Backing out last change that was intended for a branch, not the trunk.

xpinstall/src/nsJSInstallTriggerGlobal.cpp

@@ -143,39 +143,6 @@ static JSBool CreateNativeObject(JSContext *cx, JSObject *obj, nsIDOMInstallTrig
     return JS_TRUE;
 }
 
-//
-// Helper function for URI verification
-//
-static nsresult
-InstallTriggerCheckLoadURIFromScript(const nsAString& uriStr)
-{
-    nsresult rv;
-    nsCOMPtr<nsIScriptSecurityManager> secman(
-        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID,&rv));
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // get the script base URI
-    nsCOMPtr<nsIURI> scriptURI;
-    nsCOMPtr<nsIPrincipal> principal;
-    rv = secman->GetSubjectPrincipal(getter_AddRefs(principal));
-    NS_ENSURE_SUCCESS(rv, rv);
-    if (!principal)
-        return NS_ERROR_FAILURE;
-
-    rv = principal->GetURI(getter_AddRefs(scriptURI));
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // convert the requested URL string to a URI
-    nsCOMPtr<nsIURI> uri;
-    rv = NS_NewURI(getter_AddRefs(uri), uriStr);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // are we allowed to load this one?
-    rv = secman->CheckLoadURI(scriptURI, uri,
-                    nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
-    return rv;
-}
-
 //
 // Native method UpdateEnabled
 //
@@ -248,7 +215,11 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
     }
   }
 
+  // if we can't create a security manager we might be in the wizard, allow
   PRBool abortLoad = PR_FALSE;
+  nsCOMPtr<nsIScriptSecurityManager> secman(
+      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
+
 
   // parse associative array of installs
   if ( argc >= 1 && JSVAL_IS_OBJECT(argv[0]) )
@@ -296,6 +267,19 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
                 xpiURL = NS_ConvertUTF8toUTF16(resolvedURL);
             }
 
+            // Make sure we're allowed to load this URL
+            if (secman)
+            {
+                nsCOMPtr<nsIURI> uri;
+                nsresult rv = NS_NewURI(getter_AddRefs(uri), xpiURL);
+                if (NS_SUCCEEDED(rv))
+                {
+                    rv = secman->CheckLoadURIFromScript(cx, uri);
+                    if (NS_FAILED(rv))
+                        abortLoad = PR_TRUE;
+                }
+            }
+
             nsAutoString icon(iconURL);
             if (iconURL && baseURL)
             {
@@ -304,28 +288,13 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
                 icon = NS_ConvertUTF8toUTF16(resolvedIcon);
             }
 
-            // Make sure we're allowed to load this URL and the icon URL
-            nsresult rv = InstallTriggerCheckLoadURIFromScript(xpiURL);
-            if (NS_FAILED(rv))
+            nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() );
+            if ( item )
+            {
+                trigger->Add( item );
+            }
+            else
                 abortLoad = PR_TRUE;
-
-            if (!abortLoad && iconURL)
-            {
-                rv = InstallTriggerCheckLoadURIFromScript(icon);
-                if (NS_FAILED(rv))
-                    abortLoad = PR_TRUE;
-            }
-
-            if (!abortLoad)
-            {
-                nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() );
-                if ( item )
-                {
-                    trigger->Add( item );
-                }
-                else
-                    abortLoad = PR_TRUE;
-            }
         }
         else
             abortLoad = PR_TRUE;
@@ -424,9 +393,20 @@ InstallTriggerGlobalInstallChrome(JSContext *cx, JSObject *obj, uintN argc, jsva
     }
 
     // Make sure caller is allowed to load this url.
-    nsresult rv = InstallTriggerCheckLoadURIFromScript(sourceURL);
-    if (NS_FAILED(rv))
-        return JS_FALSE;
+    // if we can't create a security manager we might be in the wizard, allow
+    nsCOMPtr<nsIScriptSecurityManager> secman(
+        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
+    if (secman)
+    {
+        nsCOMPtr<nsIURI> uri;
+        nsresult rv = NS_NewURI(getter_AddRefs(uri), sourceURL);
+        if (NS_SUCCEEDED(rv))
+        {
+            rv = secman->CheckLoadURIFromScript(cx, uri);
+            if (NS_FAILED(rv))
+                return JS_FALSE;
+        }
+    }
 
     if ( chromeType & CHROME_ALL )
     {
@@ -501,9 +481,20 @@ InstallTriggerGlobalStartSoftwareUpdate(JSContext *cx, JSObject *obj, uintN argc
     }
 
     // Make sure caller is allowed to load this url.
-    nsresult rv = InstallTriggerCheckLoadURIFromScript(xpiURL);
-    if (NS_FAILED(rv))
-        return JS_FALSE;
+    // if we can't create a security manager we might be in the wizard, allow
+    nsCOMPtr<nsIScriptSecurityManager> secman(
+        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
+    if (secman)
+    {
+        nsCOMPtr<nsIURI> uri;
+        nsresult rv = NS_NewURI(getter_AddRefs(uri), xpiURL);
+        if (NS_SUCCEEDED(rv))
+        {
+            rv = secman->CheckLoadURIFromScript(cx, uri);
+            if (NS_FAILED(rv))
+                return JS_FALSE;
+        }
+    }
 
     if (argc >= 2 && !JS_ValueToInt32(cx, argv[1], (int32 *)&flags))
     {