Issue #1258 - Part 1: Import mailnews, ldap, and mork from comm-esr52.9.1

1 files changed, 1076 insertions, 0 deletions

diff --git a/mailnews/base/src/nsMsgContentPolicy.cpp b/mailnews/base/src/nsMsgContentPolicy.cpp
new file mode 100644
index 000000000..ebc02635f
--- /dev/null
+++ b/mailnews/base/src/nsMsgContentPolicy.cpp
@@ -0,0 +1,1076 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsMsgContentPolicy.h"
+#include "nsIPermissionManager.h"
+#include "nsIPrefService.h"
+#include "nsIPrefBranch.h"
+#include "nsIAbManager.h"
+#include "nsIAbDirectory.h"
+#include "nsIAbCard.h"
+#include "nsIMsgWindow.h"
+#include "nsIMimeMiscStatus.h"
+#include "nsIMsgHdr.h"
+#include "nsIEncryptedSMIMEURIsSrvc.h"
+#include "nsNetUtil.h"
+#include "nsIMsgComposeService.h"
+#include "nsMsgCompCID.h"
+#include "nsIDocShellTreeItem.h"
+#include "nsIWebNavigation.h"
+#include "nsContentPolicyUtils.h"
+#include "nsIDOMHTMLImageElement.h"
+#include "nsIFrameLoader.h"
+#include "nsIWebProgress.h"
+#include "nsMsgUtils.h"
+#include "nsThreadUtils.h"
+#include "mozilla/mailnews/MimeHeaderParser.h"
+#include "nsINntpUrl.h"
+#include "nsSandboxFlags.h"
+
+static const char kBlockRemoteImages[] = "mailnews.message_display.disable_remote_image";
+static const char kAllowPlugins[] = "mailnews.message_display.allow_plugins";
+static const char kTrustedDomains[] =  "mail.trusteddomains";
+
+using namespace mozilla::mailnews;
+
+// Per message headder flags to keep track of whether the user is allowing remote
+// content for a particular message.
+// if you change or add more values to these constants, be sure to modify
+// the corresponding definitions in mailWindowOverlay.js
+#define kNoRemoteContentPolicy 0
+#define kBlockRemoteContent 1
+#define kAllowRemoteContent 2
+
+NS_IMPL_ISUPPORTS(nsMsgContentPolicy,
+                  nsIContentPolicy,
+                  nsIWebProgressListener,
+                  nsIMsgContentPolicy,
+                  nsIObserver,
+                  nsISupportsWeakReference)
+
+nsMsgContentPolicy::nsMsgContentPolicy()
+{
+  mAllowPlugins = false;
+  mBlockRemoteImages = true;
+}
+
+nsMsgContentPolicy::~nsMsgContentPolicy()
+{
+  // hey, we are going away...clean up after ourself....unregister our observer
+  nsresult rv;
+  nsCOMPtr<nsIPrefBranch> prefInternal = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+  if (NS_SUCCEEDED(rv))
+  {
+    prefInternal->RemoveObserver(kBlockRemoteImages, this);
+    prefInternal->RemoveObserver(kAllowPlugins, this);
+  }
+}
+
+nsresult nsMsgContentPolicy::Init()
+{
+  nsresult rv;
+
+  // register ourself as an observer on the mail preference to block remote images
+  nsCOMPtr<nsIPrefBranch> prefInternal = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  prefInternal->AddObserver(kBlockRemoteImages, this, true);
+  prefInternal->AddObserver(kAllowPlugins, this, true);
+
+  prefInternal->GetBoolPref(kAllowPlugins, &mAllowPlugins);
+  prefInternal->GetCharPref(kTrustedDomains, getter_Copies(mTrustedMailDomains));
+  prefInternal->GetBoolPref(kBlockRemoteImages, &mBlockRemoteImages);
+
+  // Grab a handle on the PermissionManager service for managing allowed remote
+  // content senders.
