Bug 159484 - do not get/set passwords for URLs with no host. r=morse, sr=dveditz.

git-svn-id: svn://10.0.0.236/branches/NETSCAPE_6_2_3_BRANCH@126096 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/caps/idl/nsIAggregatePrincipal.idl

@@ -34,7 +34,9 @@ interface nsIAggregatePrincipal : nsISupports {
 
     attribute nsIPrincipal certificate;
     attribute nsIPrincipal codebase;
+    readonly attribute nsIPrincipal originalCodebase;
     readonly attribute nsIPrincipal primaryChild;
 
     void intersect(in nsIPrincipal other);
+    boolean wasCodebaseChanged();
 };

mozilla/caps/idl/nsIScriptSecurityManager.idl

@@ -183,6 +183,13 @@ interface nsIScriptSecurityManager : nsIXPCSecurityManager
      */
     [noscript] nsIPrincipal getObjectPrincipal(in JSContextPtr cx,
                                                in JSObjectPtr obj);
+
+    /**
+     * Returns OK if aJSContext and target have the same "origin"
+     * (scheme, host, and port).
+     */
+    [noscript] void checkSameOrigin(in JSContextPtr aJSContext,
+                                    in nsIURI aTargetURI);
 };
 
 %{C++

mozilla/caps/include/nsAggregatePrincipal.h

@@ -94,6 +94,8 @@ public:
 protected:
     nsCOMPtr<nsIPrincipal> mCertificate;
     nsCOMPtr<nsIPrincipal> mCodebase;
+    nsCOMPtr<nsIPrincipal> mOriginalCodebase;
+    PRBool mCodebaseWasChanged;
 };
 
 #endif // _NS_AGGREGATE_PRINCIPAL_H_

mozilla/caps/include/nsScriptSecurityManager.h

@@ -126,8 +126,9 @@ private:
                             const char* aProperty, void** aPolicy);
 
     nsresult
-    CheckSameOrigin(JSContext* aCx, nsIPrincipal* aSubject, 
-                    nsIPrincipal* aObject, PRUint32 aAction);
+    CheckSameOriginInternal(nsIPrincipal* aSubject, 
+                            nsIPrincipal* aObject, PRUint32 aAction,
+                            PRBool checkForPrivileges);
     
     PRInt32 
     GetSecurityLevel(nsIPrincipal *principal,

mozilla/caps/src/nsAggregatePrincipal.cpp

@@ -170,27 +170,44 @@ NS_IMETHODIMP
 nsAggregatePrincipal::SetCodebase(nsIPrincipal* aCodebase)
 {
     nsresult rv;
-    //-- Make sure this really is a codebase principal
-    if (aCodebase)
+    nsCOMPtr<nsIPrincipal> newCodebase(aCodebase);
+
+    //-- If newCodebase is an aggregate, get its underlying codebase
+    nsCOMPtr<nsIAggregatePrincipal> agg = 
+        do_QueryInterface(newCodebase, &rv);
+    if (NS_SUCCEEDED(rv))
     {
+        rv = agg->GetCodebase(getter_AddRefs(newCodebase));
+        if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
+    }
+    else
+    { //-- Make sure this really is a codebase principal
         nsCOMPtr<nsICodebasePrincipal> tempCodebase = 
-            do_QueryInterface(aCodebase, &rv);
+            do_QueryInterface(newCodebase, &rv);
         if (NS_FAILED(rv))
             return NS_ERROR_FAILURE;
     }
 
-    //-- If aCodebase is an aggregate, get its underlying codebase
-    nsCOMPtr<nsIAggregatePrincipal> agg = 
-        do_QueryInterface(aCodebase, &rv);
-    if (NS_SUCCEEDED(rv))
-    {
-        nsCOMPtr<nsIPrincipal> underlying;
-        rv = agg->GetCodebase(getter_AddRefs(underlying));
-        if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
-        mCodebase = underlying.get();
-    }
+    mCodebase = newCodebase;
+
+    //-- If this is the first codebase set, remember it.
+    //   If not, remember that the codebase was explicitly set
+    if (!mOriginalCodebase)
+        mOriginalCodebase = newCodebase;
     else
-        mCodebase = aCodebase;
+        mCodebaseWasChanged = PR_TRUE;
+
+    return NS_OK;
+}
+
+NS_IMETHODIMP 
+nsAggregatePrincipal::GetOriginalCodebase(nsIPrincipal** aOriginalCodebase)
+{
+    NS_ENSURE_ARG_POINTER(aOriginalCodebase);
+
+    *aOriginalCodebase = mOriginalCodebase;
+    NS_IF_ADDREF(*aOriginalCodebase);
+
     return NS_OK;
 }
 
@@ -229,6 +246,13 @@ nsAggregatePrincipal::Intersect(nsIPrincipal* other)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsAggregatePrincipal::WasCodebaseChanged(PRBool* changed)
+{
+    *changed = mCodebaseWasChanged;
+    return NS_OK;
+}
+
 ///////////////////////////////////////
 // Methods implementing nsIPrincipal //
 ///////////////////////////////////////
@@ -403,7 +427,7 @@ nsAggregatePrincipal::Write(nsIObjectOutputStream* aStream)
 // Constructor, Destructor, initialization //
 /////////////////////////////////////////////
 
-nsAggregatePrincipal::nsAggregatePrincipal() 
+nsAggregatePrincipal::nsAggregatePrincipal() : mCodebaseWasChanged(PR_FALSE)
 {
     NS_INIT_ISUPPORTS();
 }

mozilla/caps/src/nsScriptSecurityManager.cpp

@@ -204,6 +204,55 @@ nsScriptSecurityManager::CheckConnect(JSContext* aJSContext,
                                    nsnull, nsnull, aClassName, aPropertyName, nsnull);
 }
 
