Use the principal doing the load to decide on the URI to pass to content policies. This will help do the right thing for data:/javascript:/about:blank, as well as allow us to skip content policies altogether if the caller is system. Bug 388597, r+sr=sicking
authorbzbarsky@mit.edu
Tue, 07 Aug 2007 18:16:09 -0700
changeset 4367 45c61f5bc283e2492bbf1206e9216cbbf3083093
parent 4366 d98e61bcd3a128d3b51cf4f2b4f9aea0cc04a17c
child 4368 007c0b27ae0406b993d6388613a93fe683f0cd59
push id1
push userroot
push dateTue, 26 Apr 2011 22:38:44 +0000
treeherdermozilla-beta@bfdb6e623a36 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs388597
milestone1.9a8pre
Use the principal doing the load to decide on the URI to pass to content policies. This will help do the right thing for data:/javascript:/about:blank, as well as allow us to skip content policies altogether if the caller is system. Bug 388597, r+sr=sicking
content/base/public/nsContentPolicyUtils.h
content/base/src/nsContentUtils.cpp
content/base/src/nsObjectLoadingContent.cpp
content/base/src/nsScriptLoader.cpp
content/base/src/nsXMLHttpRequest.cpp
content/html/document/src/nsImageDocument.cpp
content/xbl/src/nsXBLResourceLoader.cpp
content/xml/document/src/nsXMLContentSink.cpp
content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp
content/xul/document/src/nsXULDocument.cpp
docshell/base/nsDocShell.cpp
docshell/base/nsWebShell.cpp
editor/libeditor/html/nsHTMLEditor.cpp
embedding/browser/webBrowser/Makefile.in
extensions/permissions/Makefile.in
layout/style/nsCSSLoader.cpp
layout/style/nsCSSLoader.h
layout/style/nsICSSLoader.h
modules/plugin/base/src/nsPluginHostImpl.cpp
--- a/content/base/public/nsContentPolicyUtils.h
+++ b/content/base/public/nsContentPolicyUtils.h
@@ -34,27 +34,32 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Utility routines for checking content load/process policy settings,
  * and routines helpful for content policy implementors.
+ *
+ * XXXbz it would be nice if some of this stuff could be out-of-lined in
+ * nsContentUtils.  That would work for almost all the callers...
  */
 
 #ifndef __nsContentPolicyUtils_h__
 #define __nsContentPolicyUtils_h__
 
 // for PR_LOGGING
 #include "prlog.h"
 
 #include "nsIContentPolicy.h"
 #include "nsIServiceManager.h"
 #include "nsIContent.h"
+#include "nsIScriptSecurityManager.h"
+#include "nsIPrincipal.h"
 
 //XXXtw sadly, this makes consumers of nsContentPolicyUtils depend on widget
 #include "nsIDocument.h"
 #include "nsPIDOMWindow.h"
 
 class nsACString;
 
 #define NS_CONTENTPOLICY_CONTRACTID   "@mozilla.org/layout/content-policy;1"
@@ -158,51 +163,94 @@ NS_CP_ContentTypeName(PRUint32 contentTy
 /* Passes on parameters from its "caller"'s context. */
 #define CHECK_CONTENT_POLICY_WITH_SERVICE(action, _policy)                    \
   PR_BEGIN_MACRO                                                              \
     return _policy-> action (contentType, contentLocation, requestOrigin,     \
                              context, mimeType, extra, decision);             \
   PR_END_MACRO
 
 /**
- * Alias for calling ShouldLoad on the content policy service.
- * Parameters are the same as nsIContentPolicy::shouldLoad, except for
- * the last parameter, which can be used to pass in a pointer to the
- * service if the caller already has one.
+ * Check whether we can short-circuit this check and bail out.  If not, get the
+ * origin URI to use.
+ *
+ * Note: requestOrigin is scoped outside the PR_BEGIN_MACRO/PR_END_MACRO on
+ * purpose */
+#define CHECK_PRINCIPAL                                                       \
+  nsCOMPtr<nsIURI> requestOrigin;                                             \
+  PR_BEGIN_MACRO                                                              \
+  if (originPrincipal) {                                                      \
+      nsCOMPtr<nsIScriptSecurityManager> secMan = aSecMan;                    \
+      if (!secMan) {                                                          \
+          secMan = do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);        \
+      }                                                                       \
+      if (secMan) {                                                           \
+          PRBool isSystem;                                                    \
+          nsresult rv = secMan->IsSystemPrincipal(originPrincipal,            \
+                                                  &isSystem);                 \
+          NS_ENSURE_SUCCESS(rv, rv);                                          \
+          if (isSystem) {                                                     \
+              *decision = nsIContentPolicy::ACCEPT;                           \
+              return NS_OK;                                                   \
+          }                                                                   \
+      }                                                                       \
+      nsresult rv = originPrincipal->GetURI(getter_AddRefs(requestOrigin));   \
+      NS_ENSURE_SUCCESS(rv, rv);                                              \
+  } else {                                                                    \
+    requestOrigin = originURI;                                                \
+  }                                                                           \
+  PR_END_MACRO
+
+/**
+ * Alias for calling ShouldLoad on the content policy service.  Parameters are
+ * the same as nsIContentPolicy::shouldLoad, except for the originPrincipal
+ * parameter, which should be non-null if possible, and the last two
+ * parameters, which can be used to pass in pointer to some useful services if
+ * the caller already has them.  |originURI| is only used if |originPrincipal|
+ * is null.
  */
 inline nsresult
 NS_CheckContentLoadPolicy(PRUint32          contentType,
                           nsIURI           *contentLocation,
-                          nsIURI           *requestOrigin,
+                          nsIURI           *originURI,
+                          nsIPrincipal     *originPrincipal,
                           nsISupports      *context,
                           const nsACString &mimeType,
                           nsISupports      *extra,
                           PRInt16          *decision,
-                          nsIContentPolicy *policyService = nsnull)
+                          nsIContentPolicy *policyService = nsnull,
+                          nsIScriptSecurityManager* aSecMan = nsnull)
 {
+    CHECK_PRINCIPAL;
     if (policyService) {
         CHECK_CONTENT_POLICY_WITH_SERVICE(ShouldLoad, policyService);
     }
     CHECK_CONTENT_POLICY(ShouldLoad);
 }
 