+  mPermissionManager = do_GetService(NS_PERMISSIONMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  return NS_OK;
+}
+
+/**
+ * @returns true if the sender referenced by aMsgHdr is explicitly allowed to
+ *          load remote images according to the PermissionManager
+ */
+bool
+nsMsgContentPolicy::ShouldAcceptRemoteContentForSender(nsIMsgDBHdr *aMsgHdr)
+{
+  if (!aMsgHdr)
+    return false;
+
+  // extract the e-mail address from the msg hdr
+  nsCString author;
+  nsresult rv = aMsgHdr->GetAuthor(getter_Copies(author));
+  NS_ENSURE_SUCCESS(rv, false);
+
+  nsCString emailAddress;
+  ExtractEmail(EncodedHeader(author), emailAddress);
+  if (emailAddress.IsEmpty())
+    return false;
+
+  nsCOMPtr<nsIIOService> ios = do_GetService("@mozilla.org/network/io-service;1", &rv);
+  NS_ENSURE_SUCCESS(rv, false);
+  nsCOMPtr<nsIURI> mailURI;
+  emailAddress.Insert("chrome://messenger/content/email=", 0);
+  rv = ios->NewURI(emailAddress, nullptr, nullptr, getter_AddRefs(mailURI));
+  NS_ENSURE_SUCCESS(rv, false);
+
+  // check with permission manager
+  uint32_t permission = 0;
+  rv = mPermissionManager->TestPermission(mailURI, "image", &permission);
+  NS_ENSURE_SUCCESS(rv, false);
+
+  // Only return true if the permission manager has an explicit allow
+  return (permission == nsIPermissionManager::ALLOW_ACTION);
+}
+
+/**
+ * Extract the host name from aContentLocation, and look it up in our list
+ * of trusted domains.
+ */
+bool nsMsgContentPolicy::IsTrustedDomain(nsIURI * aContentLocation)
+{
+  bool trustedDomain = false;
+  // get the host name of the server hosting the remote image
+  nsAutoCString host;
+  nsresult rv = aContentLocation->GetHost(host);
+
+  if (NS_SUCCEEDED(rv) && !mTrustedMailDomains.IsEmpty())
+    trustedDomain = MsgHostDomainIsTrusted(host, mTrustedMailDomains);
+
+  return trustedDomain;
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::ShouldLoad(uint32_t          aContentType,
+                               nsIURI           *aContentLocation,
+                               nsIURI           *aRequestingLocation,
+                               nsISupports      *aRequestingContext,
+                               const nsACString &aMimeGuess,
+                               nsISupports      *aExtra,
+                               nsIPrincipal     *aRequestPrincipal,
+                               int16_t          *aDecision)
+{
+  nsresult rv = NS_OK;
+  // The default decision at the start of the function is to accept the load.
+  // Once we have checked the content type and the requesting location, then
+  // we switch it to reject.
+  //
+  // Be very careful about returning error codes - if this method returns an
+  // NS_ERROR_*, any decision made here will be ignored, and the document could
+  // be accepted when we don't want it to be.
+  //
+  // In most cases if an error occurs, its something we didn't expect so we
+  // should be rejecting the document anyway.
+  *aDecision = nsIContentPolicy::ACCEPT;
+
+  NS_ENSURE_ARG_POINTER(aContentLocation);
+
+#ifdef DEBUG_MsgContentPolicy
+  fprintf(stderr, "aContentType: %d\naContentLocation = %s\n",
+          aContentType,
+          aContentLocation->GetSpecOrDefault().get());
+#endif
+
+#ifndef MOZ_THUNDERBIRD
+  // Go find out if we are dealing with mailnews. Anything else
+  // isn't our concern and we accept content.
+  nsCOMPtr<nsIDocShell> rootDocShell;
+  rv = GetRootDocShellForContext(aRequestingContext,
+                                 getter_AddRefs(rootDocShell));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  uint32_t appType;
+  rv = rootDocShell->GetAppType(&appType);
+  // We only want to deal with mailnews
+  if (NS_FAILED(rv) || appType != nsIDocShell::APP_TYPE_MAIL)
+    return NS_OK;
+#endif
+
+  switch(aContentType) {
+    // Plugins (nsIContentPolicy::TYPE_OBJECT) are blocked on document load.