+NS_IMETHODIMP
+nsScriptSecurityManager::CheckSameOrigin(JSContext* cx,
+                                         nsIURI* aTargetURI)
+{
+    nsresult rv;
+
+    // Get a context if necessary
+    if (!cx)
+    {
+        cx = GetCurrentContextQuick();
+        if (!cx)
+            return NS_OK; // No JS context, so allow access
+    }
+
+    // Get a principal from the context
+    nsCOMPtr<nsIPrincipal> sourcePrincipal;
+    rv = GetSubjectPrincipal(cx, getter_AddRefs(sourcePrincipal));
+    if (NS_FAILED(rv))
+        return rv;
+
+    PRBool equals;
+    if (!sourcePrincipal ||
+        NS_SUCCEEDED(sourcePrincipal->Equals(mSystemPrincipal, &equals))
+                     && equals)
+        // We have native code or the system principal, so allow access
+        return NS_OK;
+
+    // Get the original URI from the source principal.
+    // This has the effect of ignoring any change to document.domain
+    // which must be done to avoid DNS spoofing (bug 154930)
+    nsCOMPtr<nsIAggregatePrincipal> sourceAgg(do_QueryInterface(sourcePrincipal, &rv));
+    NS_ENSURE_SUCCESS(rv, rv); // If it's not a system principal, it must be an aggregate
+    nsCOMPtr<nsIPrincipal> sourceOriginal;
+    rv = sourceAgg->GetOriginalCodebase(getter_AddRefs(sourceOriginal));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    // Create a principal from the target URI
+    // XXX factor out the Equals function so this isn't necessary
+    nsCOMPtr<nsIPrincipal> targetPrincipal;
+    rv = GetCodebasePrincipal(aTargetURI, getter_AddRefs(targetPrincipal));
+    if (NS_FAILED(rv))
+        return rv;
+
+    // Compare origins
+    return CheckSameOriginInternal(sourceOriginal, targetPrincipal,
+                                   0, PR_FALSE /* do not check for privileges */);
+}
+
+
 nsresult
 nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
                                                  nsIXPCNativeCallContext* aCallContext,
@@ -316,8 +365,8 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
                 rv = NS_ERROR_DOM_SECURITY_ERR;
                 break;
             }
-            rv = CheckSameOrigin(aJSContext, subjectPrincipal, objectPrincipal,
-                                 aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY);
+            rv = CheckSameOriginInternal(subjectPrincipal, objectPrincipal,
+                                         aAction, PR_TRUE /* check for privileges */);
 
             break;
         }
@@ -449,9 +498,12 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
 }
 
 nsresult
-nsScriptSecurityManager::CheckSameOrigin(JSContext *aCx, nsIPrincipal* aSubject,
-                                         nsIPrincipal* aObject, PRUint32 aAction)
+nsScriptSecurityManager::CheckSameOriginInternal(nsIPrincipal* aSubject,
+                                                 nsIPrincipal* aObject,
+                                                 PRUint32 aAction,
+                                                 PRBool checkForPrivileges)
 {
+    nsresult rv;
     /*
     ** Get origin of subject and object and compare.
     */
@@ -463,7 +515,25 @@ nsScriptSecurityManager::CheckSameOrigin(JSContext *aCx, nsIPrincipal* aSubject,
         return NS_ERROR_FAILURE;
 
     if (isSameOrigin)
-        return NS_OK;
+    {   // If either the subject or the object has changed its principal by
+        // explicitly setting document.domain then the other must also have
+        // done so in order to be considered the same origin. This prevents
+        // DNS spoofing based on document.domain (154930)
+        nsCOMPtr<nsIAggregatePrincipal> subjectAgg(do_QueryInterface(aSubject, &rv));
+        NS_ENSURE_SUCCESS(rv, rv);
+        PRBool subjectSetDomain = PR_FALSE;
+        subjectAgg->WasCodebaseChanged(&subjectSetDomain);
+
+        nsCOMPtr<nsIAggregatePrincipal> objectAgg(do_QueryInterface(aObject, &rv));
+        NS_ENSURE_SUCCESS(rv, rv);
+        PRBool objectSetDomain = PR_FALSE;
+        objectAgg->WasCodebaseChanged(&objectSetDomain);
+
+        // If both or neither explicitly set their domain, allow the access
+        if (!(subjectSetDomain || objectSetDomain) ||
+            (subjectSetDomain && objectSetDomain))
+            return NS_OK;
+    }
 
     // Allow access to about:blank
     nsCOMPtr<nsICodebasePrincipal> objectCodebase(do_QueryInterface(aObject));
@@ -476,19 +546,21 @@ nsScriptSecurityManager::CheckSameOrigin(JSContext *aCx, nsIPrincipal* aSubject,
             return NS_OK;
     }
 
-    /*
-    ** If we failed the origin tests it still might be the case that we
-    ** are a signed script and have permissions to do this operation.
-    ** Check for that here
-    */
-    PRBool capabilityEnabled = PR_FALSE;
-    const char* cap = aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY ?
-                      "UniversalBrowserWrite" : "UniversalBrowserRead";
-    if (NS_FAILED(IsCapabilityEnabled(cap, &capabilityEnabled)))
-        return NS_ERROR_FAILURE;
-    if (capabilityEnabled)
-        return NS_OK;
-
+    if (checkForPrivileges)
+    {
+        /*
+        ** If we failed the origin tests it still might be the case that we
+        ** are a signed script and have permissions to do this operation.
+        ** Check for that here
+        */
+        PRBool capabilityEnabled = PR_FALSE;
+        const char* cap = aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY ?
+                          "UniversalBrowserWrite" : "UniversalBrowserRead";
+        if (NS_FAILED(IsCapabilityEnabled(cap, &capabilityEnabled)))
+            return NS_ERROR_FAILURE;
+        if (capabilityEnabled)
+            return NS_OK;
+        }
     /*
     ** Access tests failed, so now report error.
     */

mozilla/content/xml/document/src/Makefile.in

@@ -28,7 +28,7 @@ include $(DEPTH)/config/autoconf.mk
 
 MODULE		= layout
 LIBRARY_NAME	= gkconxmldoc_s
-REQUIRES	= xpcom string js dom widget caps htmlparser necko view docshell webshell uriloader pref xpconnect uconv chardet lwbrk exthandler mimetype
+REQUIRES	= xpcom string js dom widget caps htmlparser necko view docshell webshell uriloader pref xpconnect uconv chardet lwbrk exthandler mimetype windowwatcher
 
