import changes from tenfourfox:

- Issue #607: new, separate blocklist in caps/ for scripts that can crash the browser, but have no obvious workaround (#609) (5748c7513) - incorporate #608, #609 (256479e9f) - closes #610: M1317422 + tests (f187b2dfe) - #612: M969874 M1525628 (689819e12) - #612: M1019551 (7850b17a7) - #604: M1236639 M1257931 M1256590 M1291543 M1363647 + backbugs (80ece6a15) - #611: M1277475 (0c828a96e) - #611: M1644477 (6ad5c12da) - #611: update TLDs, HSTS (67c056259)
2026-05-26 15:39:48 +00:00 · 2020-06-19 21:30:34 +08:00
parent 2e902be270
commit b5b03bdced
32 changed files with 2823 additions and 1995 deletions
@@ -688,6 +688,34 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
       return NS_ERROR_DOM_BAD_URI;
    }

+    // See TenFourFox issue 607
+    // determine if this is a script we want to block
+    // Scripts that somehow hit hard limits should go in here
+    if (!mIsTenFourFoxTroublesomeJsAllowed &&
+            (targetScheme.EqualsLiteral("http") || targetScheme.EqualsLiteral("https"))) {
+        nsAutoCString hostname;
+        if (MOZ_LIKELY(NS_SUCCEEDED(targetBaseURI->GetHost(hostname)))) {
+            ToLowerCase(hostname);
+#define BLOC(q) hostname.EqualsLiteral(q)
+            if (0 ||
+
+#ifdef __ppc__
+                BLOC("static.twitchcdn.net") ||
+#endif // __ppc__
+
+                    0) {
+#undef BLOC
+
+#ifndef DEBUG
+                if (mIsTenFourFoxTroublesomeJsLoggingEnabled)
+#endif
+                fprintf(stderr, "Warning: TenFourFox blocking problematic script from %s.\n",
+                    hostname.get());
+                return NS_ERROR_DOM_BAD_URI;
+            }
+        }
+    }
+
    // TenFourFox issue 469
    // determine if this is a script we want to block
    if (mIsTenFourFoxAdBlockEnabled &&
@@ -1790,6 +1818,7 @@ static const char* kObservedPrefs[] = {
  sFileOriginPolicyPrefName,
  "capability.policy.",
  "tenfourfox.adblock.",
+  "tenfourfox.troublesome-js.",
  nullptr
 };

@@ -1810,6 +1839,8 @@ nsScriptSecurityManager::nsScriptSecurityManager(void)
    , mIsJavaScriptEnabled(false)
    , mIsTenFourFoxAdBlockEnabled(false)
    , mIsTenFourFoxAdBlockLoggingEnabled(false)
+    , mIsTenFourFoxTroublesomeJsAllowed(false)
+    , mIsTenFourFoxTroublesomeJsLoggingEnabled(false)
 {
    static_assert(sizeof(intptr_t) == sizeof(void*),
                  "intptr_t and void* have different lengths on this platform. "
@@ -1950,6 +1981,12 @@ nsScriptSecurityManager::ScriptSecurityPrefChanged()
        Preferences::GetBool("tenfourfox.adblock.enabled", mIsTenFourFoxAdBlockEnabled);
    mIsTenFourFoxAdBlockLoggingEnabled =
        Preferences::GetBool("tenfourfox.adblock.logging.enabled", mIsTenFourFoxAdBlockLoggingEnabled);
+    mIsTenFourFoxTroublesomeJsAllowed =
+        Preferences::GetBool("tenfourfox.troublesome-js.allow",
+                                        mIsTenFourFoxTroublesomeJsAllowed);
+    mIsTenFourFoxTroublesomeJsLoggingEnabled =
+        Preferences::GetBool("tenfourfox.troublesome-js.logging.enabled",
+                                        mIsTenFourFoxTroublesomeJsLoggingEnabled);

    //
    // Rebuild the set of principals for which we allow file:// URI loads. This
@@ -125,6 +125,8 @@ private:
    bool mIsJavaScriptEnabled;
    bool mIsTenFourFoxAdBlockEnabled;
    bool mIsTenFourFoxAdBlockLoggingEnabled;
+    bool mIsTenFourFoxTroublesomeJsAllowed;
+    bool mIsTenFourFoxTroublesomeJsLoggingEnabled;
    nsTArray<nsCOMPtr<nsIURI>> mFileURIWhitelist;

    // This machinery controls new-style domain policies. The old-style
@@ -8293,7 +8293,7 @@ nsDocument::IsScriptEnabled()
 {
  // If this document is sandboxed without 'allow-scripts'
  // script is not enabled
-  if (mSandboxFlags & SANDBOXED_SCRIPTS) {
+  if (HasScriptsBlockedBySandbox()) {
    return false;
  }

@@ -13044,6 +13044,12 @@ nsIDocument::InlineScriptAllowedByCSP()
  return allowsInlineScript;
 }

+bool
+nsIDocument::HasScriptsBlockedBySandbox()
+{
+  return mSandboxFlags & SANDBOXED_SCRIPTS;
+}
+
 static bool
 MightBeAboutOrChromeScheme(nsIURI* aURI)
 {
@@ -2678,6 +2678,8 @@ public:
    return mUserHasInteracted;
  }

+  bool HasScriptsBlockedBySandbox();
+
  bool InlineScriptAllowedByCSP();

  void SetLinkHandlingEnabled(bool aValue) { mLinksEnabled = aValue; }
@@ -272,7 +272,7 @@ nsScriptLoader::StartLoad(nsScriptLoadRequest *aRequest, const nsAString &aType,
                          bool aScriptFromHead)
 {
  // If this document is sandboxed without 'allow-scripts', abort.
-  if (mDocument->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
+  if (mDocument->HasScriptsBlockedBySandbox()) {
    return NS_OK;
  }

@@ -704,7 +704,7 @@ nsScriptLoader::ProcessScriptElement(nsIScriptElement *aElement)