+  case nsIContentPolicy::TYPE_DOCUMENT:
+    // At this point, we have no intention of supporting a different JS
+    // setting on a subdocument, so we don't worry about TYPE_SUBDOCUMENT here.
+
+    // If the timing were right, we'd enable JavaScript on the docshell
+    // for non mailnews URIs here.  However, at this point, the
+    // old document may still be around, so we can't do any enabling just yet.
+    // Instead, we apply the policy in nsIWebProgressListener::OnLocationChange.
+    // For now, we explicitly disable JavaScript in order to be safe rather than
+    // sorry, because OnLocationChange isn't guaranteed to necessarily be called
+    // soon enough to disable it in time (though bz says it _should_ be called
+    // soon enough "in all sane cases").
+    rv = SetDisableItemsOnMailNewsUrlDocshells(aContentLocation,
+                                               aRequestingContext);
+    // if something went wrong during the tweaking, reject this content
+    if (NS_FAILED(rv)) {
+      NS_WARNING("Failed to set disable items on docShells");
+      *aDecision = nsIContentPolicy::REJECT_TYPE;
+      return NS_OK;
+    }
+    break;
+
+  case nsIContentPolicy::TYPE_CSP_REPORT:
+    // We cannot block CSP reports.
+    *aDecision = nsIContentPolicy::ACCEPT;
+    return NS_OK;
+    break;
+
+  default:
+    break;
+  }
+
+  // NOTE: Not using NS_ENSURE_ARG_POINTER because this is a legitimate case
+  // that can happen.  Also keep in mind that the default policy used for a
+  // failure code is ACCEPT.
+  if (!aRequestingLocation)
+    return NS_ERROR_INVALID_POINTER;
+
+#ifdef DEBUG_MsgContentPolicy
+  fprintf(stderr, "aRequestingLocation = %s\n", aRequestingLocation->GetSpecOrDefault().get());
+#endif
+
+  // If the requesting location is safe, accept the content location request.
+  if (IsSafeRequestingLocation(aRequestingLocation))
+    return rv;
+
+  // Now default to reject so early returns via NS_ENSURE_SUCCESS
+  // cause content to be rejected.
+  *aDecision = nsIContentPolicy::REJECT_REQUEST;
+
+  // We want to establish the following:
+  // \--------\  requester    |               |              |
+  // content   \------------\ |               |              |
+  // requested               \| mail message  | news message | http(s)/data etc.
+  // -------------------------+---------------+--------------+------------------
+  // mail message content     | load if same  | don't load   | don't load
+  // mailbox, imap, JsAccount | message (1)   | (2)          | (3)
+  // -------------------------+---------------+--------------+------------------
+  // news message             | don't load (4)| load (5)     | load (6)
+  // -------------------------+---------------+--------------+------------------
+  // http(s)/data, etc.       | (default)     | (default)    | (default)
+  // -------------------------+---------------+--------------+------------------
+  nsCOMPtr<nsIMsgMessageUrl> contentURL(do_QueryInterface(aContentLocation));
+  if (contentURL) {
+    nsCOMPtr<nsINntpUrl> contentNntpURL(do_QueryInterface(aContentLocation));
+    if (!contentNntpURL) {
+      // Mail message (mailbox, imap or JsAccount) content requested, for example
+      // a message part, like an image:
+      // To load mail message content the requester must have the same
+      // "normalised" principal. This is basically a "same origin" test, it
+      // protects against cross-loading of mail message content from
+      // other mail or news messages.
+      nsCOMPtr<nsIMsgMessageUrl> requestURL(do_QueryInterface(aRequestingLocation));
+      // If the request URL is not also a message URL, then we don't accept.
+      if (requestURL) {
+        nsCString contentPrincipalSpec, requestPrincipalSpec;
+        nsresult rv1 = contentURL->GetPrincipalSpec(contentPrincipalSpec);
+        nsresult rv2 = requestURL->GetPrincipalSpec(requestPrincipalSpec);
+        if (NS_SUCCEEDED(rv1) && NS_SUCCEEDED(rv2) &&
+            contentPrincipalSpec.Equals(requestPrincipalSpec))
+          *aDecision = nsIContentPolicy::ACCEPT; // (1)
+      }
+      return NS_OK; // (2) and (3)
+    }
+
+    // News message content requested. Don't accept request coming
+    // from a mail message since it would access the news server.