 CPPSRCS		= \
 		nsXMLContentSink.cpp \

mozilla/content/xml/document/src/nsXMLDocument.cpp

@@ -75,6 +75,8 @@
 #include "nsContentCID.h"
 #include "nsDOMAttribute.h"
 #include "nsGUIEvent.h"
+#include "nsIWindowWatcher.h"
+#include "nsIAuthPrompt.h"
 
 #include "nsCExternalHandlerService.h"
 #include "nsIMIMEService.h"
@@ -183,7 +185,7 @@ NS_NewXMLDocument(nsIDocument** aInstancePtrResult)
 
 nsXMLDocument::nsXMLDocument() 
   : mAttrStyleSheet(nsnull), mInlineStyleSheet(nsnull), 
-    mParser(nsnull)
+    mParser(nsnull), mCrossSiteAccessEnabled(PR_FALSE)
 {
 }
 
@@ -256,35 +258,72 @@ nsXMLDocument::GetContentType(nsAWritableString& aContentType) const
 NS_IMETHODIMP
 nsXMLDocument::GetInterface(const nsIID& aIID, void** aSink)
 {
-  // Since we implement all the interfaces that you can get with
-  // GetInterface() we can simply call QueryInterface() here and let
-  // it do all the work.
+  if (aIID.Equals(NS_GET_IID(nsIAuthPrompt))) {
+    NS_ENSURE_ARG_POINTER(aSink);
+    *aSink = nsnull;
+
+    nsresult rv;
+    nsCOMPtr<nsIWindowWatcher> ww(do_GetService("@mozilla.org/embedcomp/window-watcher;1", &rv));
+    if (NS_FAILED(rv))
+      return rv;
+
+    nsCOMPtr<nsIAuthPrompt> prompt;
+    rv = ww->GetNewAuthPrompter(nsnull, getter_AddRefs(prompt));
+    if (NS_FAILED(rv))
+      return rv;
+
+    nsIAuthPrompt *p = prompt.get();
+    NS_ADDREF(p);
+    *aSink = p;
+    return NS_OK;
+  }
+
 
   return QueryInterface(aIID, aSink);
 }
 
-
 // nsIHttpEventSink
 NS_IMETHODIMP
 nsXMLDocument::OnRedirect(nsIHttpChannel *aHttpChannel, nsIChannel *aNewChannel)
 {
+  NS_ENSURE_ARG_POINTER(aNewChannel);
+
   nsresult rv;
 
-  nsCOMPtr<nsIScriptSecurityManager> securityManager = 
+  nsCOMPtr<nsIScriptSecurityManager> secMan = 
            do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
 
   if (NS_FAILED(rv))
     return NS_ERROR_FAILURE;
 
-  nsCOMPtr<nsIURI> newLocation;
+  nsCOMPtr<nsIURI> newLocation; // The redirected URI
   rv = aNewChannel->GetURI(getter_AddRefs(newLocation));
 
   if (NS_FAILED(rv))
     return NS_ERROR_FAILURE;
 
+  if (mScriptContext && !mCrossSiteAccessEnabled) {
+    nsCOMPtr<nsIJSContextStack> stack(do_GetService("@mozilla.org/js/xpc/ContextStack;1", & rv));
+    if (NS_FAILED(rv))
+      return rv;
+
+    JSContext *cx = (JSContext *)mScriptContext->GetNativeContext();
+    if (!cx)
+      return NS_ERROR_UNEXPECTED;
+
+    stack->Push(cx);
+
+    rv = secMan->CheckSameOrigin(nsnull, newLocation);
+
+    stack->Pop(&cx);
+  
+    if (NS_FAILED(rv))
+      return rv;
+  }
+
   nsCOMPtr<nsIPrincipal> newCodebase;
-  rv = securityManager->GetCodebasePrincipal(newLocation,
-                                             getter_AddRefs(newCodebase));
+  rv = secMan->GetCodebasePrincipal(newLocation,
+                                    getter_AddRefs(newCodebase));
   if (NS_FAILED(rv))
     return NS_ERROR_FAILURE;
 
@@ -322,6 +361,25 @@ nsXMLDocument::Load(const nsAReadableString& aUrl)
   SetBaseURL(uri);
   mBaseTarget.Truncate();
 
+
+  // Store script context, if any, in case we encounter redirect (because we need it there)
+  nsCOMPtr<nsIJSContextStack> stack =
+    do_GetService("@mozilla.org/js/xpc/ContextStack;1");
+  if (stack) {
+    JSContext *cx;
+    if (NS_SUCCEEDED(stack->Peek(&cx)) && cx) {
+      nsISupports *priv = (nsISupports *)::JS_GetContextPrivate(cx);
+      if (priv) {
+        priv->QueryInterface(NS_GET_IID(nsIScriptContext), getter_AddRefs(mScriptContext));        
+      }
+    }
+  }
+
+  // Find out if UniversalBrowserRead privileges are enabled - we will need this
+  // in case of a redirect
+  rv = secMan->IsCapabilityEnabled("UniversalBrowserRead", &mCrossSiteAccessEnabled);
+  if (NS_FAILED(rv)) return rv;
+
   // Create a channel
   rv = NS_OpenURI(getter_AddRefs(channel), uri, nsnull, nsnull, this);
   if (NS_FAILED(rv)) return rv;

mozilla/content/xml/document/src/nsXMLDocument.h

@@ -28,6 +28,7 @@
 #include "nsIHTMLContentContainer.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIHttpEventSink.h"
+#include "nsIScriptContext.h"
 
 class nsIParser;
 class nsIDOMNode;
@@ -114,6 +115,9 @@ protected:
   nsString mBaseTarget;
 
   nsIParser *mParser;
+
+  nsCOMPtr<nsIScriptContext> mScriptContext;
+  PRBool mCrossSiteAccessEnabled;
 };
 