  // inline script
  // Is this document sandboxed without 'allow-scripts'?
-  if (mDocument->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
+  if (mDocument->HasScriptsBlockedBySandbox()) {
    return false;
  }

@@ -735,7 +735,7 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
  if (doc) {
    // Don't allow adding an event listener if the document is sandboxed
    // without 'allow-scripts'.
-    if (doc->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
+    if (doc->HasScriptsBlockedBySandbox()) {
      return NS_ERROR_DOM_SECURITY_ERR;
    }

@@ -545,17 +545,23 @@ HTMLCanvasElement::CopyInnerTo(Element* aDest)
    HTMLCanvasElement* dest = static_cast<HTMLCanvasElement*>(aDest);
    dest->mOriginalCanvas = this;

-    nsCOMPtr<nsISupports> cxt;
-    dest->GetContext(NS_LITERAL_STRING("2d"), getter_AddRefs(cxt));
-    RefPtr<CanvasRenderingContext2D> context2d =
-      static_cast<CanvasRenderingContext2D*>(cxt.get());
-    if (context2d && !mPrintCallback) {
-      CanvasImageSource source;
-      source.SetAsHTMLCanvasElement() = this;
-      ErrorResult err;
-      context2d->DrawImage(source,
-                           0.0, 0.0, err);
-      rv = err.StealNSResult();
+    // We make sure that the canvas is not zero sized since that would cause
+    // the DrawImage call below to return an error, which would cause printing
+    // to fail.
+    nsIntSize size = GetWidthHeight();
+    if (size.height > 0 && size.width > 0) {
+      nsCOMPtr<nsISupports> cxt;
+      dest->GetContext(NS_LITERAL_STRING("2d"), getter_AddRefs(cxt));
+      RefPtr<CanvasRenderingContext2D> context2d =
+        static_cast<CanvasRenderingContext2D*>(cxt.get());
+      if (context2d && !mPrintCallback) {
+        CanvasImageSource source;
+        source.SetAsHTMLCanvasElement() = this;
+        ErrorResult err;
+        context2d->DrawImage(source,
+                             0.0, 0.0, err);
+        rv = err.StealNSResult();
+      }
    }
  }
  return rv;
@@ -201,7 +201,7 @@ nsresult nsJSThunk::EvaluateScript(nsIChannel *aChannel,
    // Sandboxed document check: javascript: URI's are disabled
    // in a sandboxed document unless 'allow-scripts' was specified.
    nsIDocument* doc = aOriginalInnerWindow->GetExtantDoc();
-    if (doc && (doc->GetSandboxFlags() & SANDBOXED_SCRIPTS)) {
+    if (doc && doc->HasScriptsBlockedBySandbox()) {
        return NS_ERROR_DOM_RETVAL_UNDEFINED;
    }

@@ -157,7 +157,6 @@ MP3TrackDemuxer::SeekPosition() const {
  return pos;
 }

-#ifdef ENABLE_TESTS
 const FrameParser::Frame&
 MP3TrackDemuxer::LastFrame() const {
  return mParser.PrevFrame();
@@ -167,7 +166,6 @@ RefPtr<MediaRawData>
 MP3TrackDemuxer::DemuxSample() {
  return GetNextFrame(FindNextFrame());
 }
-#endif

 const ID3Parser::ID3Header&
 MP3TrackDemuxer::ID3Header() const {
@@ -373,6 +371,55 @@ MP3TrackDemuxer::Duration(int64_t aNumFrames) const {
  return TimeUnit::FromMicroseconds(aNumFrames * usPerFrame);
 }

+MediaByteRange
+MP3TrackDemuxer::FindFirstFrame() {
+  // Get engough successive frames to avoid invalid frame from cut stream.
+  // However, some website use very short mp3 file so using the same value as Chrome.
+  static const int MIN_SUCCESSIVE_FRAMES = 3;
+
+  MediaByteRange candidateFrame = FindNextFrame();
+  int numSuccFrames = candidateFrame.Length() > 0;
+  MediaByteRange currentFrame = candidateFrame;
+  MP3LOGV("FindFirst() first candidate frame: mOffset=%" PRIu64 " Length()=%" PRIu64,
+          candidateFrame.mStart, candidateFrame.Length());
+
+  while (candidateFrame.Length() && numSuccFrames < MIN_SUCCESSIVE_FRAMES) {
+    mParser.EndFrameSession();
+    mOffset = currentFrame.mEnd;
+    const MediaByteRange prevFrame = currentFrame;
+
+    // FindNextFrame() here will only return frames consistent with our candidate frame.
+    currentFrame = FindNextFrame();
+    numSuccFrames += currentFrame.Length() > 0;
+    // Multiple successive false positives, which wouldn't be caught by the consistency
+    // checks alone, can be detected by wrong alignment (non-zero gap between frames).
+    const int64_t frameSeparation = currentFrame.mStart - prevFrame.mEnd;
+
+    if (!currentFrame.Length() || frameSeparation != 0) {
+      MP3LOGV("FindFirst() not enough successive frames detected, "
+              "rejecting candidate frame: successiveFrames=%d, last Length()=%" PRIu64
+              ", last frameSeparation=%" PRId64, numSuccFrames, currentFrame.Length(),
+              frameSeparation);
+
+      mParser.ResetFrameData();
+      mOffset = candidateFrame.mStart + 1;
+      candidateFrame = FindNextFrame();
+      numSuccFrames = candidateFrame.Length() > 0;
+      currentFrame = candidateFrame;
+      MP3LOGV("FindFirst() new candidate frame: mOffset=%" PRIu64 " Length()=%" PRIu64,
+              candidateFrame.mStart, candidateFrame.Length());
+    }
+  }
+
+  if (numSuccFrames >= MIN_SUCCESSIVE_FRAMES) {
+    MP3LOG("FindFirst() accepting candidate frame: "
+            "successiveFrames=%d", numSuccFrames);
+  } else {
+    MP3LOG("FindFirst() no suitable first frame found");
+  }
+  return candidateFrame;
+}
+
 static bool
 VerifyFrameConsistency(
    const FrameParser::Frame& aFrame1, const FrameParser::Frame& aFrame2) {
@@ -652,15 +699,20 @@ FrameParser::Reset() {
  mFrame.Reset();
 }

