From 0c828a96e687e4f0d180cfcb6b6df5f8dd69694e Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Tue, 16 Jun 2020 19:38:16 -0700
Subject: [PATCH] #611: M1277475
---
 dom/base/nsDocument.cpp | 8 +++++++-
 dom/base/nsIDocument.h | 2 ++
 dom/base/nsScriptLoader.cpp | 4 ++--
 dom/events/EventListenerManager.cpp | 2 +-
 dom/jsurl/nsJSProtocolHandler.cpp | 2 +-
 dom/webidl/Document.webidl | 6 ++++++
 layout/style/xbl-marquee/xbl-marquee.xml | 7 +++++++
 7 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index b204f7462..abf40548c 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -8293,7 +8293,7 @@ nsDocument::IsScriptEnabled()
 {
 // If this document is sandboxed without 'allow-scripts'
 // script is not enabled
- if (mSandboxFlags & SANDBOXED_SCRIPTS) {
+ if (HasScriptsBlockedBySandbox()) {
 return false;
 }
@@ -13044,6 +13044,12 @@ nsIDocument::InlineScriptAllowedByCSP()
 return allowsInlineScript;
 }
+bool
+nsIDocument::HasScriptsBlockedBySandbox()
+{
+ return mSandboxFlags & SANDBOXED_SCRIPTS;
+}
+
 static bool
 MightBeAboutOrChromeScheme(nsIURI* aURI)
 {
diff --git a/dom/base/nsIDocument.h b/dom/base/nsIDocument.h
index 73ee21dd6..ce2c80006 100644
--- a/dom/base/nsIDocument.h
+++ b/dom/base/nsIDocument.h
@@ -2678,6 +2678,8 @@ public:
 return mUserHasInteracted;
 }
+ bool HasScriptsBlockedBySandbox();
+
 bool InlineScriptAllowedByCSP();
 void SetLinkHandlingEnabled(bool aValue) { mLinksEnabled = aValue; }
diff --git a/dom/base/nsScriptLoader.cpp b/dom/base/nsScriptLoader.cpp
index dc3d6f50d..997122f38 100644
--- a/dom/base/nsScriptLoader.cpp
+++ b/dom/base/nsScriptLoader.cpp
@@ -272,7 +272,7 @@ nsScriptLoader::StartLoad(nsScriptLoadRequest *aRequest, const nsAString &aType,
 bool aScriptFromHead)
 {
 // If this document is sandboxed without 'allow-scripts', abort.
- if (mDocument->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
+ if (mDocument->HasScriptsBlockedBySandbox()) {
 return NS_OK;
 }
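Review bot: `nsIDocument::HasScriptsBlockedBySandbox()` in nsDocument.cpp and its declaration in nsIDocument.h carry no comment and are not `const`, although the body only reads `mSandboxFlags`. Every sandbox script check touched by this patch now goes through this one predicate, so the declaration should state the contract, for example `// Returns true if this document is sandboxed without 'allow-scripts'.`, and could be `bool HasScriptsBlockedBySandbox() const;` if the generated binding accepts a const getter. The body `return mSandboxFlags & SANDBOXED_SCRIPTS;` relies on an implicit integer-to-bool conversion; `return (mSandboxFlags & SANDBOXED_SCRIPTS) != 0;` states the intent. Call sites outside this patch that still test `GetSandboxFlags() & SANDBOXED_SCRIPTS` directly, if any exist, should be moved to the helper so the policy has one definition.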
@@ -704,7 +704,7 @@ nsScriptLoader::ProcessScriptElement(nsIScriptElement *aElement)
 // inline script
 // Is this document sandboxed without 'allow-scripts'?
- if (mDocument->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
+ if (mDocument->HasScriptsBlockedBySandbox()) {
 return false;
 }
diff --git a/dom/events/EventListenerManager.cpp b/dom/events/EventListenerManager.cpp
index a818f677d..0dd85094d 100644
--- a/dom/events/EventListenerManager.cpp
+++ b/dom/events/EventListenerManager.cpp
@@ -735,7 +735,7 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
 if (doc) {
 // Don't allow adding an event listener if the document is sandboxed
 // without 'allow-scripts'.
- if (doc->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
+ if (doc->HasScriptsBlockedBySandbox()) {
 return NS_ERROR_DOM_SECURITY_ERR;
 }
diff --git a/dom/jsurl/nsJSProtocolHandler.cpp b/dom/jsurl/nsJSProtocolHandler.cpp
index 795a07093..b1b295e2b 100644
--- a/dom/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/jsurl/nsJSProtocolHandler.cpp
@@ -201,7 +201,7 @@ nsresult nsJSThunk::EvaluateScript(nsIChannel *aChannel,
 // Sandboxed document check: javascript: URI's are disabled
 // in a sandboxed document unless 'allow-scripts' was specified.
 nsIDocument* doc = aOriginalInnerWindow->GetExtantDoc();
- if (doc && (doc->GetSandboxFlags() & SANDBOXED_SCRIPTS)) {
+ if (doc && doc->HasScriptsBlockedBySandbox()) {
 return NS_ERROR_DOM_RETVAL_UNDEFINED;
 }
diff --git a/dom/webidl/Document.webidl b/dom/webidl/Document.webidl
index 5a6468241..5302f8ce9 100644
--- a/dom/webidl/Document.webidl
+++ b/dom/webidl/Document.webidl
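Review bot: In `nsJSThunk::EvaluateScript` the new condition `doc && doc->HasScriptsBlockedBySandbox()` still skips the sandbox check when `GetExtantDoc()` returns null, and in `EventListenerManager::SetEventHandler` the check sits inside `if (doc) {` with the same effect. Both functions continue outside their hunks, so whether a null document can still reach script evaluation cannot be confirmed from here. If later code does not already reject that case, a security gate like this should fail closed; at minimum a comment such as `// A null doc skips the sandbox check; script must not run without a document.` would record the assumption next to the check.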
@@ -403,6 +403,12 @@ partial interface Document {
 [ChromeOnly] readonly attribute boolean userHasInteracted;
 };
+// Extension to give chrome and XBL JS the ability to determine whether
+// the document is sandboxed without permission to run scripts.
+partial interface Document {
+ [Func="IsChromeOrXBL"] readonly attribute boolean hasScriptsBlockedBySandbox;
+};
+
 // Extension to give chrome and XBL JS the ability to determine whether
 // inline scripts are blocked by the document's CSP.
 partial interface Document {
diff --git a/layout/style/xbl-marquee/xbl-marquee.xml b/layout/style/xbl-marquee/xbl-marquee.xml
index 6b46c8f77..7f26d85f0 100644
--- a/layout/style/xbl-marquee/xbl-marquee.xml
+++ b/layout/style/xbl-marquee/xbl-marquee.xml
@@ -240,6 +240,13 @@
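Review bot: The comment on the new `hasScriptsBlockedBySandbox` attribute in Document.webidl does not say why it is gated with `[Func="IsChromeOrXBL"]` instead of `[ChromeOnly]`, which the neighbouring `userHasInteracted` attribute uses. The wider exposure is presumably needed by the marquee binding that this commit also changes, but that hunk lies outside the visible part of the patch. A line such as `// Exposed to XBL scopes for layout/style/xbl-marquee/xbl-marquee.xml; must stay hidden from content script.` would record the reason and the constraint for whoever edits the gate later. Naming the backing getter, `nsIDocument::HasScriptsBlockedBySandbox()`, in the same comment would tie the attribute to the predicate used by the C++ checks.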