 

mozilla/extensions/cookie/nsCookies.cpp

@@ -34,6 +34,7 @@
 #include "nsIPref.h"
 #include "nsTextFormatter.h"
 #include "nsAppDirectoryServiceDefs.h"
+#include "nsNetUtil.h"
 
 #define MAX_NUMBER_OF_COOKIES 300
 #define MAX_COOKIES_PER_SERVER 20
@@ -455,6 +456,20 @@ COOKIE_GetCookie(char * address) {
      isSecure = PR_TRUE;
   }
 
+  /* Hacky security check: If address is of a scheme that
+     doesn't support hostnames, we have no host to get a cookie for,
+     so we must not attempt to get cookies (bug 152725)
+  */
+  nsCOMPtr<nsIURI> uri;
+  nsresult secResult = NS_NewURI(getter_AddRefs(uri),
+                                 address, nsnull);
+  if (NS_FAILED(secResult))
+      return nsnull;
+  nsXPIDLCString tempHost;
+  secResult = uri->GetHost(getter_Copies(tempHost));
+  if (NS_FAILED(secResult))
+      return nsnull;
+
   /* search for all cookies */
   if (cookie_list == nsnull) {
     return NULL;
@@ -710,6 +725,20 @@ cookie_SetCookieString(char * curURL, nsIPrompt *aPrompter, const char * setCook
     return;
   }
 
+  /* Hacky security check: If address is of a scheme that
+     doesn't support hostnames, we have no host to set a cookie on,
+     so we must not attempt to set cookies (bug 152725)
+  */
+  nsCOMPtr<nsIURI> uri;
+  nsresult secResult = NS_NewURI(getter_AddRefs(uri),
+                                 curURL, nsnull);
+  if (NS_FAILED(secResult))
+      return;
+  nsXPIDLCString tempHost;
+  secResult = uri->GetHost(getter_Copies(tempHost));
+  if (NS_FAILED(secResult))
+      return;
+
 //printf("\nSetCookieString(URL '%s', header '%s') time %d == %s\n",curURL,setCookieHeader,timeToExpire,asctime(gmtime(&timeToExpire)));
   if(cookie_GetLifetimePref() == COOKIE_Discard) {
     if(cookie_GetLifetimeTime() < timeToExpire) {

mozilla/extensions/wallet/src/singsign.cpp

@@ -2041,6 +2041,24 @@ SINGSIGN_RememberSignonData
   nsXPIDLCString strippedRealm;
   nsCOMPtr<nsIIOService> ioService = do_GetService(NS_IOSERVICE_CONTRACTID);
   if (!ioService) return;
+
+
+  /* Hacky security check: If address is of a scheme that
+     doesn't support hostnames, we have no host to get the signon data from,
+     so we must not attempt to restore the signon data (bug 159484)
+  */
+  nsCOMPtr<nsIURI> uri;
+  nsresult result = ioService->NewURI(passwordRealm,
+                                      nsnull, getter_AddRefs(uri));
+  if (NS_FAILED(result)) {
+      return;
+  }
+  nsXPIDLCString tempHost;
+  result = uri->GetHost(getter_Copies(tempHost));
+  if (NS_FAILED(result)) {
+      return;
+  }
+
   ioService->ExtractUrlPart(passwordRealm, nsIIOService::url_Host, 0, 0, getter_Copies(strippedRealm));
   if (strippedRealm) {
     si_RememberSignonData(dialog, strippedRealm, signonData, window);
@@ -2156,6 +2174,24 @@ SINGSIGN_RestoreSignonData(nsIPrompt* dialog, const char* passwordRealm, const P
   nsXPIDLCString strippedRealm;
   nsCOMPtr<nsIIOService> ioService = do_GetService(NS_IOSERVICE_CONTRACTID);
   if (!ioService) return;
+
+
+  /* Hacky security check: If address is of a scheme that
+      doesn't support hostnames, we have no host to get the signon data from,
+      so we must not attempt to restore the signon data (bug 159484)
+  */
+  nsCOMPtr<nsIURI> uri;
+  nsresult result = ioService->NewURI(passwordRealm,
+                                      nsnull, getter_AddRefs(uri));
+  if (NS_FAILED(result)) {
+      return;
+  }
+  nsXPIDLCString tempHost;
+  result = uri->GetHost(getter_Copies(tempHost));
+  if (NS_FAILED(result)) {
+      return;
+  }
+
   ioService->ExtractUrlPart(passwordRealm, nsIIOService::url_Host, 0, 0, getter_Copies(strippedRealm));
   si_RestoreSignonData(dialog, strippedRealm, name, value, elementNumber);
 }

mozilla/extensions/xmlextras/base/src/Makefile.in

@@ -28,7 +28,7 @@ include $(DEPTH)/config/autoconf.mk
 
 MODULE		= xmlextras
 LIBRARY_NAME	= xmlextrasbase_s
-REQUIRES	= xpcom string dom js layout widget caps uconv necko docshell xpconnect webbrwsr
+REQUIRES	= xpcom string dom js layout widget caps uconv necko docshell xpconnect webbrwsr windowwatcher
 