+void
+FrameParser::ResetFrameData() {
+  mFrame.Reset();
+  mFirstFrame.Reset();
+  mPrevFrame.Reset();
+}
+
 void
 FrameParser::EndFrameSession() {
  if (!mID3Parser.Header().IsValid()) {
    // Reset ID3 tags only if we have not parsed a valid ID3 header yet.
    mID3Parser.Reset();
  }
-#ifdef ENABLE_TESTS
  mPrevFrame = mFrame;
-#endif
  mFrame.Reset();
 }

@@ -669,12 +721,10 @@ FrameParser::CurrentFrame() const {
  return mFrame;
 }

-#ifdef ENABLE_TESTS
 const FrameParser::Frame&
 FrameParser::PrevFrame() const {
  return mPrevFrame;
 }
-#endif

 const FrameParser::Frame&
 FrameParser::FirstFrame() const {
@@ -1063,7 +1113,7 @@ FrameParser::VBRHeader::ParseVBRI(ByteReader* aReader) {
  MOZ_ASSERT(aReader);
  // ParseVBRI assumes that the ByteReader offset points to the beginning of a frame,
  // therefore as a simple check, we look for the presence of a frame sync at that position.
-  MOZ_ASSERT(aReader->PeekU16() & 0xFFE0);
+  MOZ_ASSERT((aReader->PeekU16() & 0xFFE0) == 0xFFE0);
  const size_t prevReaderOffset = aReader->Offset();

  // VBRI have a fixed relative position, so let's check for it there.
@@ -304,10 +304,8 @@ public:
  // Returns the currently parsed frame. Reset via Reset or EndFrameSession.
  const Frame& CurrentFrame() const;

-#ifdef ENABLE_TESTS
  // Returns the previously parsed frame. Reset via Reset.
  const Frame& PrevFrame() const;
-#endif

  // Returns the first parsed frame. Reset via Reset.
  const Frame& FirstFrame() const;
@@ -318,9 +316,13 @@ public:
  // Returns the parsed VBR header info. Note: check for validity by type.
  const VBRHeader& VBRInfo() const;

-  // Resets the parser. Don't use between frames as first frame data is reset.
+  // Resets the parser.
  void Reset();

+  // Resets all frame data, but not the ID3Header.
+  // Don't use between frames as first frame data is reset.
+  void ResetFrameData();
+
  // Clear the last parsed frame to allow for next frame parsing, i.e.:
  // - sets PrevFrame to CurrentFrame
  // - resets the CurrentFrame
@@ -350,9 +352,7 @@ private:
  // previously parsed frame for debugging and the currently parsed frame.
  Frame mFirstFrame;
  Frame mFrame;
-#ifdef ENABLE_TESTS
  Frame mPrevFrame;
-#endif
 };

 // The MP3 demuxer used to extract MPEG frames and side information out of
@@ -379,10 +379,8 @@ public:
  // Returns the estimated current seek position time.
  media::TimeUnit SeekPosition() const;

-#ifdef ENABLE_TESTS
  const FrameParser::Frame& LastFrame() const;
  RefPtr<MediaRawData> DemuxSample();
-#endif

  const ID3Parser::ID3Header& ID3Header() const;
  const FrameParser::VBRHeader& VBRInfo() const;
@@ -407,7 +405,12 @@ private:
  // Seeks by scanning the stream up to the given time for more accurate results.
  media::TimeUnit ScanUntil(const media::TimeUnit& aTime);

-  // Finds the next valid frame and returns its byte range.
+  // Finds the first valid frame and returns its byte range if found
+  // or a null-byte range otherwise.
+  MediaByteRange FindFirstFrame();
+
+  // Finds the next valid frame and returns its byte range if found
+  // or a null-byte range otherwise.
  MediaByteRange FindNextFrame();

  // Skips the next frame given the provided byte range.
@@ -403,6 +403,12 @@ partial interface Document {
  [ChromeOnly] readonly attribute boolean userHasInteracted;
 };

+// Extension to give chrome and XBL JS the ability to determine whether
+// the document is sandboxed without permission to run scripts.
+partial interface Document {
+  [Func="IsChromeOrXBL"] readonly attribute boolean hasScriptsBlockedBySandbox;
+};
+
 // Extension to give chrome and XBL JS the ability to determine whether
 // inline scripts are blocked by the document's CSP.
 partial interface Document {
@@ -719,7 +719,7 @@ struct JSClass {
 // application.
 #define JSCLASS_GLOBAL_APPLICATION_SLOTS 5
 #define JSCLASS_GLOBAL_SLOT_COUNT                                             \
-    (JSCLASS_GLOBAL_APPLICATION_SLOTS + JSProto_LIMIT * 3 + 36)
+    (JSCLASS_GLOBAL_APPLICATION_SLOTS + JSProto_LIMIT * 3 + 37)
 #define JSCLASS_GLOBAL_FLAGS_WITH_SLOTS(n)                                    \
    (JSCLASS_IS_GLOBAL | JSCLASS_HAS_RESERVED_SLOTS(JSCLASS_GLOBAL_SLOT_COUNT + (n)))
 #define JSCLASS_GLOBAL_FLAGS                                                  \
@@ -1079,6 +1079,11 @@ JS_ResolveStandardClass(JSContext* cx, HandleObject obj, HandleId id, bool* reso
                              JSPROP_PERMANENT | JSPROP_READONLY | JSPROP_RESOLVING);
    }

+    // Resolve a "globalThis" self-referential property if necessary.
+    if (idAtom == cx->names().globalThis) {
+        return GlobalObject::maybeResolveGlobalThis(cx, global, resolved);
+    }
+
    /* Try for class constructors/prototypes named by well-known atoms. */
    stdnm = LookupStdName(cx->names(), idAtom, standard_class_names);