+    nsCOMPtr<nsIMsgMessageUrl> requestURL(do_QueryInterface(aRequestingLocation));
+    if (requestURL) {
+      nsCOMPtr<nsINntpUrl> requestNntpURL(do_QueryInterface(aRequestingLocation));
+      if (!requestNntpURL)
+        return NS_OK; // (4)
+    }
+    *aDecision = nsIContentPolicy::ACCEPT; // (5) and (6)
+    return NS_OK;
+  }
+
+  // If exposed protocol not covered by the test above or protocol that has been
+  // specifically exposed by an add-on, or is a chrome url, then allow the load.
+  if (IsExposedProtocol(aContentLocation))
+  {
+    *aDecision = nsIContentPolicy::ACCEPT;
+    return NS_OK;
+  }
+
+  // never load unexposed protocols except for http, https and file.
+  // Protocols like ftp are always blocked.
+  if (ShouldBlockUnexposedProtocol(aContentLocation))
+    return NS_OK;
+
+
+  // Find out the URI that originally initiated the set of requests for this
+  // context.
+  nsCOMPtr<nsIURI> originatorLocation;
+  if (!aRequestingContext && aRequestPrincipal)
+  {
+    // Can get the URI directly from the principal.
+    rv = aRequestPrincipal->GetURI(getter_AddRefs(originatorLocation));
+  }
+  else
+  {
+    rv = GetOriginatingURIForContext(aRequestingContext,
+                                     getter_AddRefs(originatorLocation));
+  }
+  NS_ENSURE_SUCCESS(rv, NS_OK);
+
+#ifdef DEBUG_MsgContentPolicy
+  fprintf(stderr, "originatorLocation = %s\n", originatorLocation->GetSpecOrDefault().get());
+#endif
+
+  // Don't load remote content for encrypted messages.
+  nsCOMPtr<nsIEncryptedSMIMEURIsService> encryptedURIService =
+    do_GetService("@mozilla.org/messenger-smime/smime-encrypted-uris-service;1", &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+  bool isEncrypted;
+  rv = encryptedURIService->IsEncrypted(aRequestingLocation->GetSpecOrDefault(), &isEncrypted);
+  NS_ENSURE_SUCCESS(rv, rv);
+  if (isEncrypted)
+  {
+    *aDecision = nsIContentPolicy::REJECT_REQUEST;
+    NotifyContentWasBlocked(originatorLocation, aContentLocation, false);
+    return NS_OK;
+  }
+
+  // If we are allowing all remote content...
+  if (!mBlockRemoteImages)
+  {
+    *aDecision = nsIContentPolicy::ACCEPT;
+    return NS_OK;
+  }
+
+  // Extract the windowtype to handle compose windows separately from mail
+  if (aRequestingContext)
+  {
+    nsCOMPtr<nsIMsgCompose> msgCompose =
+      GetMsgComposeForContext(aRequestingContext);
+    // Work out if we're in a compose window or not.
+    if (msgCompose)
+    {
+      ComposeShouldLoad(msgCompose, aRequestingContext, aContentLocation,
+                        aDecision);
+      return NS_OK;
+    }
+  }
+
+  // Allow content when using a remote page.
+  bool isHttp;
+  bool isHttps;
+  rv = originatorLocation->SchemeIs("http", &isHttp);
+  nsresult rv2 = originatorLocation->SchemeIs("https", &isHttps);
+  if (NS_SUCCEEDED(rv) && NS_SUCCEEDED(rv2) && (isHttp || isHttps))
+  {
+    *aDecision = nsIContentPolicy::ACCEPT;
+    return NS_OK;
+  }
+
+  uint32_t permission;
+  mPermissionManager->TestPermission(aContentLocation, "image", &permission);
+  switch (permission) {
+    case nsIPermissionManager::UNKNOWN_ACTION:
+    {
+      // No exception was found for this location.