 CPPSRCS	= 				\
 		nsDOMSerializer.cpp	\

mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp

@@ -60,6 +60,8 @@
 #include "nsIDOMElement.h"
 #include "nsIParser.h"
 #include "nsLoadListenerProxy.h"
+#include "nsIWindowWatcher.h"
+#include "nsIAuthPrompt.h"
 
 static const char* kLoadAsData = "loadAsData";
 #define LOADSTR NS_LITERAL_STRING("load")
@@ -117,6 +119,7 @@ nsXMLHttpRequest::nsXMLHttpRequest()
   NS_INIT_ISUPPORTS();
   ChangeState(XML_HTTP_REQUEST_UNINITIALIZED,PR_FALSE);
   mAsync = PR_TRUE;
+  mCrossSiteAccessEnabled = PR_FALSE;
 }
 
 nsXMLHttpRequest::~nsXMLHttpRequest()
@@ -141,6 +144,8 @@ NS_INTERFACE_MAP_BEGIN(nsXMLHttpRequest)
   NS_INTERFACE_MAP_ENTRY(nsIDOMEventTarget)
   NS_INTERFACE_MAP_ENTRY(nsIRequestObserver)
   NS_INTERFACE_MAP_ENTRY(nsIStreamListener)
+  NS_INTERFACE_MAP_ENTRY(nsIHttpEventSink)
+  NS_INTERFACE_MAP_ENTRY(nsIInterfaceRequestor)
   NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference)
   NS_INTERFACE_MAP_ENTRY_DOM_CLASSINFO(XMLHttpRequest)
 NS_INTERFACE_MAP_END
@@ -641,6 +646,12 @@ nsXMLHttpRequest::Open(const char *method, const char *url)
       return NS_OK;
     }
 
+    // Find out if UniversalBrowserRead privileges are enabled
+    // we will need this in case of a redirect
+    rv = secMan->IsCapabilityEnabled("UniversalBrowserRead",
+                                     &mCrossSiteAccessEnabled);
+    if (NS_FAILED(rv)) return rv;
+
     if (argc > 2) {
       JSBool asyncBool;
       JS_ValueToBoolean(cx, argv[2], &asyncBool);
@@ -1113,6 +1124,11 @@ nsXMLHttpRequest::Send(nsISupports *body)
   }
 #endif
 
+  if (!mScriptContext) {
+    // We need a context to check if redirect (if any) is allowed
+    GetCurrentContext(getter_AddRefs(mScriptContext));
+  }
+
   rv = document->StartDocumentLoad(kLoadAsData, mChannel, 
                                    nsnull, nsnull, 
                                    getter_AddRefs(listener),
@@ -1129,6 +1145,9 @@ nsXMLHttpRequest::Send(nsISupports *body)
   if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
 #endif
 
+  // Hook us up to listen to redirects and the like
+  mChannel->SetNotificationCallbacks(this);
+
   // Start reading from the channel
   ChangeState(XML_HTTP_REQUEST_SENT);
   mXMLParserStreamListener = listener;
@@ -1332,6 +1351,79 @@ nsXMLHttpRequest::ChangeState(nsXMLHttpRequestState aState, PRBool aBroadcast)
   return rv;
 }
 
+/////////////////////////////////////////////////////
+// nsIHttpEventSink methods:
+//
+NS_IMETHODIMP
+nsXMLHttpRequest::OnRedirect(nsIHttpChannel *aHttpChannel, nsIChannel *aNewChannel)
+{
+  NS_ENSURE_ARG_POINTER(aNewChannel);
+
+  if (mScriptContext && !mCrossSiteAccessEnabled) {
+    nsresult rv = NS_ERROR_FAILURE;
+
+    nsCOMPtr<nsIJSContextStack> stack(do_GetService("@mozilla.org/js/xpc/ContextStack;1", & rv));
+    if (NS_FAILED(rv))
+      return rv;
+
+    JSContext *cx = (JSContext *)mScriptContext->GetNativeContext();
+    if (!cx)
+      return NS_ERROR_UNEXPECTED;
+
+    nsCOMPtr<nsIScriptSecurityManager> secMan = 
+             do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+    if (NS_FAILED(rv))
+      return rv;
+
+    nsCOMPtr<nsIURI> newURI;
+    rv = aNewChannel->GetURI(getter_AddRefs(newURI)); // The redirected URI
+    if (NS_FAILED(rv)) 
+      return rv;
+
+    stack->Push(cx);
+
+    rv = secMan->CheckSameOrigin(cx, newURI);
+
+    stack->Pop(&cx);
+    
+    if (NS_FAILED(rv))
+      return rv;
+  }
+
+  mChannel = aNewChannel;
+
+  return NS_OK;
+}
+
+/////////////////////////////////////////////////////
+// nsIInterfaceRequestor methods:
+//
+NS_IMETHODIMP
+nsXMLHttpRequest::GetInterface(const nsIID & aIID, void **aResult)
+{
+  if (aIID.Equals(NS_GET_IID(nsIAuthPrompt))) {
+    NS_ENSURE_ARG_POINTER(aResult);
+    *aResult = nsnull;
+
+    nsresult rv;
+    nsCOMPtr<nsIWindowWatcher> ww(do_GetService("@mozilla.org/embedcomp/window-watcher;1", &rv));
+    if (NS_FAILED(rv))
+      return rv;
+
+    nsCOMPtr<nsIAuthPrompt> prompt;
+    rv = ww->GetNewAuthPrompter(nsnull, getter_AddRefs(prompt));
+    if (NS_FAILED(rv))
+      return rv;
+
+    nsIAuthPrompt *p = prompt.get();
+    NS_ADDREF(p);
+    *aResult = p;
+    return NS_OK;
+  }
+
+  return QueryInterface(aIID, aResult);
+}
+
 NS_IMPL_ISUPPORTS1(nsXMLHttpRequest::nsHeaderVisitor, nsIHttpHeaderVisitor)
 