@@ -1128,6 +1133,7 @@ JS_MayResolveStandardClass(const JSAtomState& names, jsid id, JSObject* maybeObj
    JSAtom* atom = JSID_TO_ATOM(id);

    return atom == names.undefined ||
+           atom == names.globalThis ||
           LookupStdName(names, atom, standard_class_names) ||
           LookupStdName(names, atom, builtin_property_names);
 }
@@ -0,0 +1,28 @@
+// Copyright (C) 2016 Jordan Harband. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+
+/*---
+esid: sec-other-properties-of-the-global-object-globalThis
+description: "'globalThis' should be the global object"
+author: Jordan Harband
+features: [globalThis]
+---*/
+
+assert.sameValue(this, globalThis);
+assert.sameValue(globalThis.globalThis, globalThis);
+
+assert.sameValue(Array, globalThis.Array);
+assert.sameValue(Boolean, globalThis.Boolean);
+assert.sameValue(Date, globalThis.Date);
+assert.sameValue(Error, globalThis.Error);
+assert.sameValue(Function, globalThis.Function);
+assert.sameValue(JSON, globalThis.JSON);
+assert.sameValue(Math, globalThis.Math);
+assert.sameValue(Number, globalThis.Number);
+assert.sameValue(RegExp, globalThis.RegExp);
+assert.sameValue(String, globalThis.String);
+
+var globalVariable = {};
+assert.sameValue(globalVariable, globalThis.globalVariable);
+
+reportCompare(0, 0);
@@ -0,0 +1,16 @@
+// Copyright (C) 2016 Jordan Harband. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+
+/*---
+esid: sec-other-properties-of-the-global-object-global
+description: "'globalThis' should be writable, non-enumerable, and configurable"
+author: Jordan Harband
+includes: [propertyHelper.js]
+features: [globalThis]
+---*/
+
+verifyNotEnumerable(this, 'globalThis');
+verifyWritable(this, 'globalThis');
+verifyConfigurable(this, 'globalThis');
+
+reportCompare(0, 0);
@@ -0,0 +1 @@
+
@@ -0,0 +1 @@
+
@@ -938,3 +938,148 @@ var fnGlobalObject = (function()
  var global = Function("return this")();
  return function fnGlobalObject() { return global; };
 })();
+
+/* hack */
+function _assert(c, s)
+{
+  if (!c) $ERROR(s);
+}
+var assert = {
+	sameValue : function(x, y) {
+		assertEq(x,y);
+	}
+};
+
+function isConfigurable(obj, name) {
+  var hasOwnProperty = Object.prototype.hasOwnProperty;
+  try {
+    delete obj[name];
+  } catch (e) {
+    if (!(e instanceof TypeError)) {
+      $ERROR("Expected TypeError, got " + e);
+    }
+  }
+  return !hasOwnProperty.call(obj, name);
+}
+
+function isEnumerable(obj, name) {
+  var stringCheck = false;
+
+  if (typeof name === "string") {
+    for (var x in obj) {
+      if (x === name) {
+        stringCheck = true;
+        break;
+      }
+    }
+  } else {
+    // skip it if name is not string, works for Symbol names.
+    stringCheck = true;
+  }
+
+  return stringCheck &&
+    Object.prototype.hasOwnProperty.call(obj, name) &&
+    Object.prototype.propertyIsEnumerable.call(obj, name);
+}
+
+function isSameValue(a, b) {
+  if (a === 0 && b === 0) return 1 / a === 1 / b;
+  if (a !== a && b !== b) return true;
+
+  return a === b;
+}
+
+var __isArray = Array.isArray;
+function isWritable(obj, name, verifyProp, value) {
+  var unlikelyValue = __isArray(obj) && name === "length" ?
+    Math.pow(2, 32) - 1 :
+    "unlikelyValue";
+  var newValue = value || unlikelyValue;
+  var hadValue = Object.prototype.hasOwnProperty.call(obj, name);
+  var oldValue = obj[name];
+  var writeSucceeded;
+
+  try {
+    obj[name] = newValue;
+  } catch (e) {
+    if (!(e instanceof TypeError)) {
+      $ERROR("Expected TypeError, got " + e);
+    }
+  }
+
+  writeSucceeded = isSameValue(obj[verifyProp || name], newValue);
+
+  // Revert the change only if it was successful (in other cases, reverting
+  // is unnecessary and may trigger exceptions for certain property
+  // configurations)
+  if (writeSucceeded) {
+    if (hadValue) {
+      obj[name] = oldValue;
+    } else {
+      delete obj[name];
+    }
+  }
+
+  return writeSucceeded;
+}
+
+function verifyEqualTo(obj, name, value) {
+  if (!isSameValue(obj[name], value)) {
+    $ERROR("Expected obj[" + String(name) + "] to equal " + value +
+           ", actually " + obj[name]);
+  }
+}
+
+function verifyWritable(obj, name, verifyProp, value) {
+  if (!verifyProp) {
+    _assert(Object.getOwnPropertyDescriptor(obj, name).writable,
+         "Expected obj[" + String(name) + "] to have writable:true.");
+  }
+  if (!isWritable(obj, name, verifyProp, value)) {
+    $ERROR("Expected obj[" + String(name) + "] to be writable, but was not.");
+  }
+}
+
+function verifyNotWritable(obj, name, verifyProp, value) {
+  if (!verifyProp) {
+    _assert(!Object.getOwnPropertyDescriptor(obj, name).writable,
+         "Expected obj[" + String(name) + "] to have writable:false.");
+  }
+  if (isWritable(obj, name, verifyProp)) {
+    $ERROR("Expected obj[" + String(name) + "] NOT to be writable, but was.");
+  }
+}
+
+function verifyEnumerable(obj, name) {
+  _assert(Object.getOwnPropertyDescriptor(obj, name).enumerable,
+       "Expected obj[" + String(name) + "] to have enumerable:true.");
+  if (!isEnumerable(obj, name)) {
+    $ERROR("Expected obj[" + String(name) + "] to be enumerable, but was not.");
+  }
+}
+
+function verifyNotEnumerable(obj, name) {
+  _assert(!Object.getOwnPropertyDescriptor(obj, name).enumerable,
+       "Expected obj[" + String(name) + "] to have enumerable:false.");
+  if (isEnumerable(obj, name)) {
+    $ERROR("Expected obj[" + String(name) + "] NOT to be enumerable, but was.");
+  }
+}
+
+function verifyConfigurable(obj, name) {
+  _assert(Object.getOwnPropertyDescriptor(obj, name).configurable,
+       "Expected obj[" + String(name) + "] to have configurable:true.");
+  if (!isConfigurable(obj, name)) {
+    $ERROR("Expected obj[" + String(name) + "] to be configurable, but was not."
+);
+  }
+}
+
+function verifyNotConfigurable(obj, name) {
+  _assert(!Object.getOwnPropertyDescriptor(obj, name).configurable,
+       "Expected obj[" + String(name) + "] to have configurable:false.");
+  if (isConfigurable(obj, name)) {
+    $ERROR("Expected obj[" + String(name) + "] NOT to be configurable, but was."
+);
+  }
+}
@@ -109,6 +109,7 @@
    macro(getOwnPropertyNames, getOwnPropertyNames, "getOwnPropertyNames") \
    macro(getPropertyDescriptor, getPropertyDescriptor, "getPropertyDescriptor") \
    macro(global, global, "global") \
+    macro(globalThis, globalThis, "globalThis") \
    macro(Handle, Handle, "Handle") \
    macro(has, has, "has") \
    macro(hasOwn, hasOwn, "hasOwn") \
@@ -238,6 +238,34 @@ GlobalObject::initBuiltinConstructor(JSContext* cx, Handle<GlobalObject*> global
    return true;
 }

