From c486969a1071084d9bf57930c7eeb03fbd3f337b Mon Sep 17 00:00:00 2001
From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 15 Sep 2010 15:53:01 -0700
Subject: [PATCH] Bug 591198: Display element using normal layout rules if XBL
 binding fails for security reasons. r=jst a=blocker

---
 content/base/public/nsContentErrors.h      |  4 +++
 content/xbl/src/nsXBLService.cpp           |  7 +++--
 content/xbl/test/Makefile.in               |  3 ++
 content/xbl/test/file_bug591198_inner.html | 38 ++++++++++++++++++++++++
 content/xbl/test/file_bug591198_xbl.xml    |  5 ++++
 content/xbl/test/test_bug591198.html       | 47 ++++++++++++++++++++++++++++++
 layout/base/nsCSSFrameConstructor.cpp      |  4 +--
 7 files changed, 103 insertions(+), 5 deletions(-)
 create mode 100644 content/xbl/test/file_bug591198_inner.html
 create mode 100644 content/xbl/test/file_bug591198_xbl.xml
 create mode 100644 content/xbl/test/test_bug591198.html

diff --git a/content/base/public/nsContentErrors.h b/content/base/public/nsContentErrors.h
index 0351f46703..4a16574a9f 100644
--- a/content/base/public/nsContentErrors.h
+++ b/content/base/public/nsContentErrors.h
@@ -91,4 +91,8 @@
 #define NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION \
   NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, 99)
 
+/* Error codes for XBL */
+#define NS_ERROR_XBL_BLOCKED \
+  NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_CONTENT, 15)
+
 #endif // nsContentErrors_h___
diff --git a/content/xbl/src/nsXBLService.cpp b/content/xbl/src/nsXBLService.cpp
index fa7d4d0ad2..84fdd25e3e 100644
--- a/content/xbl/src/nsXBLService.cpp
+++ b/content/xbl/src/nsXBLService.cpp
@@ -76,6 +76,7 @@
 #include "nsIDOM3Node.h"
 #include "nsContentPolicyUtils.h"
 #include "nsTArray.h"
+#include "nsContentErrors.h"
 
 #include "nsIPresShell.h"
 #include "nsIDocumentObserver.h"
@@ -1107,7 +1108,7 @@ nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement,
                               gAllowDataURIs,
                               nsIContentPolicy::TYPE_XBL,
                               aBoundDocument);
-    NS_ENSURE_SUCCESS(rv, rv);
+    NS_ENSURE_SUCCESS(rv, NS_ERROR_XBL_BLOCKED);
 
     if (!IsSystemOrChromeURLPrincipal(aOriginPrincipal)) {
       // Also make sure that we're same-origin with the bound document
@@ -1116,12 +1117,12 @@ nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement,
           !SchemeIs(aBindingURI, "chrome")) {
         rv = aBoundDocument->NodePrincipal()->CheckMayLoad(aBindingURI,
                                                            PR_TRUE);
-        NS_ENSURE_SUCCESS(rv, rv);
+        NS_ENSURE_SUCCESS(rv, NS_ERROR_XBL_BLOCKED);
       }
 
       // Finally check if this document is allowed to use XBL at all.
       NS_ENSURE_TRUE(aBoundDocument->AllowXULXBL(),
-                     NS_ERROR_NOT_AVAILABLE);
+                     NS_ERROR_XBL_BLOCKED);
     }
   }
 
diff --git a/content/xbl/test/Makefile.in b/content/xbl/test/Makefile.in
index b770b67eb2..b791a2e7a6 100644
--- a/content/xbl/test/Makefile.in
+++ b/content/xbl/test/Makefile.in
@@ -72,6 +72,9 @@ _TEST_FILES =	\
 		file_bug481558.xbl \
 		test_bug526178.xhtml \
 		test_bug542406.xhtml \
+		test_bug591198.html \
+		file_bug591198_xbl.xml \
+		file_bug591198_inner.html \
 		$(NULL)
 