+      break;
+    }
+    case nsIPermissionManager::ALLOW_ACTION:
+    {
+      *aDecision = nsIContentPolicy::ACCEPT;
+      return NS_OK;
+    }
+    case nsIPermissionManager::DENY_ACTION:
+    {
+      *aDecision = nsIContentPolicy::REJECT_REQUEST;
+      return NS_OK;
+    }
+  }
+
+  // The default decision is still to reject.
+  ShouldAcceptContentForPotentialMsg(originatorLocation, aContentLocation,
+                                     aDecision);
+  return NS_OK;
+}
+
+/**
+ * Determines if the requesting location is a safe one, i.e. its under the
+ * app/user's control - so file, about, chrome etc.
+ */
+bool
+nsMsgContentPolicy::IsSafeRequestingLocation(nsIURI *aRequestingLocation)
+{
+  if (!aRequestingLocation)
+    return false;
+
+  // If aRequestingLocation is one of chrome, resource, file or view-source,
+  // allow aContentLocation to load.
+  bool isChrome;
+  bool isRes;
+  bool isFile;
+  bool isViewSource;
+
+  nsresult rv = aRequestingLocation->SchemeIs("chrome", &isChrome);
+  NS_ENSURE_SUCCESS(rv, false);
+  rv = aRequestingLocation->SchemeIs("resource", &isRes);
+  NS_ENSURE_SUCCESS(rv, false);
+  rv = aRequestingLocation->SchemeIs("file", &isFile);
+  NS_ENSURE_SUCCESS(rv, false);
+  rv = aRequestingLocation->SchemeIs("view-source", &isViewSource);
+  NS_ENSURE_SUCCESS(rv, false);
+
+  if (isChrome || isRes || isFile || isViewSource)
+    return true;
+
+  // Only allow about: to load anything if the requesting location is not the
+  // special about:blank one.
+  bool isAbout;
+  rv = aRequestingLocation->SchemeIs("about", &isAbout);
+  NS_ENSURE_SUCCESS(rv, false);
+
+  if (!isAbout)
+    return false;
+
+  nsCString fullSpec;
+  rv = aRequestingLocation->GetSpec(fullSpec);
+  NS_ENSURE_SUCCESS(rv, false);
+
+  return !fullSpec.EqualsLiteral("about:blank");
+}
+
+/**
+ * Determines if the content location is a scheme that we're willing to expose
+ * for unlimited loading of content.
+ */
+bool
+nsMsgContentPolicy::IsExposedProtocol(nsIURI *aContentLocation)
+{
+  nsAutoCString contentScheme;
+  nsresult rv = aContentLocation->GetScheme(contentScheme);
+  NS_ENSURE_SUCCESS(rv, false);
+
+  // Check some exposed protocols. Not all protocols in the list of
+  // network.protocol-handler.expose.* prefs in all-thunderbird.js are
+  // admitted purely based on their scheme.
+  // news, snews, nntp, imap and mailbox are checked before the call
+  // to this function by matching content location and requesting location.
+  if (MsgLowerCaseEqualsLiteral(contentScheme, "mailto") ||
+      MsgLowerCaseEqualsLiteral(contentScheme, "addbook") ||
+      MsgLowerCaseEqualsLiteral(contentScheme, "about"))
+    return true;
+
+  // check if customized exposed scheme
+  if (mCustomExposedProtocols.Contains(contentScheme))
+    return true;
+
+  bool isData;
+  bool isChrome;
+  bool isRes;
+  rv = aContentLocation->SchemeIs("chrome", &isChrome);
+  NS_ENSURE_SUCCESS(rv, false);
+  rv = aContentLocation->SchemeIs("resource", &isRes);
+  NS_ENSURE_SUCCESS(rv, false);
+  rv = aContentLocation->SchemeIs("data", &isData);
+  NS_ENSURE_SUCCESS(rv, false);
+
+  return isChrome || isRes || isData;
+}
+
+/**
+ * We block most unexposed protocols - apart from http(s) and file.