+
+// Resolve a "globalThis" self-referential property if necessary,
+// per a stage-3 proposal. https://github.com/tc39/ecma262/pull/702
+//
+// We could also do this in |FinishObjectClassInit| to trim the global
+// resolve hook.  Unfortunately, |ToWindowProxyIfWindow| doesn't work then:
+// the browser's |nsGlobalWindow::SetNewDocument| invokes Object init
+// *before* it sets the global's WindowProxy using |js::SetWindowProxy|.
+//
+// Refactoring global object creation code to support this approach is a
+// challenge for another day.
+/* static */ bool
+GlobalObject::maybeResolveGlobalThis(JSContext* cx, Handle<GlobalObject*> global, bool* resolved)
+{
+    if (global->getSlot(GLOBAL_THIS_RESOLVED).isUndefined()) {
+        RootedValue v(cx, ObjectValue(*ToWindowProxyIfWindow(global)));
+        if (!DefineProperty(cx, global, cx->names().globalThis, v, nullptr, nullptr,
+JSPROP_RESOLVING)) {
+            return false;
+        }
+
+        *resolved = true;
+        global->setSlot(GLOBAL_THIS_RESOLVED, BooleanValue(true));
+    }
+
+    return true;
+}
+
 GlobalObject*
 GlobalObject::createInternal(JSContext* cx, const Class* clasp)
 {
@@ -346,6 +374,12 @@ GlobalObject::initStandardClasses(JSContext* cx, Handle<GlobalObject*> global)
        return false;
    }

+    // Resolve a "globalThis" self-referential property if necessary.
+    bool resolved;
+    if (!GlobalObject::maybeResolveGlobalThis(cx, global, &resolved)) {
+        return false;
+    }
+
    for (size_t k = 0; k < JSProto_LIMIT; ++k) {
        if (!ensureConstructor(cx, global, static_cast<JSProtoKey>(k)))
            return false;
@@ -119,6 +119,7 @@ class GlobalObject : public NativeObject
        FOR_OF_PIC_CHAIN,
        MODULE_RESOLVE_HOOK,
        WINDOW_PROXY,
+        GLOBAL_THIS_RESOLVED,

        /* Total reserved-slot count for global objects. */
        RESERVED_SLOTS
@@ -167,6 +168,7 @@ class GlobalObject : public NativeObject
    static bool resolveConstructor(JSContext* cx, Handle<GlobalObject*> global, JSProtoKey key);
    static bool initBuiltinConstructor(JSContext* cx, Handle<GlobalObject*> global,
                                       JSProtoKey key, HandleObject ctor, HandleObject proto);
+    static bool maybeResolveGlobalThis(JSContext* cx, Handle<GlobalObject*> global, bool* resolved);

    void setConstructor(JSProtoKey key, const Value& v) {
        MOZ_ASSERT(key <= JSProto_LIMIT);
@@ -5889,6 +5889,11 @@ nsIFrame::IsBlockWrapper() const
          pseudoType == nsCSSAnonBoxes::cellContent);
 }

+bool nsIFrame::IsBlockFrameOrSubclass() {
+  nsBlockFrame* thisAsBlock = do_QueryFrame(this);
+  return !!thisAsBlock;
+}
+
 static nsIFrame*
 GetNearestBlockContainer(nsIFrame* frame)
 {
@@ -972,6 +972,29 @@ nsHTMLScrollFrame::AccessibleType()
 }
 #endif