 /**
- * Alias for calling ShouldProcess on the content policy service.
- * Parameters are the same as nsIContentPolicy::shouldProcess.
+ * Alias for calling ShouldProcess on the content policy service.  Parameters
+ * are the same as nsIContentPolicy::shouldLoad, except for the originPrincipal
+ * parameter, which should be non-null if possible, and the last two
+ * parameters, which can be used to pass in pointer to some useful services if
+ * the caller already has them.  |originURI| is only used if |originPrincipal|
+ * is null.
  */
 inline nsresult
 NS_CheckContentProcessPolicy(PRUint32          contentType,
                              nsIURI           *contentLocation,
-                             nsIURI           *requestOrigin,
+                             nsIURI           *originURI,
+                             nsIPrincipal     *originPrincipal,
                              nsISupports      *context,
                              const nsACString &mimeType,
                              nsISupports      *extra,
                              PRInt16          *decision,
-                             nsIContentPolicy *policyService = nsnull)
+                             nsIContentPolicy *policyService = nsnull,
+                             nsIScriptSecurityManager* aSecMan = nsnull)
 {
+    CHECK_PRINCIPAL;
     if (policyService) {
         CHECK_CONTENT_POLICY_WITH_SERVICE(ShouldProcess, policyService);
     }
     CHECK_CONTENT_POLICY(ShouldProcess);
 }
 
 #undef CHECK_CONTENT_POLICY
 #undef CHECK_CONTENT_POLICY_WITH_SERVICE
--- a/content/base/src/nsContentUtils.cpp
+++ b/content/base/src/nsContentUtils.cpp
@@ -2111,30 +2111,28 @@ nsContentUtils::CanLoadImage(nsIURI* aUR
         // Reject the request itself, not all requests to the relevant
         // server...
         *aImageBlockingStatus = nsIContentPolicy::REJECT_REQUEST;
       }
       return PR_FALSE;
     }
   }
 
-  nsCOMPtr<nsIURI> loadingURI;
-  rv = aLoadingPrincipal->GetURI(getter_AddRefs(loadingURI));
-  NS_ENSURE_SUCCESS(rv, PR_FALSE);
-
   PRInt16 decision = nsIContentPolicy::ACCEPT;
 
   rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_IMAGE,
                                  aURI,
-                                 loadingURI,
+                                 nsnull,
+                                 aLoadingPrincipal,
                                  aContext,
                                  EmptyCString(), //mime guess
                                  nsnull,         //extra
                                  &decision,
-                                 GetContentPolicy());
+                                 GetContentPolicy(),
+                                 sSecurityManager);
 
   if (aImageBlockingStatus) {
     *aImageBlockingStatus =
       NS_FAILED(rv) ? nsIContentPolicy::REJECT_REQUEST : decision;
   }
   return NS_FAILED(rv) ? PR_FALSE : NS_CP_ACCEPTED(decision);
 }
 
@@ -3606,47 +3604,51 @@ nsContentUtils::CheckSecurityBeforeLoad(
                                         nsIPrincipal* aLoadingPrincipal,
                                         PRUint32 aCheckLoadFlags,
                                         PRBool aAllowData,
                                         PRUint32 aContentPolicyType,
                                         nsISupports* aContext,
                                         const nsACString& aMimeGuess,
                                         nsISupports* aExtra)
 {
+  NS_PRECONDITION(aLoadingPrincipal, "Must have a loading principal here");
+  
   // XXXbz do we want to fast-path skin stylesheets loading XBL here somehow?
-  nsCOMPtr<nsIURI> loadingURI;
-  nsresult rv = aLoadingPrincipal->GetURI(getter_AddRefs(loadingURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-
   // CheckLoadURIWithPrincipal
-  rv = sSecurityManager->
+  nsresult rv = sSecurityManager->
     CheckLoadURIWithPrincipal(aLoadingPrincipal, aURIToLoad, aCheckLoadFlags);
   NS_ENSURE_SUCCESS(rv, rv);
 
   // Content Policy
   PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(aContentPolicyType,
                                  aURIToLoad,
-                                 loadingURI,
+                                 nsnull,
+                                 aLoadingPrincipal,
                                  aContext,
                                  aMimeGuess,
                                  aExtra,
                                  &shouldLoad,
-                                 GetContentPolicy());
+                                 GetContentPolicy(),
+                                 sSecurityManager);
   NS_ENSURE_SUCCESS(rv, rv);
   if (NS_CP_REJECTED(shouldLoad)) {
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
   // Same Origin
   if ((aAllowData && SchemeIs(aURIToLoad, "data")) ||
       ((aCheckLoadFlags & nsIScriptSecurityManager::ALLOW_CHROME) &&
        SchemeIs(aURIToLoad, "chrome"))) {
     return NS_OK;
   }
+
+  nsCOMPtr<nsIURI> loadingURI;
+  rv = aLoadingPrincipal->GetURI(getter_AddRefs(loadingURI));
+  NS_ENSURE_SUCCESS(rv, rv);
   return sSecurityManager->CheckSameOriginURI(loadingURI, aURIToLoad);
 }
 
