Fix for bug 165532 (Disable cross-site loading of XSLT stylesheets by default). r=sicking, sr=bz.

git-svn-id: svn://10.0.0.236/trunk@134676 18797224-902f-48f8-a5cc-f745e15eee43
2002-12-03 09:20:43 +00:00 · 2002-12-03 09:20:43 +00:00 · 496da7acfd
commit 496da7acfd
parent e47b242a89
1 changed files with 11 additions and 5 deletions
--- a/mozilla/content/xml/document/src/nsXMLContentSink.cpp
+++ b/mozilla/content/xml/document/src/nsXMLContentSink.cpp
@ -818,13 +818,19 @@ nsXMLContentSink::ProcessStyleLink(nsIContent* aElement,

    nsCOMPtr<nsIScriptSecurityManager> secMan = 
      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-    NS_ENSURE_SUCCESS(rv, rv);
+    NS_ENSURE_SUCCESS(rv, NS_OK);
+
    rv = secMan->CheckLoadURI(mDocumentURL, url,
                              nsIScriptSecurityManager::ALLOW_CHROME);
-    if (NS_FAILED(rv))
-      return NS_OK;
-    rv = LoadXSLStyleSheet(url);
-  } else if (aType.Equals(NS_LITERAL_STRING("text/css"))) {
+    NS_ENSURE_SUCCESS(rv, NS_OK);
+
+    rv = secMan->CheckSameOriginURI(mDocumentURL, url);
+    NS_ENSURE_SUCCESS(rv, NS_OK);
+
+    return LoadXSLStyleSheet(url);
+  }
+
+  if (aType.Equals(NS_LITERAL_STRING("text/css"))) {
    nsCOMPtr<nsIURI> url;
    rv = NS_NewURI(getter_AddRefs(url), aHref, nsnull, mDocumentBaseURL);
    if (NS_FAILED(rv)) {