+nscoord nsHTMLScrollFrame::GetLogicalBaseline(WritingMode aWritingMode) const {
+  // This function implements some of the spec text here:
+  //  https://drafts.csswg.org/css-align/#baseline-export
+  //
+  // Specifically: if our scrolled frame is a block, we just use the inherited
+  // GetLogicalBaseline() impl, which synthesizes a baseline from the
+  // margin-box. Otherwise, we defer to our scrolled frame, considering it
+  // to be scrolled to its initial scroll position.
+  if (mHelper.mScrolledFrame->IsBlockFrameOrSubclass()) {
+    return nsContainerFrame::GetLogicalBaseline(aWritingMode);
+  }
+
+  // OK, here's where we defer to our scrolled frame. We have to add our
+  // border BStart thickness to whatever it returns, to produce an offset in
+  // our frame-rect's coordinate system. (We don't have to add padding,
+  // because the scrolled frame handles our padding.)
+  LogicalMargin border = GetLogicalUsedBorder(aWritingMode);
+
+  return border.BStart(aWritingMode) +
+         mHelper.mScrolledFrame->GetLogicalBaseline(aWritingMode);
+}
+
+
 NS_QUERYFRAME_HEAD(nsHTMLScrollFrame)
  NS_QUERYFRAME_ENTRY(nsIAnonymousContentCreator)
  NS_QUERYFRAME_ENTRY(nsIScrollableFrame)
@@ -943,6 +943,8 @@ public:
  virtual mozilla::a11y::AccType AccessibleType() override;
 #endif

+  nscoord GetLogicalBaseline(mozilla::WritingMode aWritingMode) const override;
+
 protected:
  nsHTMLScrollFrame(nsStyleContext* aContext, bool aIsRoot);
  void SetSuppressScrollbarUpdate(bool aSuppress) {
@@ -2162,6 +2162,18 @@ public:
   */
  bool IsBlockWrapper() const;

+  /**
+   * Returns true if the frame is an instance of nsBlockFrame or one of its
+   * subclasses.
+   *
+   * XXXdholbert this is non-const because it uses nsIFrame::QueryFrame which
+   * is non-const.  If we need this accessor to be 'const' down the road, the
+   * right way to do it would be to make the QueryFrame machinery
+   * const-friendly. But it may not be worth the trouble, because we rarely
+   * handle const frame pointers anyway.
+   */
+  bool IsBlockFrameOrSubclass();
+
  /**
   * Get this frame's CSS containing block.
   *
@@ -240,6 +240,13 @@
        <parameter name="aIgnoreNextCall"/>
        <body>
          <![CDATA[
+          // _setEventListener is only used for setting the attribute event
+          // handlers, which we want to ignore if our document is sandboxed
+          // without the allow-scripts keyword.
+          if (document.hasScriptsBlockedBySandbox) {
+            return true;
+          }
+
          // attribute event handlers should only be added if the
          // document's CSP allows it.
          if (!document.inlineScriptAllowedByCSP) {
@@ -407,8 +407,7 @@ static int nr_ice_candidate_copy_for_triggered_check(nr_ice_cand_pair *pair)
    copy->nominated = pair->nominated;

    r_log(LOG_ICE,LOG_INFO,"CAND-PAIR(%s): Adding pair to check list and trigger check queue: %s",pair->codeword,pair->as_string);
-    if(r=nr_ice_candidate_pair_insert(&pair->remote->stream->check_list,copy))
-      ABORT(r);
+    nr_ice_candidate_pair_insert(&pair->remote->stream->check_list,copy);
    nr_ice_candidate_pair_trigger_check_append(&pair->remote->stream->trigger_check_queue,copy);

    copy->triggered = 1;
@@ -590,7 +589,7 @@ int nr_ice_candidate_pair_trigger_check_append(nr_ice_cand_pair_head *head,nr_ic
    return(0);
  }

-int nr_ice_candidate_pair_insert(nr_ice_cand_pair_head *head,nr_ice_cand_pair *pair)
+void nr_ice_candidate_pair_insert(nr_ice_cand_pair_head *head,nr_ice_cand_pair *pair)
  {
    nr_ice_cand_pair *c1;

@@ -604,8 +603,6 @@ int nr_ice_candidate_pair_insert(nr_ice_cand_pair_head *head,nr_ice_cand_pair *p
      c1=TAILQ_NEXT(c1,check_queue_entry);
    }
    if(!c1) TAILQ_INSERT_TAIL(head,pair,check_queue_entry);
-
-    return(0);
  }

 void nr_ice_candidate_pair_restart_stun_nominated_cb(NR_SOCKET s, int how, void *cb_arg)
@@ -82,7 +82,7 @@ int nr_ice_candidate_pair_dump_state(nr_ice_cand_pair *pair, FILE *out);
 int nr_ice_candidate_pair_cancel(nr_ice_peer_ctx *pctx,nr_ice_cand_pair *pair, int move_to_wait_state);
 int nr_ice_candidate_pair_select(nr_ice_cand_pair *pair);
 int nr_ice_candidate_pair_do_triggered_check(nr_ice_peer_ctx *pctx, nr_ice_cand_pair *pair);
-int nr_ice_candidate_pair_insert(nr_ice_cand_pair_head *head,nr_ice_cand_pair *pair);
+void nr_ice_candidate_pair_insert(nr_ice_cand_pair_head *head,nr_ice_cand_pair *pair);
 int nr_ice_candidate_pair_trigger_check_append(nr_ice_cand_pair_head *head,nr_ice_cand_pair *pair);
 void nr_ice_candidate_pair_restart_stun_nominated_cb(NR_SOCKET s, int how, void *cb_arg);
 int nr_ice_candidate_pair_destroy(nr_ice_cand_pair **pairp);
@@ -1333,8 +1333,7 @@ int nr_ice_component_finalize(nr_ice_component *lcomp, nr_ice_component *rcomp)

 int nr_ice_component_insert_pair(nr_ice_component *pcomp, nr_ice_cand_pair *pair)
  {
-    int r,_status;
-    int pair_inserted=0;
+    int _status;

    /* Pairs for peer reflexive are marked SUCCEEDED immediately */
    if (pair->state != NR_ICE_PAIR_STATE_FROZEN &&
@@ -1343,10 +1342,8 @@ int nr_ice_component_insert_pair(nr_ice_component *pcomp, nr_ice_cand_pair *pair
      ABORT(R_BAD_ARGS);
    }

-    if(r=nr_ice_candidate_pair_insert(&pair->remote->stream->check_list,pair))
-      ABORT(r);
-
-    pair_inserted=1;
+    /* We do not throw an error after this, because we've inserted the pair. */
+    nr_ice_candidate_pair_insert(&pair->remote->stream->check_list,pair);