 /* static */
 void
 nsContentUtils::TriggerLink(nsIContent *aContent, nsPresContext *aPresContext,
                             nsIURI *aLinkURI, const nsString &aTargetSpec,
                             PRBool aClick, PRBool aIsUserTriggered)
--- a/content/base/src/nsObjectLoadingContent.cpp
+++ b/content/base/src/nsObjectLoadingContent.cpp
@@ -886,22 +886,24 @@ nsObjectLoadingContent::LoadObject(nsIUR
       Fallback(PR_FALSE);
       return NS_OK;
     }
 
     PRInt16 shouldLoad = nsIContentPolicy::ACCEPT; // default permit
     rv =
       NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_OBJECT,
                                 aURI,
-                                doc->GetDocumentURI(),
+                                nsnull,
+                                doc->NodePrincipal(),
                                 static_cast<nsIImageLoadingContent*>(this),
                                 aTypeHint,
                                 nsnull, //extra
                                 &shouldLoad,
-                                nsContentUtils::GetContentPolicy());
+                                nsContentUtils::GetContentPolicy(),
+                                nsContentUtils::GetSecurityManager());
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
       // Must call UnloadContent first, as it overwrites
       // mSuppressed/mUserDisabled. It also takes care of setting the type to
       // eType_Null.
       UnloadContent();
       if (NS_SUCCEEDED(rv)) {
         if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
           mUserDisabled = PR_TRUE;
--- a/content/base/src/nsScriptLoader.cpp
+++ b/content/base/src/nsScriptLoader.cpp
@@ -420,25 +420,26 @@ nsScriptLoader::ProcessScriptElement(nsI
     rv = nsContentUtils::GetSecurityManager()->
       CheckLoadURIWithPrincipal(mDocument->NodePrincipal(), scriptURI,
                                 nsIScriptSecurityManager::ALLOW_CHROME);
 
     NS_ENSURE_SUCCESS(rv, rv);
 
     // After the security manager, the content-policy stuff gets a veto
     PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
-    nsIURI *docURI = mDocument->GetDocumentURI();
     rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_SCRIPT,
                                    scriptURI,
-                                   docURI,
+                                   nsnull,
+                                   mDocument->NodePrincipal(),
                                    aElement,
                                    NS_LossyConvertUTF16toASCII(type),
                                    nsnull,    //extra
                                    &shouldLoad,
-                                   nsContentUtils::GetContentPolicy());
+                                   nsContentUtils::GetContentPolicy(),
+                                   nsContentUtils::GetSecurityManager());
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
       if (NS_FAILED(rv) || shouldLoad != nsIContentPolicy::REJECT_TYPE) {
         return NS_ERROR_CONTENT_BLOCKED;
       }
       return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
     }
 
     request->mURI = scriptURI;
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -1259,21 +1259,24 @@ nsXMLHttpRequest::OpenRequest(const nsAC
   if (NS_FAILED(rv)) return rv;
 
   // mScriptContext should be initialized because of GetBaseURI() above.
   // Still need to consider the case that doc is nsnull however.
   doc = GetDocumentFromScriptContext(mScriptContext);
   PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_XMLHTTPREQUEST,
                                  uri,
-                                 (doc ? doc->GetDocumentURI() : nsnull),
+                                 nsnull,
+                                 (doc ? doc->NodePrincipal() : nsnull),
                                  doc,
                                  EmptyCString(), //mime guess
                                  nsnull,         //extra
-                                 &shouldLoad);
+                                 &shouldLoad,
+                                 nsContentUtils::GetContentPolicy(),
+                                 nsContentUtils::GetSecurityManager());
   if (NS_FAILED(rv)) return rv;
   if (NS_CP_REJECTED(shouldLoad)) {
     // Disallowed by content policy
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
   if (!user.IsEmpty()) {
     nsCAutoString userpass;
--- a/content/html/document/src/nsImageDocument.cpp
+++ b/content/html/document/src/nsImageDocument.cpp
@@ -180,26 +180,34 @@ ImageListener::OnStartRequest(nsIRequest
   NS_ENSURE_TRUE(domWindow, NS_ERROR_UNEXPECTED);
 
   // Do a ShouldProcess check to see whether to keep loading the image.
   nsCOMPtr<nsIURI> channelURI;
   channel->GetURI(getter_AddRefs(channelURI));
 
   nsCAutoString mimeType;
   channel->GetContentType(mimeType);
-    
+
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  nsCOMPtr<nsIPrincipal> channelPrincipal;
+  if (secMan) {
+    secMan->GetChannelPrincipal(channel, getter_AddRefs(channelPrincipal));
+  }
+  
   PRInt16 decision = nsIContentPolicy::ACCEPT;
   nsresult rv = NS_CheckContentProcessPolicy(nsIContentPolicy::TYPE_IMAGE,
                                              channelURI,
                                              nsnull,
+                                             channelPrincipal,
                                              domWindow->GetFrameElementInternal(),
                                              mimeType,
                                              nsnull,
                                              &decision,
-                                             nsContentUtils::GetContentPolicy());
+                                             nsContentUtils::GetContentPolicy(),
+                                             secMan);
                                                
   if (NS_FAILED(rv) || NS_CP_REJECTED(decision)) {
     request->Cancel(NS_ERROR_CONTENT_BLOCKED);
     return NS_OK;
   }
 
   nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(imgDoc->mImageContent);
   NS_ENSURE_TRUE(imageLoader, NS_ERROR_UNEXPECTED);
--- a/content/xbl/src/nsXBLResourceLoader.cpp
+++ b/content/xbl/src/nsXBLResourceLoader.cpp
@@ -105,38 +105,39 @@ nsXBLResourceLoader::LoadResources(PRBoo
   *aResult = PR_TRUE;
 