+ */
+bool
+nsMsgContentPolicy::ShouldBlockUnexposedProtocol(nsIURI *aContentLocation)
+{
+  bool isHttp;
+  bool isHttps;
+  bool isFile;
+  // Error condition - we must return true so that we block.
+  nsresult rv = aContentLocation->SchemeIs("http", &isHttp);
+  NS_ENSURE_SUCCESS(rv, true);
+  rv = aContentLocation->SchemeIs("https", &isHttps);
+  NS_ENSURE_SUCCESS(rv, true);
+  rv = aContentLocation->SchemeIs("file", &isFile);
+  NS_ENSURE_SUCCESS(rv, true);
+
+  return !isHttp && !isHttps && !isFile;
+}
+
+/**
+ * The default for this function will be to reject the content request.
+ * When determining if to allow the request for a given msg hdr, the function
+ * will go through the list of remote content blocking criteria:
+ *
+ * #1 Allow if there is a db header for a manual override.
+ * #2 Allow if the message is in an RSS folder.
+ * #3 Allow if the domain for the remote image in our white list.
+ * #4 Allow if the author has been specifically white listed.
+ */
+int16_t
+nsMsgContentPolicy::ShouldAcceptRemoteContentForMsgHdr(nsIMsgDBHdr *aMsgHdr,
+                                                       nsIURI *aRequestingLocation,
+                                                       nsIURI *aContentLocation)
+{
+  if (!aMsgHdr)
+    return static_cast<int16_t>(nsIContentPolicy::REJECT_REQUEST);
+
+  // Case #1, check the db hdr for the remote content policy on this particular
+  // message.
+  uint32_t remoteContentPolicy = kNoRemoteContentPolicy;
+  aMsgHdr->GetUint32Property("remoteContentPolicy", &remoteContentPolicy);
+
+  // Case #2, check if the message is in an RSS folder
+  bool isRSS = false;
+  IsRSSArticle(aRequestingLocation, &isRSS);
+
+  // Case #3, the domain for the remote image is in our white list
+  bool trustedDomain = IsTrustedDomain(aContentLocation);
+
+  // Case 4 means looking up items in the permissions database. So if
+  // either of the two previous items means we load the data, just do it.
+  if (isRSS || remoteContentPolicy == kAllowRemoteContent || trustedDomain)
+    return nsIContentPolicy::ACCEPT;
+
+  // Case #4, author is in our white list..
+  bool allowForSender = ShouldAcceptRemoteContentForSender(aMsgHdr);
+
+  int16_t result = allowForSender ?
+    static_cast<int16_t>(nsIContentPolicy::ACCEPT) :
+    static_cast<int16_t>(nsIContentPolicy::REJECT_REQUEST);
+
+  // kNoRemoteContentPolicy means we have never set a value on the message
+  if (result == nsIContentPolicy::REJECT_REQUEST && !remoteContentPolicy)
+    aMsgHdr->SetUint32Property("remoteContentPolicy", kBlockRemoteContent);
+
+  return result;
+}
+
+class RemoteContentNotifierEvent : public mozilla::Runnable
+{
+public:
+  RemoteContentNotifierEvent(nsIMsgWindow *aMsgWindow, nsIMsgDBHdr *aMsgHdr,
+                             nsIURI *aContentURI, bool aCanOverride = true)
+    : mMsgWindow(aMsgWindow), mMsgHdr(aMsgHdr), mContentURI(aContentURI),
+    mCanOverride(aCanOverride)
+  {}
+
+  NS_IMETHOD Run()
+  {
+    if (mMsgWindow)
+    {
+      nsCOMPtr<nsIMsgHeaderSink> msgHdrSink;
+      (void)mMsgWindow->GetMsgHeaderSink(getter_AddRefs(msgHdrSink));
+      if (msgHdrSink)
+        msgHdrSink->OnMsgHasRemoteContent(mMsgHdr, mContentURI, mCanOverride);
+    }
+    return NS_OK;
+  }
+
+private:
+  nsCOMPtr<nsIMsgWindow> mMsgWindow;
+  nsCOMPtr<nsIMsgDBHdr> mMsgHdr;
+  nsCOMPtr<nsIURI> mContentURI;
+  bool mCanOverride;
+};
+
+/**
+ * This function is used to show a blocked remote content notification.