 NS_IMETHODIMP nsXMLHttpRequest::

mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.h

@@ -43,6 +43,8 @@
 #include "nsISupportsArray.h"
 #include "jsapi.h"
 #include "nsIScriptContext.h"
+#include "nsIHttpEventSink.h"
+#include "nsIInterfaceRequestor.h"
 
 
 enum nsXMLHttpRequestState {
@@ -60,6 +62,8 @@ class nsXMLHttpRequest : public nsIXMLHttpRequest,
                          public nsIDOMLoadListener,
                          public nsIDOMEventTarget,
                          public nsIStreamListener,
+                         public nsIHttpEventSink, 
+                         public nsIInterfaceRequestor,
                          public nsSupportsWeakReference
 {
 public:
@@ -92,6 +96,12 @@ public:
   // nsIRequestObserver
   NS_DECL_NSIREQUESTOBSERVER
 
+  // nsIHttpEventSink
+  NS_DECL_NSIHTTPEVENTSINK
+ 
+  // nsIInterfaceRequestor
+  NS_DECL_NSIINTERFACEREQUESTOR
+
 protected:
   nsresult GetStreamForWString(const PRUnichar* aStr,
                                PRInt32 aLength,
@@ -145,6 +155,7 @@ protected:
 
   PRInt32 mStatus;
   PRBool mAsync;
+  PRBool mCrossSiteAccessEnabled;
 };
 
 #endif

mozilla/netwerk/base/src/nsSocketTransport.cpp

@@ -203,7 +203,7 @@ nsSocketTransport::~nsSocketTransport()
     }
     
     if (mService) {
-        PR_AtomicDecrement(&mService->mTotalTransports);
+        mService->OnTransportDestroyed();
         NS_RELEASE(mService);
     }
     
@@ -340,7 +340,7 @@ nsresult nsSocketTransport::Init(nsSocketTransportService* aService,
     
     // Update the active time for timeout purposes...
     mLastActiveTime = PR_IntervalNow();
-    PR_AtomicIncrement(&mService->mTotalTransports);
+    mService->OnTransportCreated();
     
     LOG(("nsSocketTransport: Initializing [%s:%d %x].  rv = %x",
         mHostName, mPort, this, rv));
@@ -422,8 +422,11 @@ nsresult nsSocketTransport::Process(PRInt16 aSelectFlags)
             //
             // A connection has been established with the server
             //
-            PR_AtomicIncrement(&mService->mConnectedTransports);
-            mWasConnected = PR_TRUE;
+            if (!mWasConnected) {
+                const char *host = (mProxyHost && !mProxyTransparent) ? mProxyHost : mHostName;
+                mService->OnTransportConnected(host, &mNetAddress);
+                mWasConnected = PR_TRUE;
+            }
 
             // Send status message
             OnStatus(NS_NET_STATUS_CONNECTED_TO);
@@ -626,46 +629,65 @@ nsresult nsSocketTransport::doResolveHost(void)
     //
     if (PR_IsNetAddrType(&mNetAddress, PR_IpAddrAny)) {
         //
-        // Initialize the port used for the connection...
+        // determine the desired host:port
         //
-        // XXX: The list of ports must be restricted - see net_bad_ports_table[] in 
-        //      mozilla/network/main/mkconect.c
-        //
-        mNetAddress.ipv6.port = PR_htons(((mProxyPort != -1 && !mProxyTransparent) ? mProxyPort : mPort));
+        const char *host = (mProxyHost && !mProxyTransparent) ? mProxyHost : mHostName;
+        PRInt32 port = (mProxyPort != -1 && !mProxyTransparent) ? mProxyPort : mPort;
 
-        nsCOMPtr<nsIDNSService> pDNSService(do_GetService(kDNSService, &rv));
-        if (NS_FAILED(rv)) return rv;
+        PRIPv6Addr addr;
+        if (mService->LookupHost(host, &addr)) {
+            // found address!
+            PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &mNetAddress);
+            memcpy(&mNetAddress.ipv6.ip, &addr, sizeof(addr));
+#ifdef PR_LOGGING
+            char buf[128];
+            PR_NetAddrToString(&mNetAddress, buf, sizeof(buf));
+            LOG((" -> using cached ip address [%s]\n", buf));
+#endif
+        }
+        else {
+            //
+            // Initialize the port used for the connection...
+            //
+            // XXX: The list of ports must be restricted - see net_bad_ports_table[] in 
+            //      mozilla/network/main/mkconect.c
+            //
+            mNetAddress.ipv6.port = PR_htons(port);
 
-        //
-        // Give up the SocketTransport lock.  This allows the DNS thread to call the
-        // nsIDNSListener notifications without blocking...
-        //
-        PR_ExitMonitor(mMonitor);
+            nsCOMPtr<nsIDNSService> pDNSService(do_GetService(kDNSService, &rv));
+            if (NS_FAILED(rv)) return rv;
 
-        rv = pDNSService->Lookup((mProxyHost && !mProxyTransparent) ? mProxyHost : mHostName, 
-                                 this, 
-                                 nsnull, 
-                                 getter_AddRefs(mDNSRequest));
-        //
-        // Aquire the SocketTransport lock again...
-        //
-        PR_EnterMonitor(mMonitor);
+            //
+            // Give up the SocketTransport lock.  This allows the DNS thread to call the
+            // nsIDNSListener notifications without blocking...
+            //
+            PR_ExitMonitor(mMonitor);
 