   // Declare our loaders.
   nsCOMPtr<nsIDocument> doc;
   mBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(doc));
 
   nsICSSLoader* cssLoader = doc->CSSLoader();
   nsIURI *docURL = doc->GetDocumentURI();
+  nsIPrincipal* docPrincipal = doc->NodePrincipal();
 
   nsCOMPtr<nsIURI> url;
 
   for (nsXBLResource* curr = mResourceList; curr; curr = curr->mNext) {
     if (curr->mSrc.IsEmpty())
       continue;
 
     if (NS_FAILED(NS_NewURI(getter_AddRefs(url), curr->mSrc,
                             doc->GetDocumentCharacterSet().get(), docURL)))
       continue;
 
     if (curr->mType == nsGkAtoms::image) {
-      if (!nsContentUtils::CanLoadImage(url, doc, doc, doc->NodePrincipal())) {
+      if (!nsContentUtils::CanLoadImage(url, doc, doc, docPrincipal)) {
         // We're not permitted to load this image, move on...
         continue;
       }
 
       // Now kick off the image load...
       // Passing NULL for pretty much everything -- cause we don't care!
       // XXX: initialDocumentURI is NULL! 
       nsCOMPtr<imgIRequest> req;
-      nsContentUtils::LoadImage(url, doc, doc->NodePrincipal(), docURL, nsnull,
+      nsContentUtils::LoadImage(url, doc, docPrincipal, docURL, nsnull,
                                 nsIRequest::LOAD_BACKGROUND,
                                 getter_AddRefs(req));
     }
     else if (curr->mType == nsGkAtoms::stylesheet) {
       // Kick off the load of the stylesheet.
 
       // Always load chrome synchronously
       // XXXbz should that still do a content policy check?
@@ -150,17 +151,17 @@ nsXBLResourceLoader::LoadResources(PRBoo
         if (NS_SUCCEEDED(rv))
         {
           rv = StyleSheetLoaded(sheet, PR_FALSE, NS_OK);
           NS_ASSERTION(NS_SUCCEEDED(rv), "Processing the style sheet failed!!!");
         }
       }
       else
       {
-        rv = cssLoader->LoadSheet(url, docURL, doc->NodePrincipal(), this);
+        rv = cssLoader->LoadSheet(url, docPrincipal, this);
         if (NS_SUCCEEDED(rv))
           ++mPendingSheets;
       }
     }
   }
 
   *aResult = (mPendingSheets == 0);
   mInLoadResourcesFunc = PR_FALSE;
--- a/content/xml/document/src/nsXMLContentSink.cpp
+++ b/content/xml/document/src/nsXMLContentSink.cpp
@@ -758,22 +758,24 @@ nsXMLContentSink::ProcessStyleLink(nsICo
 
     rv = secMan->CheckSameOriginURI(mDocumentURI, url);
     NS_ENSURE_SUCCESS(rv, NS_OK);
 
     // Do content policy check
     PRInt16 decision = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_STYLESHEET,
                                    url,
-                                   mDocument->GetDocumentURI(),
+                                   nsnull,
+                                   mDocument->NodePrincipal(),
                                    aElement,
                                    type,
                                    nsnull,
                                    &decision,
-                                   nsContentUtils::GetContentPolicy());
+                                   nsContentUtils::GetContentPolicy(),
+                                   nsContentUtils::GetSecurityManager());
 
     NS_ENSURE_SUCCESS(rv, rv);
 
     if (NS_CP_REJECTED(decision)) {
       return NS_OK;
     }
 
     return LoadXSLStyleSheet(url);
--- a/content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp
+++ b/content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp
@@ -443,19 +443,21 @@ CheckLoadURI(nsIURI *aUri, nsIURI *aRefe
     NS_ENSURE_SUCCESS(rv, NS_ERROR_XSLT_LOAD_BLOCKED_ERROR);
 
     rv = securityManager->CheckSameOriginURI(aReferrerUri, aUri);
     NS_ENSURE_SUCCESS(rv, NS_ERROR_XSLT_LOAD_BLOCKED_ERROR);
 
     // Then do a content policy check.
     PRInt16 decision = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_STYLESHEET,
-                                   aUri, aReferrerUri, aContext,
+                                   aUri, nsnull, aReferrerPrincipal, aContext,
                                    NS_LITERAL_CSTRING("application/xml"), nsnull,
-                                   &decision);
+                                   &decision,
+                                   nsContentUtils::GetContentPolicy(),
+                                   nsContentUtils::GetSecurityManager());
     NS_ENSURE_SUCCESS(rv, rv);
 
     return NS_CP_REJECTED(decision) ? NS_ERROR_XSLT_LOAD_BLOCKED_ERROR : NS_OK;
 }
 
 class txCompileObserver : public txACompileObserver
 {
 public:
@@ -468,19 +470,19 @@ public:
 
     nsresult startLoad(nsIURI* aUri, txStylesheetCompiler* aCompiler,
                        nsIURI* aReferrerURI);
 
 protected:
     nsAutoRefCnt mRefCnt;
 
 private:
-    nsCOMPtr<nsIPrincipal> mCallerPrincipal;
     nsRefPtr<txMozillaXSLTProcessor> mProcessor;
     nsCOMPtr<nsILoadGroup> mLoadGroup;
+    nsCOMPtr<nsIPrincipal> mCallerPrincipal;
 
