#633: M1683627 M786797 and disable CSP reporting due to M1542194 and others

dom/base/nsContentUtils.cpp

@@ -8807,10 +8807,6 @@ ShouldEscape(nsIContent* aParent)
     nsGkAtoms::style, nsGkAtoms::script, nsGkAtoms::xmp,
     nsGkAtoms::iframe, nsGkAtoms::noembed, nsGkAtoms::noframes,
     nsGkAtoms::plaintext,
-    // Per the current spec noscript should be escaped in case
-    // scripts are disabled or if document doesn't have
-    // browsing context. However the latter seems to be a spec bug
-    // and Gecko hasn't traditionally done the former.
     nsGkAtoms::noscript
   };
   static mozilla::BloomFilter<12, nsIAtom> sFilter;
@@ -8826,6 +8822,10 @@ ShouldEscape(nsIContent* aParent)
   if (sFilter.mightContain(tag)) {
     for (uint32_t i = 0; i < ArrayLength(nonEscapingElements); ++i) {
       if (tag == nonEscapingElements[i]) {
+        if (MOZ_UNLIKELY(tag == nsGkAtoms::noscript) &&
+            MOZ_UNLIKELY(!aParent->OwnerDoc()->IsScriptEnabled())) {
+          return true;
+        }
         return false;
       }
     }

dom/security/nsCSPContext.cpp

@@ -740,6 +740,11 @@ nsCSPContext::SendReports(nsISupports* aBlockedContentSource,
                           nsAString& aScriptSample,
                           uint32_t aLineNum)
 {
+  /* Due to unclear vulnerabilities in bug 1542194 and others, just don't.
+     We probably don't do it right anymore anyway. -- Cameron */
+  if (!Preferences::GetBool("security.csp.sendreports", false))
+    return NS_OK;
+
   NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
 
 #ifdef MOZ_B2G

modules/libpref/init/all.js

@@ -1978,6 +1978,8 @@ pref("security.notification_enable_delay", 500);
 pref("security.csp.enable", true);
 pref("security.csp.debug", false);
 pref("security.csp.experimentalEnabled", false);
+// see bug 1542194, etc.
+pref("security.csp.sendreports", false);
 
 // Default Content Security Policy to apply to privileged apps.
 pref("security.apps.privileged.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");

parser/html/nsHtml5MetaScanner.cpp

@@ -740,7 +740,8 @@ void
 nsHtml5MetaScanner::addToBuffer(int32_t c)
 {
   if (strBufLen == strBuf.length) {
-    jArray<char16_t,int32_t> newBuf = jArray<char16_t,int32_t>::newJArray(strBuf.length + (strBuf.length << 1));
+    jArray<char16_t,int32_t> newBuf = jArray<char16_t,int32_t>::newJArray(
+        nsHtml5Portability::checkedAdd(strBuf.length, (strBuf.length << 1)));
     nsHtml5ArrayCopy::arraycopy(strBuf, newBuf, strBuf.length);
     strBuf = newBuf;
   }

parser/html/nsHtml5Portability.cpp

@@ -7,6 +7,16 @@
 #include "jArray.h"
 #include "nsHtml5Portability.h"
 #include "nsHtml5TreeBuilder.h"
+#include "mozilla/CheckedInt.h"
+
+int32_t
+nsHtml5Portability::checkedAdd(int32_t a, int32_t b) {
+  mozilla::CheckedInt<int32_t> sum(a);
+  sum += b;
+  MOZ_RELEASE_ASSERT(sum.isValid(),
+                     "HTML input too large for signed 32-bit integer.");
+  return sum.value();
+}
 
 nsIAtom*
 nsHtml5Portability::newLocalNameFromBuffer(char16_t* buf, int32_t offset, int32_t length, nsHtml5AtomTable* interner)

parser/html/nsHtml5Portability.h

@@ -58,6 +58,7 @@ class nsHtml5StateSnapshot;
 class nsHtml5Portability
 {
   public:
+    static int32_t checkedAdd(int32_t a, int32_t b);
     static nsIAtom* newLocalNameFromBuffer(char16_t* buf, int32_t offset, int32_t length, nsHtml5AtomTable* interner);
     static nsHtml5String newStringFromBuffer(char16_t* buf,
                                              int32_t offset,

parser/html/nsHtml5Tokenizer.cpp

@@ -240,7 +240,7 @@ nsHtml5Tokenizer::emitStrBuf()
 void 
 nsHtml5Tokenizer::appendStrBuf(char16_t* buffer, int32_t offset, int32_t length)
 {
-  int32_t newLen = strBufLen + length;
+  int32_t newLen = nsHtml5Portability::checkedAdd(strBufLen, length);
   MOZ_ASSERT(newLen <= strBuf.length, "Previous buffer length insufficient.");
   if (MOZ_UNLIKELY(strBuf.length < newLen)) {
     if (MOZ_UNLIKELY(!EnsureBufferSpace(length))) {