* aCompiler,
                                    nsIParser* aParser)
     : mCompiler(aCompiler),
       mCheckedForXML(PR_FALSE)
 {
     mListener = do_QueryInterface(aParser);
 }
 
-NS_IMPL_ISUPPORTS6(txStylesheetSink,
+NS_IMPL_ISUPPORTS7(txStylesheetSink,
                    nsIXMLContentSink,
                    nsIContentSink,
                    nsIExpatSink,
                    nsIStreamListener,
                    nsIRequestObserver,
+                   nsIChannelEventSink,
                    nsIInterfaceRequestor)
 
 NS_IMETHODIMP
 txStylesheetSink::HandleStartElement(const PRUnichar *aName,
                                      const PRUnichar **aAtts,
                                      PRUint32 aAttsCount,
                                      PRInt32 aIndex,
                                      PRUint32 aLineNumber)
@@ -369,16 +371,39 @@ txStylesheetSink::OnStopRequest(nsIReque
     }
 
     nsresult rv = mListener->OnStopRequest(aRequest, aContext, aStatusCode);
     mListener = nsnull;
     return rv;
 }
 
 NS_IMETHODIMP
+txStylesheetSink::OnChannelRedirect(nsIChannel *aOldChannel,
+                                    nsIChannel *aNewChannel,
+                                    PRUint32    aFlags)
+{
+    NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
+
+    nsCOMPtr<nsIURI> oldURI;
+    nsresult rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIURI> newURI;
+    rv = aNewChannel->GetURI(getter_AddRefs(newURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = nsContentUtils::GetSecurityManager()->
+        CheckSameOriginURI(oldURI, newURI, PR_TRUE);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    return NS_OK;
+}
+
+
+NS_IMETHODIMP
 txStylesheetSink::GetInterface(const nsIID& aIID, void** aResult)
 {
     if (aIID.Equals(NS_GET_IID(nsIAuthPrompt))) {
         NS_ENSURE_ARG(aResult);
         *aResult = nsnull;
 
         nsresult rv;
         nsCOMPtr<nsIWindowWatcher> wwatcher =
@@ -391,17 +416,17 @@ txStylesheetSink::GetInterface(const nsI
 
         nsIAuthPrompt* rawPtr = nsnull;
         prompt.swap(rawPtr);
         *aResult = rawPtr;
 
         return NS_OK;
     }
 
-    return NS_ERROR_NO_INTERFACE;
+    return QueryInterface(aIID, aResult);
 }
 
 class txCompileObserver : public txACompileObserver
 {
 public:
     txCompileObserver(txMozillaXSLTProcessor* aProcessor,
                       nsILoadGroup* aLoadGroup);
 
@@ -464,29 +489,23 @@ txCompileObserver::loadURI(const nsAStri
     rv = NS_NewURI(getter_AddRefs(referrerUri), aReferrerUri);
     NS_ENSURE_SUCCESS(rv, rv);
 
     nsCOMPtr<nsIPrincipal> referrerPrincipal;
     rv = nsContentUtils::GetSecurityManager()->
       GetCodebasePrincipal(referrerUri, getter_AddRefs(referrerPrincipal));
     NS_ENSURE_SUCCESS(rv, rv);
 
-    // Content Policy
-    PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
-    rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_STYLESHEET,
-                                   uri,
-                                   referrerPrincipal,
-                                   nsnull,
-                                   NS_LITERAL_CSTRING("application/xml"),
-                                   nsnull,
-                                   &shouldLoad);
+    // Do security check
+    rv = nsContentUtils::
+      CheckSecurityBeforeLoad(uri, referrerPrincipal,
+                              nsIScriptSecurityManager::STANDARD, PR_FALSE,
+                              nsIContentPolicy::TYPE_STYLESHEET,
+                              nsnull, NS_LITERAL_CSTRING("application/xml"));
     NS_ENSURE_SUCCESS(rv, rv);
-    if (NS_CP_REJECTED(shouldLoad)) {
-        return NS_ERROR_DOM_BAD_URI;
-    }
 
     return startLoad(uri, aCompiler, referrerPrincipal);
 }
 
 void
 txCompileObserver::onDoneCompiling(txStylesheetCompiler* aCompiler,
                                    nsresult aResult,
                                    const PRUnichar *aErrorText,
@@ -532,47 +551,35 @@ txCompileObserver::startLoad(nsIURI* aUr
     NS_ENSURE_TRUE(sink, NS_ERROR_OUT_OF_MEMORY);
 
     channel->SetNotificationCallbacks(sink);
 
     parser->SetCommand(kLoadAsData);
     parser->SetContentSink(sink);
     parser->Parse(aUri);
 
