Bug 1673237 - Always allow SVGs on about: pages r=acat,tjr,emilio

- Updated layout/svg/tests/test_disabled.html to ensure that this doesn't allow
  rendering SVGs on about:blank and about:srcdoc.

Differential Revision: https://phabricator.services.mozilla.com/D95139

dom/base/nsNodeInfoManager.cpp

@@ -352,9 +352,12 @@ void nsNodeInfoManager::RemoveNodeInfo(NodeInfo* aNodeInfo) {
   MOZ_ASSERT(ret, "Can't find mozilla::dom::NodeInfo to remove!!!");
 }
 
-static bool IsSystemOrAddonPrincipal(nsIPrincipal* aPrincipal) {
+static bool IsSystemOrAddonOrAboutPrincipal(nsIPrincipal* aPrincipal) {
   return aPrincipal->IsSystemPrincipal() ||
-         BasePrincipal::Cast(aPrincipal)->AddonPolicy();
+         BasePrincipal::Cast(aPrincipal)->AddonPolicy() ||
+         // NOTE: about:blank and about:srcdoc inherit the principal of their
+         // parent, so aPrincipal->SchemeIs("about") returns false for them.
+         aPrincipal->SchemeIs("about");
 }
 
 bool nsNodeInfoManager::InternalSVGEnabled() {
@@ -375,17 +378,18 @@ bool nsNodeInfoManager::InternalSVGEnabled() {
   }
 
   // We allow SVG (regardless of the pref) if this is a system or add-on
-  // principal, or if this load was requested for a system or add-on principal
-  // (e.g. a remote image being served as part of system or add-on UI)
+  // principal or about: page, or if this load was requested for a system or
+  // add-on principal or about: page (e.g. a remote image being served as part
+  // of system or add-on UI or about: page)
   bool conclusion =
-      (SVGEnabled || IsSystemOrAddonPrincipal(mPrincipal) ||
+      (SVGEnabled || IsSystemOrAddonOrAboutPrincipal(mPrincipal) ||
        (loadInfo &&
         (loadInfo->GetExternalContentPolicyType() ==
              nsIContentPolicy::TYPE_IMAGE ||
          loadInfo->GetExternalContentPolicyType() ==
              nsIContentPolicy::TYPE_OTHER) &&
-        (IsSystemOrAddonPrincipal(loadInfo->GetLoadingPrincipal()) ||
-         IsSystemOrAddonPrincipal(loadInfo->TriggeringPrincipal()))));
+        (IsSystemOrAddonOrAboutPrincipal(loadInfo->GetLoadingPrincipal()) ||
+         IsSystemOrAddonOrAboutPrincipal(loadInfo->TriggeringPrincipal()))));
   mSVGEnabled = Some(conclusion);
   return conclusion;
 }

layout/svg/tests/file_disabled_iframe.html

@@ -48,5 +48,34 @@
   t.firstChild.firstChild.textContent = "1&2<3>4\xA0";
   is(t.innerHTML, '<svg><style>1&amp;2&lt;3&gt;4&nbsp;\u003C/style></svg>');
 
-  SimpleTest.finish();
+  //
+  // Tests for Bug 1673237
+  //
+
+  // This test fails if about:blank renders SVGs
+  t.innerHTML = null;
+  var iframe = document.createElement("iframe");
+  iframe.setAttribute("src", "about:blank")
+  t.appendChild(iframe);
+  iframe.appendChild(document.createElementNS("http://www.w3.org/2000/svg", "svg:svg"));
+  iframe.firstChild.textContent = "<foo>";
+  is(iframe.innerHTML, "<svg:svg>&lt;foo&gt;</svg:svg>");
+
+  // This test fails if about:blank renders SVGs
+  var win = window.open("about:blank");
+  win.document.body.appendChild(document.createElementNS("http://www.w3.org/2000/svg", "svg:svg"))
+  win.document.body.firstChild.textContent = "<foo>";
+  is(win.document.body.innerHTML, "<svg:svg>&lt;foo&gt;</svg:svg>");
+  win.close();
+
+  // This test fails if about:srcdoc renders SVGs
+  t.innerHTML = null;
+  iframe = document.createElement("iframe");
+  iframe.srcdoc = "<svg:svg></svg:svg>";
+  iframe.onload = function() {
+    iframe.contentDocument.body.firstChild.textContent = "<foo>";
+    is(iframe.contentDocument.body.innerHTML, "<svg:svg>&lt;foo&gt;</svg:svg>");
+    SimpleTest.finish();
+  }
+  t.appendChild(iframe);
 </script>