 libs:: $(_TEST_FILES)
diff --git a/content/xbl/test/file_bug591198_inner.html b/content/xbl/test/file_bug591198_inner.html
new file mode 100644
index 0000000000..12fc9f5834
--- /dev/null
+++ b/content/xbl/test/file_bug591198_inner.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <style>
+      #b {
+        -moz-binding: url("file_bug591198_xbl.xml#xbltest");
+      }
+      span {
+        white-space: nowrap;
+      }
+    </style>
+    <script>
+function sendResults() {
+  var res = {
+    widths: []
+  };
+
+  ps = document.getElementsByTagName('span');
+  for (var i = 0; i < ps.length; i++) {
+    res.widths.push(ps[i].offsetWidth);
+  }
+  
+  try {
+    res.anonChildCount =
+      document.getAnonymousNodes(document.getElementById('b')).length;
+  }
+  catch (ex) {}
+
+  parent.postMessage(JSON.stringify(res), "*");
+}
+    </script>
+  </head>
+  <body onload="sendResults();">
+    <div><span id=b>long long text here</span></div>
+    <div><span>long long text here</span></div>
+    <div><span>PASS</span></div>
+  </body>
+</html>
diff --git a/content/xbl/test/file_bug591198_xbl.xml b/content/xbl/test/file_bug591198_xbl.xml
new file mode 100644
index 0000000000..f69959b47c
--- /dev/null
+++ b/content/xbl/test/file_bug591198_xbl.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<bindings id="xbltestBindings" xmlns="http://www.mozilla.org/xbl"
+          xmlns:html="http://www.w3.org/1999/xhtml">
+  <binding id="xbltest"><content>PASS<html:b style="display:none"><children/></html:b></content></binding>
+</bindings>
diff --git a/content/xbl/test/test_bug591198.html b/content/xbl/test/test_bug591198.html
new file mode 100644
index 0000000000..f107746045
--- /dev/null
+++ b/content/xbl/test/test_bug591198.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=591198
+-->
+<head>
+  <title>Test for Bug 591198</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
+</head>
+<body onload="gen.next();">
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=591198">Mozilla Bug 591198</a>
+<iframe id=iframe></iframe>
+<pre id="test">
+<script class="testbody" type="text/javascript;version=1.8">
+
+SimpleTest.waitForExplicitFinish();
+
+gen = runTest();
+
+function runTest() {
+  let iframe = $('iframe');
+  window.addEventListener("message", function(e) {
+    gen.send(JSON.parse(e.data));
+  }, false);
+  
+  iframe.src = "file_bug591198_inner.html";
+  let res = (yield);
+  is(res.widths[0], res.widths[2], "binding was rendered");
+  isnot(res.widths[0], res.widths[1], "binding was rendered");
+  is(res.anonChildCount, 2, "correct number of anon children");
+
+  iframe.src = "http://noxul.example.com/tests/content/xbl/test/file_bug591198_inner.html";
+  let res = (yield);
+  is(res.widths[0], res.widths[1], "binding was not rendered");
+  isnot(res.widths[0], res.widths[2], "binding was not rendered");
+  is("anonChildCount" in res, false, "no anon children");
+
+  SimpleTest.finish();
+  yield;
+}
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp
index 06c2033aaf..d7fd0bb6e0 100644
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -2341,7 +2341,7 @@ nsCSSFrameConstructor::ConstructDocElementFrame(Element*                 aDocEle
                                   display->mBinding->mOriginPrincipal,
                                   PR_FALSE, getter_AddRefs(binding),
                                   &resolveStyle);
-    if (NS_FAILED(rv))
+    if (NS_FAILED(rv) && rv != NS_ERROR_XBL_BLOCKED)
       return NS_OK; // Binding will load asynchronously.
 
     if (binding) {
@@ -5095,7 +5095,7 @@ nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState
                                            PR_FALSE,
                                            getter_AddRefs(newPendingBinding->mBinding),
                                            &resolveStyle);
-    if (NS_FAILED(rv))
+    if (NS_FAILED(rv) && rv != NS_ERROR_XBL_BLOCKED)
       return;
 
     if (newPendingBinding->mBinding) {
-- 
2.11.4.GIT