    /* Make sure the check timer is running, if the stream was previously
     * started. We will not start streams just because a pair was created,
@@ -1358,13 +1355,12 @@ int nr_ice_component_insert_pair(nr_ice_component *pcomp, nr_ice_cand_pair *pair
        !pair->remote->stream->pctx->checks_started)){
      if(nr_ice_media_stream_start_checks(pair->remote->stream->pctx, pair->remote->stream)) {
        r_log(LOG_ICE,LOG_WARNING,"ICE-PEER(%s)/CAND-PAIR(%s): Could not restart checks for new pair %s.",pair->remote->stream->pctx->label, pair->codeword, pair->as_string);
-        ABORT(R_INTERNAL);
      }
    }

    _status=0;
  abort:
-    if (_status && !pair_inserted) {
+    if (_status) {
      nr_ice_candidate_pair_destroy(&pair);
    }
    return(_status);
@@ -6327,7 +6327,6 @@ cv.ua
 dn.ua
 dnepropetrovsk.ua
 dnipropetrovsk.ua
-dominic.ua
 donetsk.ua
 dp.ua
 if.ua
@@ -7092,7 +7091,7 @@ org.zw

 // newGTLDs

-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-05-06T16:23:34Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-06-11T16:44:38Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@@ -8054,9 +8053,6 @@ esq
 // estate : 2013-08-27 Binky Moon, LLC
 estate

-// esurance : 2015-07-23 Esurance Insurance Company
-esurance
-
 // etisalat : 2015-09-03 Emirates Telecommunications Corporation (trading as Etisalat)
 etisalat

@@ -8171,7 +8167,7 @@ fit
 // fitness : 2014-03-06 Binky Moon, LLC
 fitness

-// flickr : 2015-04-02 Yahoo! Domain Services Inc.
+// flickr : 2015-04-02 Flickr, Inc.
 flickr

 // flights : 2013-12-05 Binky Moon, LLC
@@ -8867,7 +8863,7 @@ lixil
 // llc : 2017-12-14 Afilias Limited
 llc

-// llp : 2019-08-26 Dot Registry LLC
+// llp : 2019-08-26 Uniregistry, Corp.
 llp

 // loan : 2014-11-20 dot Loan Limited
@@ -9674,9 +9670,6 @@ science
 // scjohnson : 2015-07-23 Johnson Shareholdings, Inc.
 scjohnson

-// scor : 2014-10-31 SCOR SE
-scor
-
 // scot : 2014-01-23 Dot Scot Registry Limited
 scot

@@ -10666,6 +10659,9 @@ cc.ua
 inf.ua
 ltd.ua

+// 611coin : https://611project.org/
+611.to
+
 // Adobe : https://www.adobe.com/
 // Submitted by Ian Boston <boston@adobe.com>
 adobeaemcloud.com
@@ -10685,6 +10681,10 @@ barsy.ca
 *.compute.estate
 *.alces.network

+// all-inkl.com : https://all-inkl.com
+// Submitted by Werner Kaltofen <wk@all-inkl.com>
+kasserver.com
+
 // Altervista: https://www.altervista.org
 // Submitted by Carlo Cannas <tech_staff@altervista.it>
 altervista.org
@@ -10849,8 +10849,11 @@ backplaneapp.io
 balena-devices.com

 // Banzai Cloud
-// Submitted by Gabor Kozma <info@banzaicloud.com>
+// Submitted by Janos Matyas <info@banzaicloud.com>
+*.banzai.cloud
 app.banzaicloud.io
+*.backyards.banzaicloud.io
+

 // BetaInABox
 // Submitted by Adrian <adrian@betainabox.com>
@@ -11193,6 +11196,9 @@ drud.us
 // Submitted by Richard Harper <richard@duckdns.org>
 duckdns.org

+// bitbridge.net : Submitted by Craig Welch, abeliidev@gmail.com
+bitbridge.net
+
 // dy.fi : http://dy.fi/
 // Submitted by Heikki Hannikainen <hessu@hes.iki.fi>
 dy.fi
@@ -11728,12 +11734,11 @@ global.ssl.fastly.net

 // FASTVPS EESTI OU : https://fastvps.ru/
 // Submitted by Likhachev Vasiliy <lihachev@fastvps.ru>
-fastpanel.direct
 fastvps-server.com
-myfast.space
+fastvps.host
 myfast.host
 fastvps.site
-fastvps.host
+myfast.space

 // Featherhead : https://featherhead.xyz/
 // Submitted by Simon Menke <simon@featherhead.xyz>
@@ -11772,6 +11777,12 @@ filegear-sg.me
 // Submitted by Chris Raynor <chris@firebase.com>
 firebaseapp.com

+// fly.io: https://fly.io
+// Submitted by Kurt Mackey <kurt@fly.io>
+fly.dev
+edgeapp.net
+shw.io
+
 // Flynn : https://flynn.io
 // Submitted by Jonathan Rudenberg <jonathan@flynn.io>
 flynnhosting.net
@@ -11793,6 +11804,10 @@ freeboxos.fr
 // Submitted by Daniel Stone <daniel@fooishbar.org>
 freedesktop.org

+// FunkFeuer - Verein zur Förderung freier Netze : https://www.funkfeuer.at
+// Submitted by Daniel A. Maierhofer <vorstand@funkfeuer.at>
+wien.funkfeuer.at
+
 // Futureweb OG : http://www.futureweb.at
 // Submitted by Andreas Schnederle-Wagner <schnederle@futureweb.at>
 *.futurecms.at
@@ -11816,6 +11831,7 @@ usercontent.jp
 // Gentlent, Inc. : https://www.gentlent.com
 // Submitted by Tom Klein <tom@gentlent.com>
 gentapps.com
+gentlentapis.com
 lab.ms

 // GitHub, Inc.
@@ -11827,6 +11843,10 @@ githubusercontent.com
 // Submitted by Alex Hanselka <alex@gitlab.com>
 gitlab.io

