From a54dd3f9ed06d1e6c0a54e679a803b6b3e7ba184 Mon Sep 17 00:00:00 2001 From: Honza Bambas Date: Thu, 27 Sep 2012 21:35:07 +0200 Subject: [PATCH] Bug 776797 - Lock down POfflineCacheUpdate, r=jduell --- .../prefetch/OfflineCacheUpdateChild.cpp | 1 + .../prefetch/OfflineCacheUpdateParent.cpp | 21 ++++++++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/uriloader/prefetch/OfflineCacheUpdateChild.cpp b/uriloader/prefetch/OfflineCacheUpdateChild.cpp index 8839aa443a3f..17099efb0240 100644 --- a/uriloader/prefetch/OfflineCacheUpdateChild.cpp +++ b/uriloader/prefetch/OfflineCacheUpdateChild.cpp @@ -55,6 +55,7 @@ namespace docshell { //----------------------------------------------------------------------------- NS_INTERFACE_MAP_BEGIN(OfflineCacheUpdateChild) + NS_INTERFACE_MAP_ENTRY(nsISupports) NS_INTERFACE_MAP_ENTRY(nsIOfflineCacheUpdate) NS_INTERFACE_MAP_END diff --git a/uriloader/prefetch/OfflineCacheUpdateParent.cpp b/uriloader/prefetch/OfflineCacheUpdateParent.cpp index 045c40d22033..5e6e43baa8ca 100644 --- a/uriloader/prefetch/OfflineCacheUpdateParent.cpp +++ b/uriloader/prefetch/OfflineCacheUpdateParent.cpp @@ -8,6 +8,7 @@ #include "mozilla/ipc/URIUtils.h" #include "nsOfflineCacheUpdate.h" #include "nsIApplicationCache.h" +#include "nsNetUtil.h" using namespace mozilla::ipc; 
@@ -83,20 +84,30 @@ OfflineCacheUpdateParent::Schedule(const URIParams& aManifestURI, if (!manifestURI) return NS_ERROR_FAILURE; - nsCOMPtr documentURI = DeserializeURI(aDocumentURI); - if (!documentURI) - return NS_ERROR_FAILURE; - nsOfflineCacheUpdateService* service = nsOfflineCacheUpdateService::EnsureService(); if (!service) return NS_ERROR_FAILURE; + bool offlinePermissionAllowed = false; + nsresult rv = service->OfflineAppAllowedForURI( + manifestURI, nullptr, &offlinePermissionAllowed); + NS_ENSURE_SUCCESS(rv, rv); + + if (!offlinePermissionAllowed) + return NS_ERROR_DOM_SECURITY_ERR; + + nsCOMPtr documentURI = DeserializeURI(aDocumentURI); + if (!documentURI) + return NS_ERROR_FAILURE; + + if (!NS_SecurityCompareURIs(manifestURI, documentURI, false)) + return NS_ERROR_DOM_SECURITY_ERR; + service->FindUpdate(manifestURI, this, getter_AddRefs(update)); if (!update) { update = new nsOfflineCacheUpdate(); - nsresult rv; // Leave aDocument argument null. Only glues and children keep // document instances. rv = update->Init(manifestURI, documentURI, nullptr, nullptr, this);
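Review bot: Both checks added in Schedule() run only on values the child sent (`aManifestURI`, `aDocumentURI`), so they reject an unpermitted or cross-origin request but, as far as this hunk shows, do not establish that the sending process is entitled to act for that origin. I would state that limit above the permission check, e.g. `// Both URIs come from the content process; this validates the request, not the sender.` The bare `false` passed to NS_SecurityCompareURIs is the strict-file-origin flag and would read better as `/* aStrictFileOriginPolicy */ false`, since with it off any two file: URIs compare as same-origin. Schedule() begins before the hunk and continues after it.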