 protected:
     // This exists solely to suppress a warning from nsDerivedSafe
     txCompileObserver();
 };
 
 txCompileObserver::txCompileObserver(txMozillaXSLTProcessor* aProcessor,
                                      nsILoadGroup* aLoadGroup,
--- a/content/xul/document/src/nsXULDocument.cpp
+++ b/content/xul/document/src/nsXULDocument.cpp
@@ -3695,17 +3695,17 @@ nsXULDocument::AddPrototypeSheets()
     nsresult rv;
 
     const nsCOMArray<nsIURI>& sheets = mCurrentPrototype->GetStyleSheetReferences();
 
     for (PRInt32 i = 0; i < sheets.Count(); i++) {
         nsCOMPtr<nsIURI> uri = sheets[i];
 
         nsCOMPtr<nsICSSStyleSheet> incompleteSheet;
-        rv = CSSLoader()->LoadSheet(uri, mCurrentPrototype->GetURI(),
+        rv = CSSLoader()->LoadSheet(uri,
                                     mCurrentPrototype->DocumentPrincipal(),
                                     this, getter_AddRefs(incompleteSheet));
 
         // XXXldb We need to prevent bogus sheets from being held in the
         // prototype's list, but until then, don't propagate the failure
         // from LoadSheet (and thus exit the loop).
         if (NS_SUCCEEDED(rv)) {
             ++mPendingSheets;
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -6375,19 +6375,21 @@ nsDocShell::InternalLoad(nsIURI * aURI,
     } else {
         contentType = nsIContentPolicy::TYPE_DOCUMENT;
     }
 
     nsISupports* context = requestingElement;
     if (!context) {
         context =  mScriptGlobal;
     }
+    // XXXbz would be nice to know the loading principal here... but we don't
     rv = NS_CheckContentLoadPolicy(contentType,
                                    aURI,
                                    aReferrer,
+                                   nsnull,
                                    context,
                                    EmptyCString(), //mime guess
                                    nsnull,         //extra
                                    &shouldLoad);
 
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
         if (NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) {
             return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
--- a/docshell/base/nsWebShell.cpp
+++ b/docshell/base/nsWebShell.cpp
@@ -215,24 +215,20 @@ CheckPingURI(nsIURI* uri, nsIContent* co
   PRBool match;
   if ((NS_FAILED(uri->SchemeIs("http", &match)) || !match) &&
       (NS_FAILED(uri->SchemeIs("https", &match)) || !match)) {
     return PR_FALSE;
   }
 
   // Check with contentpolicy
   PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
-  nsIURI* docURI = nsnull;
-  nsIDocument* doc = content->GetOwnerDoc();
-  if (doc) {
-    docURI = doc->GetDocumentURI();
-  }
   rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_PING,
                                  uri,
-                                 docURI,
+                                 nsnull,
+                                 content->NodePrincipal(),
                                  content,
                                  EmptyCString(), // mime hint
                                  nsnull, //extra
                                  &shouldLoad);
   return NS_SUCCEEDED(rv) && NS_CP_ACCEPTED(shouldLoad);
 }
 
 typedef void (* ForEachPingCallback)(void *closure, nsIContent *content,
--- a/editor/libeditor/html/nsHTMLEditor.cpp
+++ b/editor/libeditor/html/nsHTMLEditor.cpp
@@ -3547,17 +3547,17 @@ nsHTMLEditor::ReplaceStyleSheet(const ns
   if (!ps) return NS_ERROR_NOT_INITIALIZED;
   nsIDocument *document = ps->GetDocument();
   if (!document)     return NS_ERROR_NULL_POINTER;
 
   nsCOMPtr<nsIURI> uaURI;
   rv = NS_NewURI(getter_AddRefs(uaURI), aURL);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  rv = cssLoader->LoadSheet(uaURI, nsnull, nsnull, this);
+  rv = cssLoader->LoadSheet(uaURI, nsnull, this);
   NS_ENSURE_SUCCESS(rv, rv);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHTMLEditor::RemoveStyleSheet(const nsAString &aURL)
 {
--- a/embedding/browser/webBrowser/Makefile.in
+++ b/embedding/browser/webBrowser/Makefile.in
@@ -64,16 +64,18 @@ REQUIRES	= xpcom \
 		  webshell \
 		  windowwatcher \
 		  webbrowserpersist \
 		  unicharutil \
 		  imglib2 \
 		  locale \
 		  embed_base \
 		  view \
+		  caps \
+		  xpconnect \
 		  $(NULL)
 
 ifdef MOZ_PHOENIX
 REQUIRES	+= toolkitcomps
 endif
 
 EXPORTS         = \
                 nsCTooltipTextProvider.h \
--- a/extensions/permissions/Makefile.in
+++ b/extensions/permissions/Makefile.in
@@ -55,16 +55,19 @@ REQUIRES	= xpcom \
 		  string \
 		  necko \
 		  dom \
 		  widget \
 		  content \
 		  layout \
 		  pref \
 		  docshell \
+		  caps \
+		  xpconnect \
+		  js \
 		  $(NULL)
 
 CPPSRCS		= \
 		  nsModuleFactory.cpp \
 		  nsContentBlocker.cpp \
 		  $(NULL)
 