-        if (NS_SUCCEEDED(rv)) {
+            rv = pDNSService->Lookup(host,
+                                     this, 
+                                     nsnull, 
+                                     getter_AddRefs(mDNSRequest));
             //
-            // The DNS lookup has finished...  It has either failed or succeeded.
+            // Aquire the SocketTransport lock again...
             //
-            if (NS_FAILED(mStatus) || !PR_IsNetAddrType(&mNetAddress, PR_IpAddrAny)) {
-                mDNSRequest = 0;
-                rv = mStatus;
-            } 
-            //
-            // The DNS lookup is being processed...  Mark the transport as waiting
-            // until the result is available...
-            //
-            else {
-                SetFlag(eSocketDNS_Wait);
-                rv = NS_BASE_STREAM_WOULD_BLOCK;
+            PR_EnterMonitor(mMonitor);
+
+            if (NS_SUCCEEDED(rv)) {
+                //
+                // The DNS lookup has finished...  It has either failed or succeeded.
+                //
+                if (NS_FAILED(mStatus) || !PR_IsNetAddrType(&mNetAddress, PR_IpAddrAny)) {
+                    mDNSRequest = 0;
+                    rv = mStatus;
+                } 
+                //
+                // The DNS lookup is being processed...  Mark the transport as waiting
+                // until the result is available...
+                //
+                else {
+                    SetFlag(eSocketDNS_Wait);
+                    rv = NS_BASE_STREAM_WOULD_BLOCK;
+                }
             }
         }
     }
@@ -1129,7 +1151,7 @@ nsresult nsSocketTransport::CloseConnection()
 
     if (mWasConnected) {
         if (mService)
-            PR_AtomicDecrement(&mService->mConnectedTransports);
+            mService->OnTransportClosed();
         mWasConnected = PR_FALSE;
     }
     

mozilla/netwerk/base/src/nsSocketTransportService.cpp

@@ -31,6 +31,7 @@
 #include "nsString.h"
 #include "nsNetCID.h"
 #include "nsProtocolProxyService.h"
+#include "plstr.h"
 
 static NS_DEFINE_CID(kIOServiceCID, NS_IOSERVICE_CID);
 static NS_DEFINE_CID(kStringBundleServiceCID, NS_STRINGBUNDLESERVICE_CID);
@@ -165,6 +166,12 @@ nsSocketTransportService::Init(void)
     mThreadRunning = PR_TRUE;
     rv = NS_NewThread(&mThread, this, 0, PR_JOINABLE_THREAD);
   }
+
+  //
+  // Initialize hostname database
+  //
+  PL_DHashTableInit(&mHostDB, &ops, nsnull, sizeof(nsHostEntry), 0);
+
   return rv;
 }
 
@@ -677,6 +684,10 @@ nsSocketTransportService::Shutdown(void)
     
     for (i=0; i<mSelectFDSetCount; i++)
       NS_IF_RELEASE(mActiveTransportList[i]);
+ 
+    // clear the hostname database (NOTE: this runs when the browser
+    // enters the offline state).
+    PL_DHashTableFinish(&mHostDB);
 
   } else {
     rv = NS_ERROR_FAILURE;
@@ -763,3 +774,89 @@ nsSocketTransportService::GetNeckoStringByName (const char *aName, PRUnichar **a
 
 	return res;
 }
+
+//-----------------------------------------------------------------------------
+// hostname database impl
+//-----------------------------------------------------------------------------
+
+PLDHashTableOps nsSocketTransportService::ops =
+{
+    PL_DHashAllocTable,
+    PL_DHashFreeTable,
+    PL_DHashGetKeyStub,
+    PL_DHashStringKey,
+    nsSocketTransportService::MatchEntry,
+    PL_DHashMoveEntryStub,
+    nsSocketTransportService::ClearEntry,
+    PL_DHashFinalizeStub,
+    nsnull
+};
+
+PRBool PR_CALLBACK
+nsSocketTransportService::MatchEntry(PLDHashTable *table,
+                                     const PLDHashEntryHdr *entry,
+                                     const void *key)
+{
+    const nsSocketTransportService::nsHostEntry *he =
+        NS_REINTERPRET_CAST(const nsSocketTransportService::nsHostEntry *, entry);
+
+    return !strcmp(he->host(), (const char *) key);
+}
+
+void PR_CALLBACK
+nsSocketTransportService::ClearEntry(PLDHashTable *table,
+                                     PLDHashEntryHdr *entry)
+{
+    nsSocketTransportService::nsHostEntry *he =
+        NS_REINTERPRET_CAST(nsSocketTransportService::nsHostEntry *, entry);
+
+    PL_strfree((char *) he->key);
+    he->key = nsnull;
+    memset(&he->addr, 0, sizeof(he->addr));
+}
+
+PRBool
+nsSocketTransportService::LookupHost(const char *host, PRIPv6Addr *addr)
+{
+    NS_ASSERTION(host, "null host");
+    NS_ASSERTION(addr, "null addr");
+
+    PLDHashEntryHdr *hdr;
+
+    hdr = PL_DHashTableOperate(&mHostDB, host, PL_DHASH_LOOKUP);
+    if (PL_DHASH_ENTRY_IS_BUSY(hdr)) {
+        // found match
+        nsHostEntry *ent = NS_REINTERPRET_CAST(nsHostEntry *, hdr);
+        memcpy(addr, &ent->addr, sizeof(ent->addr));
+        return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+void
+nsSocketTransportService::OnTransportConnected(const char *host, PRNetAddr *addr)
+{
+    // remember hostname
+
+    PLDHashEntryHdr *hdr;
+
+    hdr = PL_DHashTableOperate(&mHostDB, host, PL_DHASH_ADD);
+    if (!hdr)
+        return;
+
+    NS_ASSERTION(PL_DHASH_ENTRY_IS_BUSY(hdr), "entry not busy");
+
+    nsHostEntry *ent = NS_REINTERPRET_CAST(nsHostEntry *, hdr);
+    if (ent->key == nsnull) {
+        ent->key = (const void *) PL_strdup(host);
+        memcpy(&ent->addr, &addr->ipv6.ip, sizeof(ent->addr));
+    }
+#ifdef DEBUG
+    else {
+        // verify that the existing entry is in fact a perfect match
+        NS_ASSERTION(PL_strcmp(ent->host(), host) == 0, "bad match");
+        NS_ASSERTION(memcmp(&ent->addr, &addr->ipv6.ip, sizeof(ent->addr)) == 0, "bad match");
+    }
+#endif
+}

mozilla/netwerk/base/src/nsSocketTransportService.h

@@ -30,6 +30,8 @@
 #include "nsIInputStream.h"
 #include "nsCOMPtr.h"
 #include "nsIStringBundle.h"
+#include "pldhash.h"
+#include "prio.h"
 