-    // Always install in case of redirects
-    nsCOMPtr<nsIStreamListener> listener =
-        new nsCrossSiteListenerProxy(sink, aReferrerPrincipal, channel, &rv);
-    NS_ENSURE_TRUE(listener, NS_ERROR_OUT_OF_MEMORY);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    return channel->AsyncOpen(listener, parser);
+    return channel->AsyncOpen(sink, parser);
 }
 
 nsresult
 TX_LoadSheet(nsIURI* aUri, txMozillaXSLTProcessor* aProcessor,
              nsILoadGroup* aLoadGroup, nsIPrincipal* aCallerPrincipal)
 {
     nsCAutoString spec;
     aUri->GetSpec(spec);
     PR_LOG(txLog::xslt, PR_LOG_ALWAYS, ("TX_LoadSheet: %s\n", spec.get()));
 
-    // Content Policy
-    PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
-    nsresult rv =
-        NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_STYLESHEET,
-                                  aUri,
-                                  aCallerPrincipal,
-                                  aProcessor->GetSourceContentModel(),
-                                  NS_LITERAL_CSTRING("application/xml"),
-                                  nsnull,
-                                  &shouldLoad);
+    // Pass source document as the context
+    nsresult rv = nsContentUtils::
+      CheckSecurityBeforeLoad(aUri, aCallerPrincipal,
+                              nsIScriptSecurityManager::STANDARD, PR_FALSE,
+                              nsIContentPolicy::TYPE_STYLESHEET,
+                              aProcessor->GetSourceContentModel(),
+                              NS_LITERAL_CSTRING("application/xml"));
     NS_ENSURE_SUCCESS(rv, rv);
-    if (NS_CP_REJECTED(shouldLoad)) {
-        return NS_ERROR_DOM_BAD_URI;
-    }
 
     nsRefPtr<txCompileObserver> observer =
         new txCompileObserver(aProcessor, aLoadGroup);
     NS_ENSURE_TRUE(observer, NS_ERROR_OUT_OF_MEMORY);
 
     nsRefPtr<txStylesheetCompiler> compiler =
         new txStylesheetCompiler(NS_ConvertUTF8toUTF16(spec), observer);
     NS_ENSURE_TRUE(compiler, NS_ERROR_OUT_OF_MEMORY);
@@ -704,29 +711,23 @@ txSyncCompileObserver::loadURI(const nsA
     rv = NS_NewURI(getter_AddRefs(referrerUri), aReferrerUri);
     NS_ENSURE_SUCCESS(rv, rv);
 
     nsCOMPtr<nsIPrincipal> referrerPrincipal;
     rv = nsContentUtils::GetSecurityManager()->
       GetCodebasePrincipal(referrerUri, getter_AddRefs(referrerPrincipal));
     NS_ENSURE_SUCCESS(rv, rv);
 
-    // Content Policy
-    PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
-    rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_STYLESHEET,
-                                   uri,
-                                   referrerPrincipal,
-                                   nsnull,
-                                   NS_LITERAL_CSTRING("application/xml"),
-                                   nsnull,
-                                   &shouldLoad);
+    // Security checks
+    rv = nsContentUtils::
+      CheckSecurityBeforeLoad(uri, referrerPrincipal,
+                              nsIScriptSecurityManager::STANDARD,
+                              PR_FALSE, nsIContentPolicy::TYPE_STYLESHEET,
+                              nsnull, NS_LITERAL_CSTRING("application/xml"));
     NS_ENSURE_SUCCESS(rv, rv);
-    if (NS_CP_REJECTED(shouldLoad)) {
-        return NS_ERROR_DOM_BAD_URI;
-    }
 
     // This is probably called by js, a loadGroup for the channel doesn't
     // make sense.
     nsCOMPtr<nsIDOMDocument> document;
     rv = nsSyncLoadService::LoadDocument(uri, referrerPrincipal, nsnull,
                                          PR_FALSE, getter_AddRefs(document));
     NS_ENSURE_SUCCESS(rv, rv);