+// Gitplac.si - https://gitplac.si
+// Submitted by Aljaž Starc <me@aljaxus.eu>
+gitpage.si
+
 // Glitch, Inc : https://glitch.com
 // Submitted by Mads Hartmann <mads@glitch.com>
 glitch.me
@@ -12006,6 +12026,9 @@ ngo.ng
 ng.school
 sch.so

+// HostyHosting (hostyhosting.com)
+hostyhosting.io
+
 // Häkkinen.fi
 // Submitted by Eero Häkkinen <Eero+psl@Häkkinen.fi>
 häkkinen.fi
@@ -12089,6 +12112,15 @@ iserv.dev
 // Submitted by Yuji Minagawa <domains-admin@iodata.jp>
 iobb.net

+//Jelastic, Inc. : https://jelastic.com/
+// Submitetd by Ihor Kolodyuk <ik@jelastic.com>
+hidora.com
+demo.jelastic.com
+j.scaleforce.com.cy
+mircloud.host
+jls-sto1.elastx.net
+j.layershift.co.uk
+
 // Jino : https://www.jino.ru
 // Submitted by Sergey Ulyashin <ulyashin@jino.ru>
 myjino.ru
@@ -12174,7 +12206,8 @@ linkyard-cloud.ch
 // Linode : https://linode.com
 // Submitted by <security@linode.com>
 members.linode.com
-nodebalancer.linode.com
+*.nodebalancer.linode.com
+*.linodeobjects.com

 // LiquidNet Ltd : http://www.liquidnetlimited.com/
 // Submitted by Victor Velchev <admin@liquidnetlimited.com>
@@ -12313,9 +12346,7 @@ nctu.me

 // Netlify : https://www.netlify.com
 // Submitted by Jessica Parsons <jessica@netlify.com>
-bitballoon.com
 netlify.app
-netlify.com

 // Neustar Inc.
 // Submitted by Trung Tran <Trung.Tran@neustar.biz>
@@ -12562,6 +12593,10 @@ outsystemscloud.com
 ownprovider.com
 own.pm

+// OwO : https://whats-th.is/
+// Submitted by Dean Sheather <dean@deansheather.com>
+*.owo.codes
+
 // OX : http://www.ox.rs
 // Submitted by Adam Grand <webmaster@mail.ox.rs>
 ox.rs
@@ -12578,6 +12613,10 @@ pgfog.com
 // Submitted by Jason Kriss <jason@pagefronthq.com>
 pagefrontapp.com

+// PageXL : https://pagexl.com
+// Submitted by Yann Guichard <yann@pagexl.com>
+pagexl.com
+
 // .pl domains (grandfathered)
 art.pl
 gliwice.pl
@@ -12614,6 +12653,12 @@ platter-app.com
 platter-app.dev
 platterp.us

+// Plesk : https://www.plesk.com/
+// Submitted by Anton Akhtyamov <program-managers@plesk.com>
+pdns.page
+plesk.page
+pleskns.com
+
 // Port53 : https://port53.io/
 // Submitted by Maximilian Schieder <maxi@zeug.co>
 dyn53.io
@@ -12696,6 +12741,10 @@ vaporcloud.io
 rackmaze.com
 rackmaze.net

+// Rakuten Games, Inc : https://dev.viberplay.io
+// Submitted by Joshua Zhang <public-suffix@rgames.jp>
+g.vbrplsbx.io
+
 // Rancher Labs, Inc : https://rancher.com
 // Submitted by Vincent Fiduccia <domains@rancher.com>
 *.on-k3s.io
@@ -12773,6 +12822,10 @@ my-firewall.org
 myfirewall.org
 spdns.org

+// Seidat : https://www.seidat.com
+// Submitted by Artem Kondratev <accounts@seidat.com>
+seidat.net
+
 // Senseering GmbH : https://www.senseering.de
 // Submitted by Felix Mönckemeyer <f.moenckemeyer@senseering.de>
 senseering.net
@@ -13022,6 +13075,12 @@ lib.de.us
 // Submitted by Danko Aleksejevs <danko@very.lv>
 2038.io

+// Vercel, Inc : https://vercel.com/
+// Submitted by Connor Davis <security@vercel.com>
+vercel.app
+vercel.dev
+now.sh
+
 // Viprinet Europe GmbH : http://www.viprinet.com
 // Submitted by Simon Kissel <hostmaster@viprinet.com>
 router.management
@@ -13034,6 +13093,49 @@ v-info.info
 // Submitted by Nathan van Bakel <info@voorloper.com>
 voorloper.cloud

+// Voxel.sh DNS : https://voxel.sh/dns/
+// Submitted by Mia Rehlinger <dns@voxel.sh>
+neko.am
+nyaa.am
+be.ax
+cat.ax
+es.ax
+eu.ax
+gg.ax
+mc.ax
+us.ax
+xy.ax
+nl.ci
+xx.gl
+app.gp
+blog.gt
+de.gt
+to.gt
+be.gy
+cc.hn
+blog.kg
+io.kg
+jp.kg
+tv.kg
+uk.kg
+us.kg
+de.ls
+at.md
+de.md
+jp.md
+to.md
+uwu.nu
+indie.porn
+vxl.sh
+ch.tc
+me.tc
+we.tc
+nyan.to
+at.vg
+blog.vu
+dev.vu
+me.vu
+
 // V.UA Domain Administrator : https://domain.v.ua/
 // Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua>
 v.ua
@@ -13125,10 +13227,6 @@ noho.st
 za.net
 za.org

-// Zeit, Inc. : https://zeit.domains/
-// Submitted by Olli Vanhoja <olli@zeit.co>
-now.sh
-
 // Zine EOOD : https://zine.bg/
 // Submitted by Martin Angelov <martin@zine.bg>
 bss.design
@@ -1149,4 +1149,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {

 static const int32_t kUnknownId = -1;

-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1598536948620000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1600697271966000);