backout due to orange
authorjonas@sicking.cc
Thu, 26 Jul 2007 16:34:22 -0700
changeset 4054 ff24e969a342dd8c7cbe8a5e5e87bb11c9858370
parent 4053 16b575f2bc46c2069f6c2c4c6eea82eed3826a0c
child 4055 e7cdfb773e47aa3400533670dbc95141d4f666e5
push id1
push userroot
push dateTue, 26 Apr 2011 22:38:44 +0000
milestone1.9a7pre
backout due to orange
content/base/public/nsIDocument.h
content/base/src/Makefile.in
content/base/src/nsDocument.cpp
content/base/src/nsGenericElement.cpp
content/base/src/nsObjectLoadingContent.cpp
content/base/src/nsParserUtils.cpp
content/base/src/nsParserUtils.h
content/base/src/nsXMLHttpRequest.cpp
content/base/src/nsXMLHttpRequest.h
content/base/test/Makefile.in
content/html/document/src/nsHTMLDocument.cpp
content/html/document/src/nsHTMLDocument.h
content/html/document/src/nsIHTMLDocument.h
content/xml/document/src/nsXMLDocument.cpp
content/xml/document/src/nsXMLDocument.h
modules/libpref/src/init/all.js
--- a/content/base/public/nsIDocument.h
+++ b/content/base/public/nsIDocument.h
@@ -659,16 +659,21 @@ public:
   {
     return PR_TRUE;
   }
 
   virtual PRBool IsScriptEnabled() = 0;
 
   virtual nsresult AddXMLEventsContent(nsIContent * aXMLEventsElement) = 0;
 
+  virtual PRBool IsLoadedAsData()
+  {
+    return PR_FALSE;
+  }
+
   /**
    * Create an element with the specified name, prefix and namespace ID.
    * If aDocumentDefaultType is true we create an element of the default type
    * for that document (currently XHTML in HTML documents and XUL in XUL
    * documents), otherwise we use the type specified by the namespace ID.
    */
   virtual nsresult CreateElem(nsIAtom *aName, nsIAtom *aPrefix,
                               PRInt32 aNamespaceID,
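Review bot: The new virtual `IsLoadedAsData()` has no doc comment, and its base implementation returns `PR_FALSE`, so any document class that does not override it reports itself as a normally loaded document. The member comment removed elsewhere in this file tied the flag to scripts and plugins being disabled, so the default answer is the permissive one. A comment should record the contract, e.g. `// Returns PR_TRUE if the document was loaded as data; classes that support data loads must override this.` The overriding classes are not visible in this hunk, so which documents actually return PR_TRUE needs to be confirmed there.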
@@ -866,21 +871,17 @@ public:
 
   /**
    * Gets the cycle collector generation this document is marked for.
    */
   PRUint32 GetMarkedCCGeneration()
   {
     return mMarkedCCGeneration;
   }
-
-  PRBool IsLoadedAsData()
-  {
-    return mLoadedAsData;
-  }
+  
 
 protected:
   ~nsIDocument()
   {
     // XXX The cleanup of mNodeInfoManager (calling DropDocumentReference and
     //     releasing it) happens in the nsDocument destructor. We'd prefer to
     //     do it here but nsNodeInfoManager is a concrete class that we don't
     //     want to expose to users of the nsIDocument API outside of Gecko.
@@ -934,20 +935,16 @@ protected:
   // True if this document is the initial document for a window.  This should
   // basically be true only for documents that exist in newly-opened windows or
   // documents created to satisfy a GetDocument() on a window when there's no
   // document in it.
   PRPackedBool mIsInitialDocumentInWindow;
 
   PRPackedBool mShellsAreHidden;
 
-  // True if we're loaded as data and therefor has any dangerous stuff, such
-  // as scripts and plugins, disabled.
-  PRPackedBool mLoadedAsData;
-
   // The bidi options for this document.  What this bitfield means is
   // defined in nsBidiUtils.h
   PRUint32 mBidiOptions;
 
   nsCString mContentLanguage;
   nsCString mContentType;
 
   // The document's security info
--- a/content/base/src/Makefile.in
+++ b/content/base/src/Makefile.in
@@ -108,17 +108,16 @@ CPPSRCS		= \
 		nsCommentNode.cpp \
 		nsContentAreaDragDrop.cpp \
 		nsContentIterator.cpp \
 		nsContentList.cpp \
 		nsContentPolicy.cpp \
 		nsContentSink.cpp \
 		nsContentUtils.cpp \
 		nsCopySupport.cpp \
-		nsCrossSiteListenerProxy.cpp \
 		nsDataDocumentContentPolicy.cpp \
 		nsDOMAttribute.cpp \
 		nsDOMAttributeMap.cpp \
 		nsDOMDocumentType.cpp \
 		nsDOMFile.cpp \
 		nsDOMLists.cpp \
 		nsDOMParser.cpp \
 		nsDOMSerializer.cpp \
--- a/content/base/src/nsDocument.cpp
+++ b/content/base/src/nsDocument.cpp
@@ -1423,29 +1423,16 @@ nsDocument::StartDocumentLoad(const char
     aChannel->GetURI(getter_AddRefs(uri));
     nsCAutoString spec;
     if (uri)
       uri->GetSpec(spec);
     PR_LogPrint("DOCUMENT %p StartDocumentLoad %s", this, spec.get());
   }
 #endif
 
-  if (nsCRT::strcmp(kLoadAsData, aCommand) == 0) {
-    mLoadedAsData = PR_TRUE;
-    // We need to disable script & style loading in this case.
-    // We leave them disabled even in EndLoad(), and let anyone
-    // who puts the document on display to worry about enabling.
-
-    // Do not load/process scripts when loading as data
-    ScriptLoader()->SetEnabled(PR_FALSE);
-
-    // styles
-    CSSLoader()->SetEnabled(PR_FALSE); // Do not load/process styles when loading as data
-  }
-
   if (aReset) {
     Reset(aChannel, aLoadGroup);
   }
 
   nsCAutoString contentType;
   if (NS_SUCCEEDED(aChannel->GetContentType(contentType))) {
     // XXX this is only necessary for viewsource:
     nsACString::const_iterator start, end, semicolon;
--- a/content/base/src/nsGenericElement.cpp
+++ b/content/base/src/nsGenericElement.cpp
@@ -3421,34 +3421,29 @@ nsGenericElement::LeaveLink(nsPresContex
   return handler->OnLeaveLink();
 }
 
 nsresult
 nsGenericElement::AddScriptEventListener(nsIAtom* aEventName,
                                          const nsAString& aValue,
                                          PRBool aDefer)
 {
-  nsIDocument *ownerDoc = GetOwnerDoc();
-  if (!ownerDoc || ownerDoc->IsLoadedAsData()) {
-    // Make this a no-op rather than throwing an error to avoid
-    // the error causing problems setting the attribute.
-    return NS_OK;
-  }
-
   NS_PRECONDITION(aEventName, "Must have event name!");
   nsCOMPtr<nsISupports> target;
   PRBool defer = PR_TRUE;
   nsCOMPtr<nsIEventListenerManager> manager;
 
   nsresult rv = GetEventListenerManagerForAttr(getter_AddRefs(manager),
                                                getter_AddRefs(target),
                                                &defer);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (manager) {
+    nsIDocument *ownerDoc = GetOwnerDoc();
+
     defer = defer && aDefer; // only defer if everyone agrees...
 
     PRUint32 lang = GetScriptTypeID();
     rv =
       manager->AddScriptEventListener(target, aEventName, aValue, lang, defer,
                                       !nsContentUtils::IsChromeDoc(ownerDoc));
   }
 
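Review bot: `ownerDoc` is no longer null-checked before it reaches `nsContentUtils::IsChromeDoc(ownerDoc)`. The removed lines returned early when `GetOwnerDoc()` gave null, whereas the new code fetches it inside `if (manager)` and passes it straight through. IsChromeDoc is not visible here, so confirm that it tolerates a null document; if it does, a comment such as `// ownerDoc may be null; IsChromeDoc treats that as non-chrome` would record the assumption. With the `IsLoadedAsData()` early return gone, this function no longer skips elements of data-loaded documents, so event-handler attributes there are handed to the listener manager unless another layer disables script; that is worth stating in the function comment. The function body continues past the hunk.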
--- a/content/base/src/nsObjectLoadingContent.cpp
+++ b/content/base/src/nsObjectLoadingContent.cpp
@@ -842,21 +842,16 @@ nsObjectLoadingContent::LoadObject(nsIUR
       // non-null here if onStartRequest was already called.
       mFinalListener->OnStopRequest(mChannel, nsnull, NS_BINDING_ABORTED);
       mFinalListener = nsnull;
     }
     mChannel = nsnull;
   }
 
   // Security checks
-  if (doc->IsLoadedAsData()) {
-    Fallback(PR_FALSE);
-    return NS_OK;
-  }
-
   // Can't do security checks without a URI - hopefully the plugin will take
   // care of that
   // Null URIs happen when the URL to load is specified via other means than the
   // data/src attribute, for example via custom <param> elements.
   if (aURI) {
     nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
     NS_ASSERTION(secMan, "No security manager!?");
     nsresult rv =
--- a/content/base/src/nsParserUtils.cpp
+++ b/content/base/src/nsParserUtils.cpp
@@ -42,80 +42,77 @@
 #include "nsParserUtils.h"
 #include "nsIParser.h" // for kQuote et. al.
 #include "jsapi.h"
 #include "nsReadableUtils.h"
 #include "nsCRT.h"
 #include "nsContentUtils.h"
 #include "nsIParserService.h"
 
-#define SKIP_WHITESPACE(iter, end_iter, end_res)                 \
+#define SKIP_WHITESPACE(iter, end_iter)                          \
   while ((iter) != (end_iter) && nsCRT::IsAsciiSpace(*(iter))) { \
     ++(iter);                                                    \
   }                                                              \
-  if ((iter) == (end_iter)) {                                    \
-    return (end_res);                                            \
-  }
+  if ((iter) == (end_iter))                                      \
+    break
 
 #define SKIP_ATTR_NAME(iter, end_iter)                            \
   while ((iter) != (end_iter) && !nsCRT::IsAsciiSpace(*(iter)) && \
          *(iter) != '=') {                                        \
     ++(iter);                                                     \
-  }
+  }                                                               \
+  if ((iter) == (end_iter))                                       \
+    break
 
 PRBool
 nsParserUtils::GetQuotedAttributeValue(const nsString& aSource, nsIAtom *aName,
                                        nsAString& aValue)
 {
   aValue.Truncate();
 
   const PRUnichar *start = aSource.get();
   const PRUnichar *end = start + aSource.Length();
   const PRUnichar *iter;
   
   while (start != end) {
-    SKIP_WHITESPACE(start, end, PR_FALSE)
+    SKIP_WHITESPACE(start, end);
     iter = start;
-    SKIP_ATTR_NAME(iter, end)
-
-    if (start == iter) {
-      return PR_FALSE;
-    }
+    SKIP_ATTR_NAME(iter, end);
 
     // Remember the attr name.
     const nsDependentSubstring & attrName = Substring(start, iter);
 
     // Now check whether this is a valid name="value" pair.
     start = iter;
-    SKIP_WHITESPACE(start, end, PR_FALSE)
+    SKIP_WHITESPACE(start, end);
     if (*start != '=') {
       // No '=', so this is not a name="value" pair.  We don't know
       // what it is, and we have no way to handle it.
-      return PR_FALSE;
+      break;
     }
     
     // Have to skip the value.
     ++start;
-    SKIP_WHITESPACE(start, end, PR_FALSE)
+    SKIP_WHITESPACE(start, end);
     PRUnichar q = *start;
     if (q != kQuote && q != kApostrophe) {
       // Not a valid quoted value, so bail.
-      return PR_FALSE;
+      break;
     }
     
     ++start;  // Point to the first char of the value.
     iter = start;
 
     while (iter != end && *iter != q) {
       ++iter;
     }
 
     if (iter == end) {
       // Oops, unterminated quoted string.
-      return PR_FALSE;
+      break;
     }
 
     // At this point attrName holds the name of the "attribute" and
     // the value is between start and iter.
     
     if (aName->Equals(attrName)) {
       nsIParserService* parserService = nsContentUtils::GetParserService();
       NS_ENSURE_TRUE(parserService, PR_FALSE);
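Review bot: `SKIP_WHITESPACE` and `SKIP_ATTR_NAME` now expand to a `while` loop followed by an unbraced `if (...) break`, so each use is two statements with a hidden jump out of whatever loop encloses it. That is correct for the direct uses in the `while (start != end)` body here, but it would misbehave under an unbraced `if` or inside a nested loop or `switch`. A comment on the macros such as `// Expands to two statements and may 'break'; use only directly inside the scanning loop`, or an `#undef` after the function, would keep later uses safe. Separately, the `if (start == iter)` check is gone, so a pseudo-attribute with an empty name (input beginning with `=`) is now scanned as a pair instead of being rejected. GetQuotedAttributeValue continues beyond the hunk.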
@@ -166,84 +163,16 @@ nsParserUtils::GetQuotedAttributeValue(c
     // Resume scanning after the end of the attribute value (past the quote
     // char).
     start = iter + 1;
   }
 
   return PR_FALSE;
 }
 
-PRBool
-nsParserUtils::GetQuotedAttrNameAt(const nsString& aSource, PRUint32 aIndex,
-                                   nsAString& aName)
-{
-  aName.Truncate();
-
-  const PRUnichar *start = aSource.get();
-  const PRUnichar *end = start + aSource.Length();
-  const PRUnichar *iter;
-  PRUint32 currIndex = 0;
-  
-  for (;;) {
-    SKIP_WHITESPACE(start, end, PR_TRUE)
-
-    iter = start;
-    SKIP_ATTR_NAME(iter, end)
-
-    if (start == iter) {
-      return PR_FALSE;
-    }
-
-    // Remember the attr name.
-    const nsDependentSubstring & attrName = Substring(start, iter);
-
-    // Now check whether this is a valid name="value" pair.
-    start = iter;
-    SKIP_WHITESPACE(start, end, PR_FALSE);
-    if (*start != '=') {
-      // No '=', so this is not a name="value" pair.  We don't know
-      // what it is, and we have no way to handle it.
-      return PR_FALSE;
-    }
-    
-    // Have to skip the value.
-    ++start;
-    SKIP_WHITESPACE(start, end, PR_FALSE);
-    PRUnichar q = *start;
-    if (q != kQuote && q != kApostrophe) {
-      // Not a valid quoted value, so bail.
-      return PR_FALSE;
-    }
-    
-    // Scan to the end of the value.
-    do {
-      ++start;
-    } while (start != end && *start != q);
-
-    if (start == end) {
-      // Oops, unterminated quoted string.
-      return PR_FALSE;
-    }
-
-    // At this point attrName holds the name of the "attribute"
-    
-    if (aIndex == currIndex) {
-      aName = attrName;
-
-      return PR_TRUE;
-    }
-
-    // Resume scanning after the end of the attribute value (past the quote
-    // char).
-    ++start;
-    ++currIndex;
-  }
-
-  return PR_TRUE;
-}
 
 // Returns PR_TRUE if the language name is a version of JavaScript and
 // PR_FALSE otherwise
 PRBool
 nsParserUtils::IsJavaScriptLanguage(const nsString& aName, PRUint32 *aFlags)
 {
   JSVersion version = JSVERSION_UNKNOWN;
 
--- a/content/base/src/nsParserUtils.h
+++ b/content/base/src/nsParserUtils.h
@@ -52,42 +52,21 @@ public:
    * with the name specified in aName. See
    * http://www.w3.org/TR/xml-stylesheet/#NT-StyleSheetPI for the specification
    * which is used to parse aSource.
    *
    * @param aSource the string to parse
    * @param aName the name of the attribute to get the value for
    * @param aValue [out] the value for the attribute with name specified in
    *                     aAttribute. Empty if the attribute isn't present.
-   * @return PR_TRUE  if the attribute exists and was successfully parsed.
-   *         PR_FALSE if the attribute doesn't exist, or has a malformed
-   *                  value, such as an unknown or unterminated entity.
    */
   static PRBool
   GetQuotedAttributeValue(const nsString& aSource, nsIAtom *aName,
                           nsAString& aValue);
 
-  /**
-   * This will parse aSource, to extract the name of the pseudo attribute
-   * at the specified index. See
-   * http://www.w3.org/TR/xml-stylesheet/#NT-StyleSheetPI for the specification
-   * which is used to parse aSource.
-   *
-   * @param aSource the string to parse
-   * @param aIndex the index of the attribute to get the value for
-   * @param aName [out] the name for the attribute with specified index.
-   *                    Empty if there aren't enough attributes.
-   * @return PR_TRUE if parsing succeeded, even if there aren't enough
-   *                 attributes.
-   *         PR_FALSE if parsing failed.
-   */
-  static PRBool
-  GetQuotedAttrNameAt(const nsString& aSource, PRUint32 aIndex,
-                      nsAString& aName);
-
   static PRBool
   IsJavaScriptLanguage(const nsString& aName, PRUint32 *aVerFlags);
 
   static void
   SplitMimeType(const nsAString& aValue, nsString& aType,
                 nsString& aParams);
 };
 
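Review bot: The doc comment for `GetQuotedAttributeValue` loses its `@return` text although the function still returns `PRBool`. In the implementation every malformed-input path visible in this changeset now falls through to `return PR_FALSE`, so the header should say so, for example `@return PR_TRUE if the attribute was found and parsed, PR_FALSE otherwise (including malformed input)`. The success path is outside the visible hunks, so the wording should be checked against it.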
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -78,20 +78,17 @@
 #include "nsCOMArray.h"
 #include "nsDOMClassInfo.h"
 #include "nsIScriptableUConv.h"
 #include "nsCycleCollectionParticipant.h"
 #include "nsIContentPolicy.h"
 #include "nsContentPolicyUtils.h"
 #include "nsContentErrors.h"
 #include "nsLayoutStatics.h"
-#include "nsCrossSiteListenerProxy.h"
 #include "nsDOMError.h"
-#include "nsIHTMLDocument.h"
-#include "nsWhitespaceTokenizer.h"
 
 #define LOAD_STR "load"
 #define ERROR_STR "error"
 #define PROGRESS_STR "progress"
 #define UPLOADPROGRESS_STR "uploadprogress"
 #define READYSTATE_STR "readystatechange"
 
 // CIDs
@@ -104,23 +101,19 @@
 #define XML_HTTP_REQUEST_COMPLETED      (1 << 4)  // 4
 #define XML_HTTP_REQUEST_SENT           (1 << 5)  // Internal, LOADING in IE and external view
 #define XML_HTTP_REQUEST_STOPPED        (1 << 6)  // Internal, INTERACTIVE in IE and external view
 // The above states are mutually exclusive, change with ChangeState() only.
 // The states below can be combined.
 #define XML_HTTP_REQUEST_ABORTED        (1 << 7)  // Internal
 #define XML_HTTP_REQUEST_ASYNC          (1 << 8)  // Internal
 #define XML_HTTP_REQUEST_PARSEBODY      (1 << 9)  // Internal
-#define XML_HTTP_REQUEST_XSITEENABLED   (1 << 10) // Internal, Is any cross-site request allowed?
-                                                  //           Even if this is false the
-                                                  //           access-control spec is supported
+#define XML_HTTP_REQUEST_XSITEENABLED   (1 << 10) // Internal
 #define XML_HTTP_REQUEST_SYNCLOOPING    (1 << 11) // Internal
 #define XML_HTTP_REQUEST_MULTIPART      (1 << 12) // Internal
-#define XML_HTTP_REQUEST_USE_XSITE_AC   (1 << 13) // Internal
-#define XML_HTTP_REQUEST_NON_GET        (1 << 14) // Internal
 
 #define XML_HTTP_REQUEST_LOADSTATES         \
   (XML_HTTP_REQUEST_UNINITIALIZED |         \
    XML_HTTP_REQUEST_OPENED |                \
    XML_HTTP_REQUEST_LOADED |                \
    XML_HTTP_REQUEST_INTERACTIVE |           \
    XML_HTTP_REQUEST_COMPLETED |             \
    XML_HTTP_REQUEST_SENT |                  \
@@ -222,124 +215,16 @@ nsMultipartProxyListener::OnDataAvailabl
                                           nsIInputStream *inStr,
                                           PRUint32 sourceOffset,
                                           PRUint32 count)
 {
   return mDestListener->OnDataAvailable(aRequest, ctxt, inStr, sourceOffset,
                                         count);
 }
 
-// Class used as streamlistener and notification callback when
-// doing the initial GET request for an access-control check
-class nsACProxyListener : public nsIStreamListener,
-                          public nsIInterfaceRequestor,
-                          public nsIChannelEventSink
-{
-public:
-  nsACProxyListener(nsIChannel* aOuterChannel,
-                    nsIStreamListener* aOuterListener,
-                    nsISupports* aOuterContext,
-                    const nsACString& aRequestMethod)
-   : mOuterChannel(aOuterChannel), mOuterListener(aOuterListener),
-     mOuterContext(aOuterContext), mRequestMethod(aRequestMethod)
-  { }
-
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSISTREAMLISTENER
-  NS_DECL_NSIREQUESTOBSERVER
-  NS_DECL_NSIINTERFACEREQUESTOR
-  NS_DECL_NSICHANNELEVENTSINK
-
-private:
-  nsCOMPtr<nsIChannel> mOuterChannel;
-  nsCOMPtr<nsIStreamListener> mOuterListener;
-  nsCOMPtr<nsISupports> mOuterContext;
-  nsCString mRequestMethod;
-};
-
-NS_IMPL_ISUPPORTS4(nsACProxyListener, nsIStreamListener, nsIRequestObserver,
-                   nsIInterfaceRequestor, nsIChannelEventSink)
-
-NS_IMETHODIMP
-nsACProxyListener::OnStartRequest(nsIRequest *aRequest, nsISupports *aContext)
-{
-  nsresult status;
-  nsresult rv = aRequest->GetStatus(&status);
-
-  if (NS_SUCCEEDED(rv)) {
-    rv = status;
-  }
-
-  nsCOMPtr<nsIHttpChannel> http;
-  if (NS_SUCCEEDED(rv)) {
-    http = do_QueryInterface(aRequest, &rv);
-  }
-  if (NS_SUCCEEDED(rv)) {
-    rv = NS_ERROR_DOM_BAD_URI;
-    nsCString allow;
-    http->GetResponseHeader(NS_LITERAL_CSTRING("Allow"), allow);
-    nsCWhitespaceTokenizer tok(allow);
-    while (tok.hasMoreTokens()) {
-      if (mRequestMethod.Equals(tok.nextToken(),
-                                nsCaseInsensitiveCStringComparator())) {
-        rv = NS_OK;
-        break;
-      }
-    }
-  }
-
-  if (NS_SUCCEEDED(rv)) {
-    rv = mOuterChannel->AsyncOpen(mOuterListener, mOuterContext);
-  }
-
-  if (NS_FAILED(rv)) {
-    mOuterChannel->Cancel(rv);
-    mOuterListener->OnStartRequest(mOuterChannel, mOuterContext);
-    mOuterListener->OnStopRequest(mOuterChannel, mOuterContext, rv);
-    
-    return rv;
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsACProxyListener::OnStopRequest(nsIRequest *aRequest, nsISupports *aContext,
-                                 nsresult aStatus)
-{
-  return NS_OK;
-}
-
-/** nsIStreamListener methods **/
-
-NS_IMETHODIMP
-nsACProxyListener::OnDataAvailable(nsIRequest *aRequest,
-                                   nsISupports *ctxt,
-                                   nsIInputStream *inStr,
-                                   PRUint32 sourceOffset,
-                                   PRUint32 count)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsACProxyListener::OnChannelRedirect(nsIChannel *aOldChannel,
-                                     nsIChannel *aNewChannel,
-                                     PRUint32 aFlags)
-{
-  // No redirects allowed for now.
-  return NS_ERROR_DOM_BAD_URI;
-}
-
-NS_IMETHODIMP
-nsACProxyListener::GetInterface(const nsIID & aIID, void **aResult)
-{
-  return QueryInterface(aIID, aResult);
-}
-
 
 static nsIScriptContext *
 GetCurrentContext()
 {
   // Get JSContext from stack.
   nsCOMPtr<nsIJSContextStack> stack =
     do_GetService("@mozilla.org/js/xpc/ContextStack;1");
 
@@ -877,19 +762,16 @@ NS_IMETHODIMP
 nsXMLHttpRequest::Abort()
 {
   if (mReadRequest) {
     mReadRequest->Cancel(NS_BINDING_ABORTED);
   }
   if (mChannel) {
     mChannel->Cancel(NS_BINDING_ABORTED);
   }
-  if (mACGetChannel) {
-    mACGetChannel->Cancel(NS_BINDING_ABORTED);
-  }
   mDocument = nsnull;
   mState |= XML_HTTP_REQUEST_ABORTED;
 
   ChangeState(XML_HTTP_REQUEST_COMPLETED, PR_TRUE, PR_TRUE);
 
   // The ChangeState call above calls onreadystatechange handlers which
   // if they load a new url will cause nsXMLHttpRequest::OpenRequest to clear
   // the abort state bit. If this occurs we're not uninitialized (bug 361773).
@@ -902,20 +784,16 @@ nsXMLHttpRequest::Abort()
 
 /* string getAllResponseHeaders (); */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetAllResponseHeaders(char **_retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
   *_retval = nsnull;
 
-  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-    return NS_OK;
-  }
-
   nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();
 
   if (httpChannel) {
     nsHeaderVisitor *visitor = nsnull;
     NS_NEWXPCOM(visitor, nsHeaderVisitor);
     if (!visitor)
       return NS_ERROR_OUT_OF_MEMORY;
     NS_ADDREF(visitor);
@@ -934,36 +812,16 @@ nsXMLHttpRequest::GetAllResponseHeaders(
 /* ACString getResponseHeader (in AUTF8String header); */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseHeader(const nsACString& header,
                                     nsACString& _retval)
 {
   nsresult rv = NS_OK;
   _retval.Truncate();
 
-  // Check for dangerous headers
-  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-    const char *kCrossOriginSafeHeaders[] = {
-      "Cache-Control", "Content-Language", "Content-Type", "Expires",
-      "Last-Modified", "Pragma"
-    };
-    PRBool safeHeader = PR_FALSE;
-    PRUint32 i;
-    for (i = 0; i < NS_ARRAY_LENGTH(kCrossOriginSafeHeaders); ++i) {
-      if (header.LowerCaseEqualsASCII(kCrossOriginSafeHeaders[i])) {
-        safeHeader = PR_TRUE;
-        break;
-      }
-    }
-
-    if (!safeHeader) {
-      return NS_OK;
-    }
-  }
-
   nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();
 
   if (httpChannel) {
     rv = httpChannel->GetResponseHeader(header, _retval);
   }
 
   if (rv == NS_ERROR_NOT_AVAILABLE) {
     // Means no header
@@ -1125,99 +983,35 @@ nsXMLHttpRequest::GetCurrentHttpChannel(
 
   if (!httpChannel && mChannel) {
     CallQueryInterface(mChannel, &httpChannel);
   }
 
   return httpChannel;
 }
 
-static PRBool
-IsSameOrigin(nsIPrincipal* aPrincipal, nsIChannel* aChannel)
-{
-  nsCOMPtr<nsIURI> codebase;
-  nsresult rv = aPrincipal->GetURI(getter_AddRefs(codebase));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCOMPtr<nsIURI> channelURI;
-  rv = aChannel->GetURI(getter_AddRefs(channelURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = nsContentUtils::GetSecurityManager()->CheckSameOriginURI(codebase, channelURI);
-  return NS_SUCCEEDED(rv);
-}
-
-nsresult
-nsXMLHttpRequest::CheckChannelForCrossSiteRequest()
-{
-  // First check if this is a same-origin request, or if cross-site requests
-  // are enabled.
-  if ((mState & XML_HTTP_REQUEST_XSITEENABLED) ||
-      IsSameOrigin(mPrincipal, mChannel)) {
-    return NS_OK;
-  }
-
-  // This is a cross-site request
-
-  // The request is now cross-site, so update flag.
-  mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
-
-  // Remove dangerous headers and set XMLHttpRequest-Security-Check
-  nsCOMPtr<nsIHttpChannel> http = do_QueryInterface(mChannel);
-  if (http) {
-    PRUint32 i;
-    for (i = 0; i < mExtraRequestHeaders.Length(); ++i) {
-      http->SetRequestHeader(mExtraRequestHeaders[i], EmptyCString(), PR_FALSE);
-    }
-    mExtraRequestHeaders.Clear();
-  }
-
-  // Cancel if username/password is supplied to avoid brute-force password
-  // hacking
-  nsCOMPtr<nsIURI> channelURI;
-  nsresult rv = mChannel->GetURI(getter_AddRefs(channelURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCString userpass;
-  channelURI->GetUserPass(userpass);
-  return userpass.IsEmpty() ? NS_OK : NS_ERROR_DOM_BAD_URI;
-}
 
 /* noscript void openRequest (in AUTF8String method, in AUTF8String url, in boolean async, in AString user, in AString password); */
 NS_IMETHODIMP
 nsXMLHttpRequest::OpenRequest(const nsACString& method,
                               const nsACString& url,
                               PRBool async,
                               const nsAString& user,
                               const nsAString& password)
 {
   NS_ENSURE_ARG(!method.IsEmpty());
   NS_ENSURE_ARG(!url.IsEmpty());
 
   // Disallow HTTP/1.1 TRACE method (see bug 302489)
   // and MS IIS equivalent TRACK (see bug 381264)
-  if (method.LowerCaseEqualsLiteral("trace") ||
-      method.LowerCaseEqualsLiteral("track")) {
+  if (method.LowerCaseEqualsASCII("trace") ||
+      method.LowerCaseEqualsASCII("track")) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  // Get the principal.
-  // XXX This should be done at construction time.
-  nsCOMPtr<nsIDocument> doc =
-    do_QueryInterface(nsContentUtils::GetDocumentFromCaller());
-  if (doc) {
-    mPrincipal = doc->NodePrincipal();
-  }
-  else {
-    nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
-    if (secMan) {
-      secMan->GetSubjectPrincipal(getter_AddRefs(mPrincipal));
-    }
-  }
-
   nsresult rv;
   nsCOMPtr<nsIURI> uri;
   PRBool authp = PR_FALSE;
 
   if (mState & XML_HTTP_REQUEST_ABORTED) {
     // Something caused this request to abort (e.g the current request
     // was caceled, channels closed etc), most likely the abort()
     // function was called by script. Unset our aborted state, and
@@ -1247,17 +1041,17 @@ nsXMLHttpRequest::OpenRequest(const nsAC
     mState &= ~XML_HTTP_REQUEST_ASYNC;
   }
 
   rv = NS_NewURI(getter_AddRefs(uri), url, nsnull, GetBaseURI());
   if (NS_FAILED(rv)) return rv;
 
   // mScriptContext should be initialized because of GetBaseURI() above.
   // Still need to consider the case that doc is nsnull however.
-  doc = GetDocumentFromScriptContext(mScriptContext);
+  nsCOMPtr<nsIDocument> doc = GetDocumentFromScriptContext(mScriptContext);
   PRInt16 shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_XMLHTTPREQUEST,
                                  uri,
                                  (doc ? doc->GetDocumentURI() : nsnull),
                                  doc,
                                  EmptyCString(), //mime guess
                                  nsnull,         //extra
                                  &shouldLoad);
@@ -1296,46 +1090,21 @@ nsXMLHttpRequest::OpenRequest(const nsAC
     loadFlags = nsIRequest::LOAD_NORMAL;
   } else {
     loadFlags = nsIRequest::LOAD_BACKGROUND;
   }
   rv = NS_NewChannel(getter_AddRefs(mChannel), uri, nsnull, loadGroup, nsnull,
                      loadFlags);
   if (NS_FAILED(rv)) return rv;
 
-  // Check if we're doing a cross-origin request.
-  if (!(mState & XML_HTTP_REQUEST_XSITEENABLED) &&
-      !IsSameOrigin(mPrincipal, mChannel)) {
-    mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
-  }
-
   //mChannel->SetAuthTriedWithPrehost(authp);
 
   nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
   if (httpChannel) {
     rv = httpChannel->SetRequestMethod(method);
-    NS_ENSURE_SUCCESS(rv, rv);
-    
-    if (!method.LowerCaseEqualsLiteral("get")) {
-      mState |= XML_HTTP_REQUEST_NON_GET;
-    }
-  }
-
-  // Do we need to set up an initial GET request to make sure that it is safe
-  // to make the request?
-  if ((mState & XML_HTTP_REQUEST_USE_XSITE_AC) &&
-      (mState & XML_HTTP_REQUEST_NON_GET)) {
-    rv = NS_NewChannel(getter_AddRefs(mACGetChannel), uri, nsnull, loadGroup, nsnull,
-                       loadFlags);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    nsCOMPtr<nsIHttpChannel> acHttp = do_QueryInterface(mACGetChannel);
-    rv = acHttp->SetRequestHeader(
-      NS_LITERAL_CSTRING("XMLHttpRequest-Security-Check"), method, PR_FALSE);
-    NS_ENSURE_SUCCESS(rv, rv);
   }
 
   ChangeState(XML_HTTP_REQUEST_OPENED);
 
   return rv;
 }
 
 /* void open (in AUTF8String method, in AUTF8String url); */
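Review bot: With `NS_ENSURE_SUCCESS(rv, rv)` removed after `httpChannel->SetRequestMethod(method)`, a failure there no longer stops the function. `ChangeState(XML_HTTP_REQUEST_OPENED)` still runs and the error is only returned afterwards, so the request object ends up in the OPENED state even though setting the method failed. Returning early keeps state and result consistent: `if (NS_FAILED(rv)) return rv;` directly after the SetRequestMethod call, matching the check used after `NS_NewChannel` just above. OpenRequest begins outside this hunk.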
@@ -1369,17 +1138,17 @@ nsXMLHttpRequest::Open(const nsACString&
     rv = NS_NewURI(getter_AddRefs(targetURI), url, nsnull, GetBaseURI());
     if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
 
     nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
     if (!secMan) {
       return NS_ERROR_FAILURE;
     }
 
-    rv = secMan->CheckConnect(cx, targetURI, "XMLHttpRequest", "open-uri");
+    rv = secMan->CheckConnect(cx, targetURI, "XMLHttpRequest","open");
     if (NS_FAILED(rv))
     {
       // Security check failed.
       return NS_OK;
     }
 
     // Find out if UniversalBrowserRead privileges are enabled
     // we will need this in case of a redirect
@@ -1521,23 +1290,16 @@ nsXMLHttpRequest::OnStartRequest(nsIRequ
 
   // Create an empty document from it 
   const nsAString& emptyStr = EmptyString();
   nsresult rv = nsContentUtils::CreateDocument(emptyStr, emptyStr, nsnull, uri,
                                                uri, mPrincipal,
                                                getter_AddRefs(mDocument));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-    nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(mDocument);
-    if (htmlDoc) {
-      htmlDoc->DisableCookieAccess();
-    }
-  }
-
   // Reset responseBody
   mResponseBody.Truncate();
 
   // Register as a load listener on the document
   nsCOMPtr<nsPIDOMEventTarget> target(do_QueryInterface(mDocument));
   if (target) {
     nsWeakPtr requestWeak =
       do_GetWeakReference(static_cast<nsIXMLHttpRequest*>(this));
@@ -1784,16 +1546,28 @@ nsXMLHttpRequest::Send(nsIVariant *aBody
   if (!mChannel || !(XML_HTTP_REQUEST_OPENED & mState)) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   // XXX We should probably send a warning to the JS console
   //     if there are no event listeners set and we are doing
   //     an asynchronous call.
 
+  nsCOMPtr<nsIDocument> doc =
+    do_QueryInterface(nsContentUtils::GetDocumentFromCaller());
+  if (doc) {
+    mPrincipal = doc->NodePrincipal();
+  }
+  else {
+    nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
+    if (secMan) {
+      secMan->GetSubjectPrincipal(getter_AddRefs(mPrincipal));
+    }
+  }
+
   // Ignore argument if method is GET, there is no point in trying to
   // upload anything
   nsCAutoString method;
   nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
 
   if (httpChannel) {
     httpChannel->GetRequestMethod(method); // If GET, method name will be uppercase
 
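Review bot: `mPrincipal` is assigned only when a caller document or a security manager is available, and the result of `GetSubjectPrincipal()` is ignored, so after this block it can be null or still hold the value from an earlier send(). OnStartRequest later passes `mPrincipal` to `nsContentUtils::CreateDocument`, so the response document's principal depends on this assignment. Resetting it first with `mPrincipal = nsnull;` and checking the nsresult of `GetSubjectPrincipal()` would make the outcome explicit. If a null principal is legitimate for native callers, a comment should say so. Send() starts before and continues after this hunk.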
@@ -1944,37 +1718,28 @@ nsXMLHttpRequest::Send(nsIVariant *aBody
     mState |= XML_HTTP_REQUEST_SYNCLOOPING;
   }
 
   if (!mScriptContext) {
     // We need a context to check if redirect (if any) is allowed
     mScriptContext = GetCurrentContext();
   }
 
-  rv = CheckChannelForCrossSiteRequest();
-  NS_ENSURE_SUCCESS(rv, rv);
-
   // Hook us up to listen to redirects and the like
   mChannel->GetNotificationCallbacks(getter_AddRefs(mNotificationCallbacks));
   mChannel->SetNotificationCallbacks(this);
 
-  // Create our listener
-  nsCOMPtr<nsIStreamListener> listener = this;
-  if (!(mState & XML_HTTP_REQUEST_XSITEENABLED)) {
-    // Always create a nsCrossSiteListenerProxy here even if it's
-    // a same-origin request right now, since it could be redirected.
-    listener = new nsCrossSiteListenerProxy(listener, mPrincipal);
-    NS_ENSURE_TRUE(listener, NS_ERROR_OUT_OF_MEMORY);
-  }
-
+  nsCOMPtr<nsIStreamListener> listener;
   if (mState & XML_HTTP_REQUEST_MULTIPART) {
-    listener = new nsMultipartProxyListener(listener);
+    listener = new nsMultipartProxyListener(this);
     if (!listener) {
       return NS_ERROR_OUT_OF_MEMORY;
     }
+  } else {
+    listener = this;
   }
 
   // Bypass the network cache in cases where it makes no sense:
   // 1) Multipart responses are very large and would likely be doomed by the
   //    cache once they grow too large, so they are not worth caching.
   // 2) POST responses are always unique, and we provide no API that would
   //    allow our consumers to specify a "cache key" to access old POST
   //    responses, so they are not worth caching.
@@ -1983,43 +1748,25 @@ nsXMLHttpRequest::Send(nsIVariant *aBody
         nsIRequest::LOAD_BYPASS_CACHE | nsIRequest::INHIBIT_CACHING);
   }
   // When we are sync loading, we need to bypass the local cache when it would
   // otherwise block us waiting for exclusive access to the cache.  If we don't
   // do this, then we could dead lock in some cases (see bug 309424).
   else if (mState & XML_HTTP_REQUEST_SYNCLOOPING) {
     AddLoadFlags(mChannel,
         nsICachingChannel::LOAD_BYPASS_LOCAL_CACHE_IF_BUSY);
-    if (mACGetChannel) {
-      AddLoadFlags(mACGetChannel,
-          nsICachingChannel::LOAD_BYPASS_LOCAL_CACHE_IF_BUSY);
-    }
   }
 
   // Since we expect XML data, set the type hint accordingly
   // This means that we always try to parse local files as XML
   // ignoring return value, as this is not critical
   mChannel->SetContentType(NS_LITERAL_CSTRING("application/xml"));
 
-  // If we're doing a cross-site non-GET request we need to first do
-  // a GET request to the same URI. Set that up if needed
-  if (mACGetChannel) {
-    nsCOMPtr<nsIStreamListener> acListener =
-      new nsACProxyListener(mChannel, listener, nsnull, method);
-    NS_ENSURE_TRUE(acListener, NS_ERROR_OUT_OF_MEMORY);
-
-    listener = new nsCrossSiteListenerProxy(acListener, mPrincipal);
-    NS_ENSURE_TRUE(listener, NS_ERROR_OUT_OF_MEMORY);
-
-    rv = mACGetChannel->AsyncOpen(acListener, nsnull);
-  }
-  else {
-    // Start reading from the channel
-    rv = mChannel->AsyncOpen(listener, nsnull);
-  }
+  // Start reading from the channel
+  rv = mChannel->AsyncOpen(listener, nsnull);
 
   if (NS_FAILED(rv)) {
     // Drop our ref to the channel to avoid cycles
     mChannel = nsnull;
     return rv;
   }
 
   // Now that we've successfully opened the channel, we can change state.  Note
@@ -2046,93 +1793,53 @@ nsXMLHttpRequest::Send(nsIVariant *aBody
   return rv;
 }
 
 /* void setRequestHeader (in AUTF8String header, in AUTF8String value); */
 NS_IMETHODIMP
 nsXMLHttpRequest::SetRequestHeader(const nsACString& header,
                                    const nsACString& value)
 {
-  nsresult rv;
-
-  // Check that we haven't already opened the channel. We can't rely on
-  // the channel throwing from mChannel->SetRequestHeader since we might
-  // still be waiting for mACGetChannel to actually open mChannel
-  if (mACGetChannel) {
-    PRBool pending;
-    rv = mACGetChannel->IsPending(&pending);
-    NS_ENSURE_SUCCESS(rv, rv);
-    
-    if (pending) {
-      return NS_ERROR_IN_PROGRESS;
-    }
-  }
-
-  nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
-  if (!httpChannel)          // open() initializes mChannel, and open()
+  if (!mChannel)             // open() initializes mChannel, and open()
     return NS_ERROR_FAILURE; // must be called before first setRequestHeader()
 
   // Prevent modification to certain HTTP headers (see bug 302263), unless
   // the executing script has UniversalBrowserWrite permission.
 
   nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
   if (!secMan) {
     return NS_ERROR_FAILURE;
   }
 
   PRBool privileged;
-  rv = secMan->IsCapabilityEnabled("UniversalBrowserWrite", &privileged);
+  nsresult rv = secMan->IsCapabilityEnabled("UniversalBrowserWrite",
+                                            &privileged);
   if (NS_FAILED(rv))
     return NS_ERROR_FAILURE;
 
   if (!privileged) {
-    // Check for dangerous headers
     const char *kInvalidHeaders[] = {
-      "accept-charset", "accept-encoding", "connection", "content-length",
-      "content-transfer-encoding", "date", "expect", "host", "keep-alive",
-      "proxy-connection", "referer", "referer-root", "te", "trailer",
-      "transfer-encoding", "upgrade", "via", "xmlhttprequest-security-check"
+      "host", "content-length", "transfer-encoding", "via", "upgrade"
     };
-    PRUint32 i;
-    for (i = 0; i < NS_ARRAY_LENGTH(kInvalidHeaders); ++i) {
+    for (size_t i = 0; i < NS_ARRAY_LENGTH(kInvalidHeaders); ++i) {
       if (header.LowerCaseEqualsASCII(kInvalidHeaders[i])) {
         NS_WARNING("refusing to set request header");
         return NS_OK;
       }
     }
-
-    // Check for dangerous cross-site headers
-    PRBool safeHeader = !!(mState & XML_HTTP_REQUEST_XSITEENABLED);
-    if (!safeHeader) {
-      const char *kCrossOriginSafeHeaders[] = {
-        "accept", "accept-language"
-      };
-      for (i = 0; i < NS_ARRAY_LENGTH(kCrossOriginSafeHeaders); ++i) {
-        if (header.LowerCaseEqualsASCII(kCrossOriginSafeHeaders[i])) {
-          safeHeader = PR_TRUE;
-          break;
-        }
-      }
-    }
-
-    if (!safeHeader) {
-      // The header is unsafe for cross-site requests. If this is a cross-site
-      // request throw an exception...
-      if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
-        return NS_ERROR_FAILURE;
-      }
-
-      // ...otherwise just add it to mExtraRequestHeaders so that we can
-      // remove it in case we're redirected to another site
-      mExtraRequestHeaders.AppendElement(header);
-    }
   }
 
-  // We need to set, not add to, the header.
-  return httpChannel->SetRequestHeader(header, value, PR_FALSE);
+  nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
+
+  if (httpChannel) {
+    // We need to set, not add to, the header.
+    return httpChannel->SetRequestHeader(header, value, PR_FALSE);
+  }
+
+  return NS_OK;
 }
 
 /* readonly attribute long readyState; */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetReadyState(PRInt32 *aState)
 {
   NS_ENSURE_ARG_POINTER(aState);
   // Translate some of our internal states for external consumers
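Review bot: The shortened `kInvalidHeaders` list in SetRequestHeader lets unprivileged script set `connection`, `keep-alive`, `te`, `trailer`, `expect`, `proxy-connection`, `referer` and the other names the backout drops, and blocking those does not appear to depend on the cross-site machinery being removed. Page-controlled hop-by-hop and framing headers are a request-smuggling risk through intermediaries, and a settable `referer` undermines Referer-based checks on servers. I would keep the longer list from the removed lines and drop only `xmlhttprequest-security-check`, which looks specific to the backed-out feature. The refusal path returns `NS_OK` with only an `NS_WARNING`, so a comment such as `// deliberately silent: callers must not learn which headers are filtered` (or whatever the real reason is) would help. The array can also be declared `static const char *const kInvalidHeaders[]`.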
@@ -2313,36 +2020,61 @@ nsXMLHttpRequest::ChangeState(PRUint32 a
 //
 NS_IMETHODIMP
 nsXMLHttpRequest::OnChannelRedirect(nsIChannel *aOldChannel,
                                     nsIChannel *aNewChannel,
                                     PRUint32    aFlags)
 {
   NS_PRECONDITION(aNewChannel, "Redirect without a channel?");
 
-  nsresult rv;
+  if (mScriptContext && !(mState & XML_HTTP_REQUEST_XSITEENABLED)) {
+    nsresult rv = NS_ERROR_FAILURE;
+
+    nsCOMPtr<nsIJSContextStack> stack(do_GetService("@mozilla.org/js/xpc/ContextStack;1", & rv));
+    if (NS_FAILED(rv))
+      return rv;
+
+    JSContext *cx = (JSContext *)mScriptContext->GetNativeContext();
+    if (!cx)
+      return NS_ERROR_UNEXPECTED;
+
+    nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
+    if (!secMan) {
+      return NS_ERROR_FAILURE;
+    }
+
+    nsCOMPtr<nsIURI> newURI;
+    rv = aNewChannel->GetURI(getter_AddRefs(newURI)); // The redirected URI
+    if (NS_FAILED(rv))
+      return rv;
+
+    stack->Push(cx);
+
+    rv = secMan->CheckSameOrigin(cx, newURI);
+
+    stack->Pop(&cx);
+
+    if (NS_FAILED(rv)) {
+      // The security manager set a pending exception.  Since we're
+      // running under the event loop, we need to report it.
+      ::JS_ReportPendingException(cx);
+      return rv;
+    }
+  }
+
   if (mChannelEventSink) {
-    rv =
+    nsresult rv =
       mChannelEventSink->OnChannelRedirect(aOldChannel, aNewChannel, aFlags);
-    NS_ENSURE_SUCCESS(rv, rv);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
   }
 
   mChannel = aNewChannel;
 
-  rv = CheckChannelForCrossSiteRequest();
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Disable redirects for non-get cross-site requests entirely for now
-  // Note, do this after the call to CheckChannelForCrossSiteRequest
-  // to make sure that XML_HTTP_REQUEST_USE_XSITE_AC is up-to-date
-  if ((mState & XML_HTTP_REQUEST_NON_GET) &&
-      (mState & XML_HTTP_REQUEST_USE_XSITE_AC)) {
-    return NS_ERROR_DOM_BAD_URI;
-  }
-
   return NS_OK;
 }
 
 /////////////////////////////////////////////////////
 // nsIProgressEventSink methods:
 //
 
 NS_IMETHODIMP
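Review bot: The same-origin check on the redirect target in OnChannelRedirect is skipped whenever `mScriptContext` is null, so in that case `mChannel = aNewChannel` is reached with no origin check at all. Send() fills `mScriptContext` from `GetCurrentContext()`, and nothing visible guarantees that is non-null. If a null context is only possible for trusted native callers, a comment on the `if` should say so; otherwise the redirect should be refused. Separately, the result of `stack->Push(cx)` is ignored and `stack->Pop(&cx)` overwrites `cx` before `JS_ReportPendingException(cx)` uses it. I would write `rv = stack->Push(cx); if (NS_FAILED(rv)) return rv;` and pop into a separate local.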
--- a/content/base/src/nsXMLHttpRequest.h
+++ b/content/base/src/nsXMLHttpRequest.h
@@ -152,30 +152,21 @@ protected:
   // aListeners must be a "non-live" list (i.e., addEventListener and
   // removeEventListener should not affect it).  It should be built from
   // member variables by calling CopyEventListeners.
   void NotifyEventListeners(const nsCOMArray<nsIDOMEventListener>& aListeners,
                             nsIDOMEvent* aEvent);
   void ClearEventListeners();
   already_AddRefed<nsIHttpChannel> GetCurrentHttpChannel();
 
-  /**
-   * Check if mChannel is ok for a cross-site request by making sure no
-   * inappropriate headers are set, and no username/password is set.
-   *
-   * Also updates the XML_HTTP_REQUEST_USE_XSITE_AC bit.
-   */
-  nsresult CheckChannelForCrossSiteRequest();
-
   nsCOMPtr<nsISupports> mContext;
   nsCOMPtr<nsIPrincipal> mPrincipal;
   nsCOMPtr<nsIChannel> mChannel;
   nsCOMPtr<nsIRequest> mReadRequest;
   nsCOMPtr<nsIDOMDocument> mDocument;
-  nsCOMPtr<nsIChannel> mACGetChannel;
 
   nsCOMArray<nsIDOMEventListener> mLoadEventListeners;
   nsCOMArray<nsIDOMEventListener> mErrorEventListeners;
   nsCOMArray<nsIDOMEventListener> mProgressEventListeners;
   nsCOMArray<nsIDOMEventListener> mUploadProgressEventListeners;
   nsCOMArray<nsIDOMEventListener> mReadystatechangeEventListeners;
   
   nsCOMPtr<nsIScriptContext> mScriptContext;
@@ -213,20 +204,16 @@ protected:
    * Sink interfaces that we implement that mNotificationCallbacks may
    * want to also be notified for.  These are inited lazily if we're
    * asked for the relevant interface.
    */
   nsCOMPtr<nsIChannelEventSink> mChannelEventSink;
   nsCOMPtr<nsIProgressEventSink> mProgressEventSink;
 
   PRUint32 mState;
-
-  // List of potentially dangerous headers explicitly set using
-  // SetRequestHeader.
-  nsTArray<nsCString> mExtraRequestHeaders;
 };
 
 
 // helper class to expose a progress DOM Event
 
 class nsXMLHttpProgressEvent : public nsIDOMLSProgressEvent
 {
 public:
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@@ -80,22 +80,12 @@ include $(topsrcdir)/config/rules.mk
 		test_bug371576-3.html \
 		test_bug371576-4.html \
 		test_bug371576-5.html \
 		test_bug372086.html \
 		test_bug373181.xhtml \
 		test_bug375314.html \
 		test_bug382113.html \
 		bug382113_object.html \
-		test_CrossSiteXHR.html \
-		file_CrossSiteXHR_fail1.xml \
-		file_CrossSiteXHR_fail2.xml \
-		file_CrossSiteXHR_fail2.xml^headers^ \
-		file_CrossSiteXHR_fail3.xml \
-		file_CrossSiteXHR_fail4.xml \
-		file_CrossSiteXHR_pass1.xml \
-		file_CrossSiteXHR_pass1.xml^headers^ \
-		file_CrossSiteXHR_pass2.xml \
-		file_CrossSiteXHR_pass3.xml \
 		$(NULL)
 
 libs:: $(_TEST_FILES)
 	$(INSTALL) $^ $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
--- a/content/html/document/src/nsHTMLDocument.cpp
+++ b/content/html/document/src/nsHTMLDocument.cpp
@@ -1959,20 +1959,16 @@ nsHTMLDocument::GetAnchors(nsIDOMHTMLCol
 }
 
 NS_IMETHODIMP
 nsHTMLDocument::GetCookie(nsAString& aCookie)
 {
   aCookie.Truncate(); // clear current cookie in case service fails;
                       // no cookie isn't an error condition.
 
-  if (mDisableCookieAccess) {
-    return NS_OK;
-  }
-
   // not having a cookie service isn't an error
   nsCOMPtr<nsICookieService> service = do_GetService(NS_COOKIESERVICE_CONTRACTID);
   if (service) {
     // Get a URI from the document principal. We use the original
     // codebase in case the codebase was changed by SetDomain
     nsCOMPtr<nsIURI> codebaseURI;
     NodePrincipal()->GetURI(getter_AddRefs(codebaseURI));
 
@@ -1989,20 +1985,16 @@ nsHTMLDocument::GetCookie(nsAString& aCo
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHTMLDocument::SetCookie(const nsAString& aCookie)
 {
-  if (mDisableCookieAccess) {
-    return NS_OK;
-  }
-
   // not having a cookie service isn't an error
   nsCOMPtr<nsICookieService> service = do_GetService(NS_COOKIESERVICE_CONTRACTID);
   if (service && mDocumentURI) {
     nsCOMPtr<nsIPrompt> prompt;
     nsCOMPtr<nsPIDOMWindow> window = GetWindow();
     if (window) {
       window->GetPrompter(getter_AddRefs(prompt));
     }
--- a/content/html/document/src/nsHTMLDocument.h
+++ b/content/html/document/src/nsHTMLDocument.h
@@ -202,21 +202,16 @@ public:
 
   nsresult ChangeContentEditableCount(nsIContent *aElement, PRInt32 aChange);
 
   virtual PRBool IsEditingOn()
   {
     return mEditingState != eOff;
   }
 
-  virtual void DisableCookieAccess()
-  {
-    mDisableCookieAccess = PR_TRUE;
-  }
-
   NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED_NO_UNLINK(nsHTMLDocument, nsDocument)
 
 protected:
   nsresult GetBodySize(PRInt32* aWidth,
                        PRInt32* aHeight);
 
   nsresult RegisterNamedItems(nsIContent *aContent);
   nsresult UnregisterNamedItems(nsIContent *aContent);
@@ -389,13 +384,11 @@ protected:
   static jsval       sCutCopyInternal_id;
   static jsval       sPasteInternal_id;
 
   // kNameSpaceID_None for good ol' HTML documents, and
   // kNameSpaceID_XHTML for spiffy new XHTML documents.
   // XXXbz should this be reset if someone manually calls
   // SetContentType() on this document?
   PRInt32 mDefaultNamespaceID;
-
-  PRBool mDisableCookieAccess;
 };
 
 #endif /* nsHTMLDocument_h___ */
--- a/content/html/document/src/nsIHTMLDocument.h
+++ b/content/html/document/src/nsIHTMLDocument.h
@@ -147,18 +147,13 @@ public:
 
   /**
    * Returns the result of document.all[aID] which can either be a node
    * or a nodelist depending on if there are multiple nodes with the same
    * id.
    */
   virtual nsresult GetDocumentAllResult(const nsAString& aID,
                                         nsISupports** aResult) = 0;
-
-  /**
-   * Disables getting and setting cookies
-   */
-  virtual void DisableCookieAccess() = 0;
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(nsIHTMLDocument, NS_IHTMLDOCUMENT_IID)
 
 #endif /* nsIHTMLDocument_h___ */
--- a/content/xml/document/src/nsXMLDocument.cpp
+++ b/content/xml/document/src/nsXMLDocument.cpp
@@ -556,28 +556,38 @@ nsresult
 nsXMLDocument::StartDocumentLoad(const char* aCommand,
                                  nsIChannel* aChannel,
                                  nsILoadGroup* aLoadGroup,
                                  nsISupports* aContainer,
                                  nsIStreamListener **aDocListener,
                                  PRBool aReset,
                                  nsIContentSink* aSink)
 {
+  if (nsCRT::strcmp(kLoadAsData, aCommand) == 0) {
+    mLoadedAsData = PR_TRUE;
+    // We need to disable script & style loading in this case.
+    // We leave them disabled even in EndLoad(), and let anyone
+    // who puts the document on display to worry about enabling.
+
+    // Do not load/process scripts when loading as data
+    ScriptLoader()->SetEnabled(PR_FALSE);
+
+    // styles
+    CSSLoader()->SetEnabled(PR_FALSE); // Do not load/process styles when loading as data
+  } else if (nsCRT::strcmp("loadAsInteractiveData", aCommand) == 0) {
+    mLoadedAsInteractiveData = PR_TRUE;
+    aCommand = kLoadAsData; // XBL, for example, needs scripts and styles
+  }
+
   nsresult rv = nsDocument::StartDocumentLoad(aCommand,
                                               aChannel, aLoadGroup,
                                               aContainer, 
                                               aDocListener, aReset, aSink);
   if (NS_FAILED(rv)) return rv;
 
-  if (nsCRT::strcmp("loadAsInteractiveData", aCommand) == 0) {
-    mLoadedAsInteractiveData = PR_TRUE;
-    aCommand = kLoadAsData; // XBL, for example, needs scripts and styles
-  }
-
-
   PRInt32 charsetSource = kCharsetFromDocTypeDefault;
   nsCAutoString charset(NS_LITERAL_CSTRING("UTF-8"));
   TryChannelCharset(aChannel, charsetSource, charset);
 
   nsCOMPtr<nsIURI> aUrl;
   rv = aChannel->GetURI(getter_AddRefs(aUrl));
   if (NS_FAILED(rv)) return rv;
 
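Review bot: `mLoadedAsData` is set and the script and CSS loaders are disabled before `nsDocument::StartDocumentLoad` runs, and nothing in the hunk clears the flag again. A document once loaded as data would therefore keep reporting `IsLoadedAsData()` on a later ordinary load, unless a reset outside this hunk handles it. If the base call with `aReset` set re-initialises loader state, the two `SetEnabled(PR_FALSE)` calls would also need to come after it; I cannot tell that from the hunk. The `loadAsInteractiveData` branch rewrites `aCommand` to `kLoadAsData` without setting `mLoadedAsData`, which deserves a comment such as `// interactive data keeps scripts and styles, so IsLoadedAsData() stays false`. The function body continues past the hunk.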
@@ -641,16 +651,23 @@ nsXMLDocument::EndLoad()
     nsCxPusher pusher(sgo);
 
     nsEventDispatcher::Dispatch(static_cast<nsIDocument*>(this), nsnull,
                                 &event, nsnull, &status);
   }    
   nsDocument::EndLoad();  
 }
 
+PRBool
+nsXMLDocument::IsLoadedAsData()
+{
+  return mLoadedAsData;
+}
+  
+
 // nsIDOMNode interface
 
 NS_IMETHODIMP    
 nsXMLDocument::CloneNode(PRBool aDeep, nsIDOMNode** aReturn)
 {
   return nsNodeUtils::CloneNodeImpl(this, aDeep, aReturn);
 }
  
--- a/content/xml/document/src/nsXMLDocument.h
+++ b/content/xml/document/src/nsXMLDocument.h
@@ -70,16 +70,18 @@ public:
                                      nsILoadGroup* aLoadGroup,
                                      nsISupports* aContainer,
                                      nsIStreamListener **aDocListener,
                                      PRBool aReset = PR_TRUE,
                                      nsIContentSink* aSink = nsnull);
 
   virtual void EndLoad();
 
+  virtual PRBool IsLoadedAsData();
+
   // nsIDOMNode interface
   NS_IMETHOD CloneNode(PRBool aDeep, nsIDOMNode** aReturn);
 
   // nsIDOMDocument interface
   NS_IMETHOD GetElementById(const nsAString& aElementId,
                             nsIDOMElement** aReturn);
 
   // nsIInterfaceRequestor
@@ -105,15 +107,16 @@ protected:
   // mChannelIsPending indicates whether we're currently asynchronously loading
   // data from mChannel (via document.load() or normal load).  It's set to true
   // when we first find out about the channel (StartDocumentLoad) and set to
   // false in EndLoad or if ResetToURI() is called.  In the latter case our
   // mChannel is also cancelled.  Note that if this member is true, mChannel
   // cannot be null.
   PRPackedBool mChannelIsPending;
   PRPackedBool mCrossSiteAccessEnabled;
+  PRPackedBool mLoadedAsData;
   PRPackedBool mLoadedAsInteractiveData;
   PRPackedBool mAsync;
   PRPackedBool mLoopingForSyncLoad;
 };
 
 
 #endif // nsXMLDocument_h___
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -438,17 +438,16 @@ pref("capability.policy.mailnews.WSDLLoa
 pref("capability.policy.mailnews.WebServiceProxyFactory.createProxy", "noAccess");
 pref("capability.policy.mailnews.WebServiceProxyFactory.createProxyAsync", "noAccess");
 pref("capability.policy.mailnews.WebServiceProxyFactory.onLoad", "noAccess");
 pref("capability.policy.mailnews.WebServiceProxyFactory.onError", "noAccess");
 
 // XMLExtras
 pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
 pref("capability.policy.default.XMLHttpRequest.getInterface", "noAccess");
-pref("capability.policy.default.XMLHttpRequest.open-uri", "allAccess");
 pref("capability.policy.default.DOMParser.parseFromStream", "noAccess");
 
 // Clipboard
 pref("capability.policy.default.Clipboard.cutcopy", "noAccess");
 pref("capability.policy.default.Clipboard.paste", "noAccess");
 
 // Scripts & Windows prefs
 pref("dom.disable_image_src_set",           false);