 EXTRA_DSO_LDOPTS = \
--- a/layout/style/nsCSSLoader.cpp
+++ b/layout/style/nsCSSLoader.cpp
@@ -915,58 +915,56 @@ CSSLoaderImpl::IsAlternate(const nsAStri
 
   return !aTitle.Equals(mPreferredSheet);
 }
 
 /**
  * CheckLoadAllowed will return success if the load is allowed,
  * failure otherwise. 
  *
- * @param aSourceURI the uri of the document or parent sheet loading the sheet
  * @param aSourcePrincipal the principal of the node or document or parent
  *                         sheet loading the sheet
  * @param aTargetURI the uri of the sheet to be loaded
  * @param aContext the node owning the sheet.  This is the element or document
  *                 owning the stylesheet (possibly indirectly, for child sheets)
  */
 nsresult
-CSSLoaderImpl::CheckLoadAllowed(nsIURI* aSourceURI,
-                                nsIPrincipal* aSourcePrincipal,
+CSSLoaderImpl::CheckLoadAllowed(nsIPrincipal* aSourcePrincipal,
                                 nsIURI* aTargetURI,
                                 nsISupports* aContext)
 {
   LOG(("CSSLoaderImpl::CheckLoadAllowed"));
 
   nsresult rv;
   
   if (aSourcePrincipal) {
     // Check with the security manager
     nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
     rv =
       secMan->CheckLoadURIWithPrincipal(aSourcePrincipal, aTargetURI,
                                         nsIScriptSecurityManager::ALLOW_CHROME);
     if (NS_FAILED(rv)) { // failure is normal here; don't warn
       return rv;
     }
-  }
 
-  LOG(("  Passed security check"));
+    LOG(("  Passed security check"));
 
-  if (aSourceURI) {
     // Check with content policy
 
     PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_STYLESHEET,
                                    aTargetURI,
-                                   aSourceURI,
+                                   nsnull,
+                                   aSourcePrincipal,
                                    aContext,
                                    NS_LITERAL_CSTRING("text/css"),
                                    nsnull,                     //extra param
                                    &shouldLoad,
-                                   nsContentUtils::GetContentPolicy());
+                                   nsContentUtils::GetContentPolicy(),
+                                   nsContentUtils::GetSecurityManager());
 
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
       LOG(("  Load blocked by content policy"));
       return NS_ERROR_CONTENT_BLOCKED;
     }
   }
 
   return NS_OK;
@@ -1767,28 +1765,24 @@ CSSLoaderImpl::LoadStyleLink(nsIContent*
 
   if (!mEnabled) {
     LOG_WARN(("  Not enabled"));
     return NS_ERROR_NOT_AVAILABLE;
   }
   
   NS_ENSURE_TRUE(mDocument, NS_ERROR_NOT_INITIALIZED);
 
-  // Check whether we should even load
-  nsIURI *docURI = mDocument->GetDocumentURI();
-  if (!docURI) return NS_ERROR_FAILURE;
-
   nsIPrincipal* principal =
     aElement ? aElement->NodePrincipal() : mDocument->NodePrincipal();
 
   nsISupports* context = aElement;
   if (!context) {
     context = mDocument;
   }
-  nsresult rv = CheckLoadAllowed(docURI, principal, aURL, context);
+  nsresult rv = CheckLoadAllowed(principal, aURL, context);
   if (NS_FAILED(rv)) return rv;
 
   LOG(("  Passed load check"));
   
   StyleSheetState state;
   nsCOMPtr<nsICSSStyleSheet> sheet;
   rv = CreateSheet(aURL, aElement, principal, PR_FALSE, state,
                    getter_AddRefs(sheet));
@@ -1860,27 +1854,22 @@ CSSLoaderImpl::LoadChildSheet(nsICSSStyl
 
   if (!mEnabled) {
     LOG_WARN(("  Not enabled"));
     return NS_ERROR_NOT_AVAILABLE;
   }
   
   LOG_URI("  Child uri: '%s'", aURL);
 
-  // Check whether we should even load
-  nsCOMPtr<nsIURI> sheetURI;
-  nsresult rv = aParentSheet->GetSheetURI(getter_AddRefs(sheetURI));
-  if (NS_FAILED(rv) || !sheetURI) return NS_ERROR_FAILURE;
-
   nsCOMPtr<nsIDOMNode> owningNode;
 
   // check for an owning document: if none, don't bother walking up the parent
   // sheets
   nsCOMPtr<nsIDocument> owningDoc;
-  rv = aParentSheet->GetOwningDocument(*getter_AddRefs(owningDoc));
+  nsresult rv = aParentSheet->GetOwningDocument(*getter_AddRefs(owningDoc));
   if (NS_SUCCEEDED(rv) && owningDoc) {
     nsCOMPtr<nsIDOMStyleSheet> nextParentSheet(do_QueryInterface(aParentSheet));
     NS_ENSURE_TRUE(nextParentSheet, NS_ERROR_FAILURE); //Not a stylesheet!?
 
     nsCOMPtr<nsIDOMStyleSheet> topSheet;
     //traverse our way to the top-most sheet
     do {
       topSheet.swap(nextParentSheet);
@@ -1891,17 +1880,17 @@ CSSLoaderImpl::LoadChildSheet(nsICSSStyl
   }
 
   nsISupports* context = owningNode;
   if (!context) {
     context = mDocument;
   }
 
   nsIPrincipal* principal = aParentSheet->Principal();
-  rv = CheckLoadAllowed(sheetURI, principal, aURL, context);
+  rv = CheckLoadAllowed(principal, aURL, context);
   if (NS_FAILED(rv)) return rv;
 
   LOG(("  Passed load check"));
   
   SheetLoadData* parentData = nsnull;
   nsCOMPtr<nsICSSLoaderObserver> observer;
 
   PRInt32 count = mParsingDatas.Count();
@@ -1979,47 +1968,44 @@ CSSLoaderImpl::LoadChildSheet(nsICSSStyl
 }
 