 #if defined(XP_PC) || defined(XP_UNIX) || defined(XP_BEOS) || defined(XP_MAC)
 //
@@ -76,24 +78,54 @@ public:
     
     nsresult AddToSelectList(nsSocketTransport* aTransport);
     nsresult RemoveFromSelectList(nsSocketTransport* aTransport);
-    
-    PRInt32   mConnectedTransports;
-    PRInt32   mTotalTransports;
-    
+   
+    //
+    // LookupHost checks to see if we've previously resolved the hostname
+    // during this session.  We remember all successful connections to prevent
+    // ip-address spoofing.  See bug 149943.
+    //
+    // Returns TRUE if found, and sets |result| to the cached value.
+    //
+    PRBool LookupHost(const char *host, PRIPv6Addr *result);
+
+    void OnTransportCreated()   { PR_AtomicIncrement(&mTotalTransports); }
+    void OnTransportConnected(const char *aHost, PRNetAddr *aAddr);
+    void OnTransportClosed()    { PR_AtomicDecrement(&mConnectedTransports); }
+    void OnTransportDestroyed() { PR_AtomicDecrement(&mTotalTransports); } 
+   
     nsresult  GetNeckoStringByName (const char *aName, PRUnichar **aString);
 
 protected:
-    nsIThread*            mThread;
-    PRFileDesc*           mThreadEvent;
-    PRLock*               mThreadLock;
-    PRBool                mThreadRunning;
+    //
+    // mHostDB maps hostname -> nsHostEntry
+    //
+    struct nsHostEntry : PLDHashEntryStub
+    {
+        PRIPv6Addr  addr;
+        const char *host() const { return (const char *) key; }
+    };
+
+    static PLDHashTableOps ops;
+
+    static PRBool PR_CALLBACK MatchEntry(PLDHashTable *, const PLDHashEntryHdr *, const void *);
+    static void   PR_CALLBACK ClearEntry(PLDHashTable *, PLDHashEntryHdr *);
+
+    nsIThread                     *mThread;
+    PRFileDesc                    *mThreadEvent;
+    PRLock                        *mThreadLock;
+    PRBool                         mThreadRunning;
     
-    PRCList               mWorkQ;
+    PRCList                        mWorkQ;
+
+    PRInt32                        mConnectedTransports;
+    PRInt32                        mTotalTransports;
     
-    PRInt32               mSelectFDSetCount;
-    PRPollDesc*           mSelectFDSet;
-    nsSocketTransport**   mActiveTransportList;
-	nsCOMPtr<nsIStringBundle>   m_stringBundle;
+    PRInt32                        mSelectFDSetCount;
+    PRPollDesc                    *mSelectFDSet;
+    nsSocketTransport            **mActiveTransportList;
+    nsCOMPtr<nsIStringBundle>      m_stringBundle;
+
+    PLDHashTable                   mHostDB;
 };
 
 

mozilla/netwerk/protocol/http/src/Makefile.in

@@ -28,7 +28,7 @@ include $(DEPTH)/config/autoconf.mk
 
 MODULE		= necko
 LIBRARY_NAME = nkhttp_s
-REQUIRES	= xpcom string pref nkcache mimetype intl
+REQUIRES	= xpcom string pref nkcache mimetype intl xpconnect js
 
 CPPSRCS		= \
 		nsHttp.cpp \

mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp

@@ -33,6 +33,7 @@
 #include "nsIStringBundle.h"
 #include "nsISupportsPrimitives.h"
 #include "nsIFileStream.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
 #include "nsString2.h"
@@ -1063,6 +1064,15 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
         rv = ioService->NewURI(location, mURI, getter_AddRefs(newURI));
         if (NS_FAILED(rv)) return rv;
 
+        // verify that this is a legal redirect
+        nsCOMPtr<nsIScriptSecurityManager> securityManager = 
+                 do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+        if (securityManager) {
+            rv = securityManager->CheckLoadURI(mURI, newURI,
+                                               nsIScriptSecurityManager::DISALLOW_FROM_MAIL);
+            if (NS_FAILED(rv)) return rv;
+        }
+
         // move the reference of the old location to the new one if the new
         // one has none.
         nsCOMPtr<nsIURL> newURL = do_QueryInterface(newURI, &rv);

mozilla/uriloader/base/nsDocLoader.cpp

@@ -1253,6 +1253,7 @@ NS_IMETHODIMP nsDocLoaderImpl::OnRedirect(nsIHttpChannel *aOldChannel, nsIChanne
     rv = aNewChannel->GetURI(getter_AddRefs(newURI));
     if (NS_FAILED(rv)) return rv;
 
+#ifdef HTTP_DOESNT_CALL_CHECKLOADURI
     // verify that this is a legal redirect
     nsCOMPtr<nsIScriptSecurityManager> securityManager = 
              do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
@@ -1260,6 +1261,7 @@ NS_IMETHODIMP nsDocLoaderImpl::OnRedirect(nsIHttpChannel *aOldChannel, nsIChanne
     rv = securityManager->CheckLoadURI(oldURI, newURI,
                                        nsIScriptSecurityManager::DISALLOW_FROM_MAIL);
     if (NS_FAILED(rv)) return rv;
+#endif
 
     nsLoadFlags loadFlags = 0;
     PRInt32 stateFlags = nsIWebProgressListener::STATE_REDIRECTING |