Bug 1157127. When reusing the global of an initial about:blank for a new document, clear out its XBL scope when we change the global's principal. r=bholley

dom/base/nsGlobalWindow.cpp

@@ -2745,8 +2745,16 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
     aDocument->NodePrincipal()->Equals(existing, &sameOrigin);
     MOZ_ASSERT(sameOrigin);
 #endif
-    JS_SetCompartmentPrincipals(compartment,
-                                nsJSPrincipals::get(aDocument->NodePrincipal()));
+    MOZ_ASSERT_IF(aDocument == oldDoc,
+                  xpc::GetCompartmentPrincipal(compartment) ==
+                  aDocument->NodePrincipal());
+    if (aDocument != oldDoc) {
+      JS_SetCompartmentPrincipals(compartment,
+                                  nsJSPrincipals::get(aDocument->NodePrincipal()));
+      // Make sure we clear out the old content XBL scope, so the new one will
+      // get created with a principal that subsumes our new principal.
+      xpc::ClearContentXBLScope(newInnerGlobal);
+    }
   } else {
     if (aState) {
       newInnerWindow = wsh->GetInnerWindow();

js/xpconnect/src/XPCWrappedNativeScope.cpp

@@ -375,6 +375,12 @@ UseContentXBLScope(JSCompartment* c)
   return scope && scope->UseContentXBLScope();
 }
 
+void
+ClearContentXBLScope(JSObject* global)
+{
+    CompartmentPrivate::Get(global)->scope->ClearContentXBLScope();
+}
+
 } /* namespace xpc */
 
 JSObject*

js/xpconnect/src/xpcprivate.h

@@ -1015,6 +1015,7 @@ public:
     bool IsContentXBLScope() { return mIsContentXBLScope; }
     bool AllowContentXBLScope();
     bool UseContentXBLScope() { return mUseContentXBLScope; }
+    void ClearContentXBLScope() { mContentXBLScope = nullptr; }
 
     bool IsAddonScope() { return mIsAddonScope; }
 

js/xpconnect/src/xpcpublic.h

@@ -123,6 +123,11 @@ AllowContentXBLScope(JSCompartment* c);
 bool
 UseContentXBLScope(JSCompartment* c);
 
+// Clear out the content XBL scope (if any) on the given global.  This will
+// force creation of a new one if one is needed again.
+void
+ClearContentXBLScope(JSObject* global);
+
 bool
 IsInAddonScope(JSObject* obj);
 

layout/reftests/bugs/1157127-1-ref.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<body>
+  <script>
+    var ifr = document.createElement("iframe");
+    ifr.src = "1157127-subframe.xml";
+    document.body.appendChild(ifr);
+
+    var doc = ifr.contentDocument;
+    var div = doc.createElement("div");
+    div.style.resize = "both";
+    div.style.overflow = "scroll";
+    doc.body.appendChild(div);
+    div.offsetWidth;
+  </script>
+</body>

layout/reftests/bugs/1157127-1.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<body>
+  <script>
+    document.domain = document.domain;
+    var ifr = document.createElement("iframe");
+    ifr.src = "1157127-subframe.xml";
+    document.body.appendChild(ifr);
+
+    var doc = ifr.contentDocument;
+    var div = doc.createElement("div");
+    div.style.resize = "both";
+    div.style.overflow = "scroll";
+    doc.body.appendChild(div);
+    div.offsetWidth;
+  </script>
+</body>

layout/reftests/bugs/1157127-subframe.xml

@@ -0,0 +1 @@
+<root/>

layout/reftests/bugs/reftest.list

@@ -1929,6 +1929,7 @@ skip-if(B2G||Mulet) == 1150021-1.xul 1150021-1-ref.xul
 == 1153845-1.html 1153845-1-ref.html
 == 1155828-1.html 1155828-1-ref.html
 == 1156129-1.html 1156129-1-ref.html
+pref(dom.use_xbl_scopes_for_remote_xul,true) HTTP(..) == 1157127-1.html 1157127-1-ref.html
 == 1169331-1.html 1169331-1-ref.html
 fuzzy(1,74) fuzzy-if(gtkWidget,6,79) == 1174332-1.html 1174332-1-ref.html
 == 1179078-1.html 1179078-1-ref.html