 NS_IMETHODIMP
 CSSLoaderImpl::LoadSheetSync(nsIURI* aURL, PRBool aAllowUnsafeRules,
                              nsICSSStyleSheet** aSheet)
 {
   LOG(("CSSLoaderImpl::LoadSheetSync"));
   return InternalLoadNonDocumentSheet(aURL, aAllowUnsafeRules, nsnull,
-                                      nsnull, aSheet, nsnull);
+                                      aSheet, nsnull);
 }
 
 NS_IMETHODIMP
 CSSLoaderImpl::LoadSheet(nsIURI* aURL,
-                         nsIURI* aOriginURI,
                          nsIPrincipal* aOriginPrincipal,
                          nsICSSLoaderObserver* aObserver,
                          nsICSSStyleSheet** aSheet)
 {
   LOG(("CSSLoaderImpl::LoadSheet(aURL, aObserver, aSheet) api call"));
   NS_PRECONDITION(aSheet, "aSheet is null");
-  return InternalLoadNonDocumentSheet(aURL, PR_FALSE, aOriginURI,
-                                      aOriginPrincipal, aSheet, aObserver);
+  return InternalLoadNonDocumentSheet(aURL, PR_FALSE, aOriginPrincipal,
+                                      aSheet, aObserver);
 }
 
 NS_IMETHODIMP
 CSSLoaderImpl::LoadSheet(nsIURI* aURL,
-                         nsIURI* aOriginURI,
                          nsIPrincipal* aOriginPrincipal,
                          nsICSSLoaderObserver* aObserver)
 {
   LOG(("CSSLoaderImpl::LoadSheet(aURL, aObserver) api call"));
-  return InternalLoadNonDocumentSheet(aURL, PR_FALSE, aOriginURI,
-                                      aOriginPrincipal, nsnull, aObserver);
+  return InternalLoadNonDocumentSheet(aURL, PR_FALSE, aOriginPrincipal,
+                                      nsnull, aObserver);
 }
 
 nsresult
 CSSLoaderImpl::InternalLoadNonDocumentSheet(nsIURI* aURL, 
                                             PRBool aAllowUnsafeRules,
-                                            nsIURI* aOriginURI,
                                             nsIPrincipal* aOriginPrincipal,
                                             nsICSSStyleSheet** aSheet,
                                             nsICSSLoaderObserver* aObserver)
 {
   NS_PRECONDITION(aURL, "Must have a URI to load");
   NS_PRECONDITION(aSheet || aObserver, "Sheet and observer can't both be null");
   NS_ASSERTION(mParsingDatas.Count() == 0, "We're in the middle of a parse?");
 
@@ -2029,17 +2015,17 @@ CSSLoaderImpl::InternalLoadNonDocumentSh
     *aSheet = nsnull;
   }
   
   if (!mEnabled) {
     LOG_WARN(("  Not enabled"));
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  nsresult rv = CheckLoadAllowed(aOriginURI, aOriginPrincipal, aURL, mDocument);
+  nsresult rv = CheckLoadAllowed(aOriginPrincipal, aURL, mDocument);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   StyleSheetState state;
   nsCOMPtr<nsICSSStyleSheet> sheet;
   PRBool syncLoad = (aObserver == nsnull);
   
--- a/layout/style/nsCSSLoader.h
+++ b/layout/style/nsCSSLoader.h
@@ -337,23 +337,21 @@ public:
                             nsIURI* aURL, 
                             nsMediaList* aMedia,
                             nsICSSImportRule* aRule);
 
   NS_IMETHOD LoadSheetSync(nsIURI* aURL, PRBool aAllowUnsafeRules,
                            nsICSSStyleSheet** aSheet);
 
   NS_IMETHOD LoadSheet(nsIURI* aURL,
-                       nsIURI* aOriginURI,
                        nsIPrincipal* aOriginPrincipal,
                        nsICSSLoaderObserver* aObserver,
                        nsICSSStyleSheet** aSheet);
 
   NS_IMETHOD LoadSheet(nsIURI* aURL,
-                       nsIURI* aOriginURI,
                        nsIPrincipal* aOriginPrincipal,
                        nsICSSLoaderObserver* aObserver);
 
   // stop loading all sheets
   NS_IMETHOD Stop(void);
 
   // stop loading one sheet
   NS_IMETHOD StopLoadingSheet(nsIURI* aURL);
@@ -374,20 +372,19 @@ public:
 
   // local helper methods (some are public for access from statics)
 
   // IsAlternate can change our currently selected style set if none
   // is selected and aHasAlternateRel is false.
   PRBool IsAlternate(const nsAString& aTitle, PRBool aHasAlternateRel);
 
 private:
-  // Note: null aSourceURI or aSourcePrincipal indicates that the content
-  // policy or CheckLoadURI checks (respectively) should be skipped.
-  nsresult CheckLoadAllowed(nsIURI* aSourceURI,
-                            nsIPrincipal* aSourcePrincipal,
+  // Note: null aSourcePrincipal indicates that the content policy and
+  // CheckLoadURI checks should be skipped.
+  nsresult CheckLoadAllowed(nsIPrincipal* aSourcePrincipal,
                             nsIURI* aTargetURI,
                             nsISupports* aContext);
 
 
   // For inline style, the aURI param is null, but the aLinkingContent
   // must be non-null then.  The loader principal must never be null
   // if aURI is not null.
   nsresult CreateSheet(nsIURI* aURI,
@@ -413,17 +410,16 @@ private:
                             nsIDocument* aDocument);
 
   nsresult InsertChildSheet(nsICSSStyleSheet* aSheet,
                             nsICSSStyleSheet* aParentSheet,
                             nsICSSImportRule* aParentRule);
 
   nsresult InternalLoadNonDocumentSheet(nsIURI* aURL,
                                         PRBool aAllowUnsafeRules,
-                                        nsIURI* aOriginURI,
                                         nsIPrincipal* aOriginPrincipal,
                                         nsICSSStyleSheet** aSheet,
                                         nsICSSLoaderObserver* aObserver);
 
   // Post a load event for aObserver to be notified about aSheet.  The
   // notification will be sent with status NS_OK unless the load event is
   // canceled at some point (in which case it will be sent with
   // NS_BINDING_ABORTED).  aWasAlternate indicates the state when the load was
--- a/layout/style/nsICSSLoader.h
+++ b/layout/style/nsICSSLoader.h
@@ -53,20 +53,20 @@ class nsIContent;
 class nsIDocument;
 class nsIUnicharInputStream;
 class nsICSSLoaderObserver;
 class nsMediaList;
 class nsICSSImportRule;
 class nsIPrincipal;
 
 // IID for the nsICSSLoader interface
-// eed4ac28-0add-43a7-84bf-fb53109ae40c
+// 0c6d7e76-dddc-4727-b557-7ef531127e11
 #define NS_ICSS_LOADER_IID     \
-{ 0xeed4ac28, 0x0add, 0x43a7, \
- { 0x84, 0xbf, 0xfb, 0x53, 0x10, 0x9a, 0xe4, 0x0c } }
+{ 0x0c6d7e76, 0xdddc, 0x4727, \
+ { 0xb5, 0x57, 0x7e, 0xf5, 0x31, 0x12, 0x7e, 0x11 } }
 
 typedef void (*nsCSSLoaderCallbackFunc)(nsICSSStyleSheet* aSheet, void *aData, PRBool aDidNotify);
 
 class nsICSSLoader : public nsISupports {
 public:
   NS_DECLARE_STATIC_IID_ACCESSOR(NS_ICSS_LOADER_IID)
 
   NS_IMETHOD Init(nsIDocument* aDocument) = 0;
@@ -198,39 +198,34 @@ public:
 
   /**
    * Asynchronously load the stylesheet at aURL.  If a successful result is
    * returned, aObserver is guaranteed to be notified asynchronously once the
    * sheet is loaded and marked complete.  This method can be used to load
    * sheets not associated with a document.
    *
    * @param aURL the URL of the sheet to load
-   * @param aOriginURI the URI the load originated from, for content policy
-   *                   checks.  This can be null to indicate that these checks
-   *                   should be skipped.
    * @param aOriginPrincipal the principal to use for security checks.  This
    *                         can be null to indicate that these checks should
    *                         be skipped.
    * @param aObserver the observer to notify when the load completes.
    *                  Must not be null.
    * @param [out] aSheet the sheet to load. Note that the sheet may well
    *              not be loaded by the time this method returns.
    */
   NS_IMETHOD LoadSheet(nsIURI* aURL,
-                       nsIURI* aOriginURI,
                        nsIPrincipal* aOriginPrincipal,
                        nsICSSLoaderObserver* aObserver,
                        nsICSSStyleSheet** aSheet) = 0;
 
   /**
    * Same as above, to be used when the caller doesn't care about the
    * not-yet-loaded sheet.
    */
   NS_IMETHOD LoadSheet(nsIURI* aURL,
-                       nsIURI* aOriginURI,
                        nsIPrincipal* aOriginPrincipal,
                        nsICSSLoaderObserver* aObserver) = 0;
 
   /**
    * Stop loading all sheets.  All nsICSSLoaderObservers involved will be
    * notified with NS_BINDING_ABORTED as the status, possibly synchronously.
    */
   NS_IMETHOD Stop(void) = 0;
--- a/modules/plugin/base/src/nsPluginHostImpl.cpp
+++ b/modules/plugin/base/src/nsPluginHostImpl.cpp
@@ -3452,17 +3452,18 @@ NS_IMETHODIMP nsPluginHostImpl::Instanti
 
     nsCOMPtr<nsIDOMElement> elem;
     pti2->GetDOMElement(getter_AddRefs(elem));
 
     PRInt16 shouldLoad = nsIContentPolicy::ACCEPT; // default permit
     nsresult rv =
       NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_OBJECT,
                                 aURL,
-                                doc->GetDocumentURI(),
+                                nsnull,
+                                doc->NodePrincipal(),
                                 elem,
                                 nsDependentCString(aMimeType ? aMimeType : ""),
                                 nsnull, //extra
                                 &shouldLoad);
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad))
       return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
   }
 
@@ -5904,17 +5905,18 @@ NS_IMETHODIMP nsPluginHostImpl::NewPlugi
     nsCOMPtr<nsIPluginTagInfo2> pti2 = do_QueryInterface(owner);
     nsCOMPtr<nsIDOMElement> element;
     if (pti2)
       pti2->GetDOMElement(getter_AddRefs(element));
 
     PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_OBJECT_SUBREQUEST,
                                    url,
-                                   (doc ? doc->GetDocumentURI() : nsnull),
+                                   nsnull,
+                                   (doc ? doc->NodePrincipal() : nsnull),
                                    element,
                                    EmptyCString(), //mime guess
                                    nsnull,         //extra
                                    &shouldLoad);
     if (NS_FAILED(rv)) return rv;
     if (NS_CP_REJECTED(shouldLoad)) {
       // Disallowed by content policy
       return NS_ERROR_CONTENT_BLOCKED;