+ */
+void
+nsMsgContentPolicy::NotifyContentWasBlocked(nsIURI *aOriginatorLocation,
+                                            nsIURI *aContentLocation,
+                                            bool aCanOverride)
+{
+  // Is it a mailnews url?
+  nsresult rv;
+  nsCOMPtr<nsIMsgMessageUrl> msgUrl(do_QueryInterface(aOriginatorLocation,
+                                                      &rv));
+  if (NS_FAILED(rv))
+  {
+    return;
+  }
+
+  nsCString resourceURI;
+  rv = msgUrl->GetUri(getter_Copies(resourceURI));
+  NS_ENSURE_SUCCESS_VOID(rv);
+
+  nsCOMPtr<nsIMsgMailNewsUrl> mailnewsUrl(do_QueryInterface(aOriginatorLocation, &rv));
+  NS_ENSURE_SUCCESS_VOID(rv);
+
+  nsCOMPtr<nsIMsgDBHdr> msgHdr;
+  rv = GetMsgDBHdrFromURI(resourceURI.get(), getter_AddRefs(msgHdr));
+  if (NS_FAILED(rv))
+  {
+    // Maybe we can get a dummy header.
+    nsCOMPtr<nsIMsgWindow> msgWindow;
+    rv = mailnewsUrl->GetMsgWindow(getter_AddRefs(msgWindow));
+    if (msgWindow)
+    {
+      nsCOMPtr<nsIMsgHeaderSink> msgHdrSink;
+      rv = msgWindow->GetMsgHeaderSink(getter_AddRefs(msgHdrSink));
+      if (msgHdrSink)
+        rv = msgHdrSink->GetDummyMsgHeader(getter_AddRefs(msgHdr));
+    }
+  }
+
+  nsCOMPtr<nsIMsgWindow> msgWindow;
+  (void)mailnewsUrl->GetMsgWindow(getter_AddRefs(msgWindow));
+  if (msgWindow)
+  {
+    nsCOMPtr<nsIRunnable> event =
+      new RemoteContentNotifierEvent(msgWindow, msgHdr, aContentLocation, aCanOverride);
+    // Post this as an event because it can cause dom mutations, and we
+    // get called at a bad time to be causing dom mutations.
+    if (event)
+      NS_DispatchToCurrentThread(event);
+  }
+}
+
+/**
+ * This function is used to determine if we allow content for a remote message.
+ * If we reject loading remote content, then we'll inform the message window
+ * that this message has remote content (and hence we are not loading it).
+ *
+ * See ShouldAcceptRemoteContentForMsgHdr for the actual decisions that
+ * determine if we are going to allow remote content.
+ */
+void
+nsMsgContentPolicy::ShouldAcceptContentForPotentialMsg(nsIURI *aOriginatorLocation,
+                                                       nsIURI *aContentLocation,
+                                                       int16_t *aDecision)
+{
+  NS_PRECONDITION(*aDecision == nsIContentPolicy::REJECT_REQUEST,
+                  "AllowContentForPotentialMessage expects default decision to be reject!");
+
+  // Is it a mailnews url?
+  nsresult rv;
+  nsCOMPtr<nsIMsgMessageUrl> msgUrl(do_QueryInterface(aOriginatorLocation,
+                                                      &rv));
+  if (NS_FAILED(rv))
+  {
+    // It isn't a mailnews url - so we accept the load here, and let other
+    // content policies make the decision if we should be loading it or not.
+    *aDecision = nsIContentPolicy::ACCEPT;
+    return;
+  }
+
+  nsCString resourceURI;
+  rv = msgUrl->GetUri(getter_Copies(resourceURI));
+  NS_ENSURE_SUCCESS_VOID(rv);
+
+  nsCOMPtr<nsIMsgMailNewsUrl> mailnewsUrl(do_QueryInterface(aOriginatorLocation, &rv));
+  NS_ENSURE_SUCCESS_VOID(rv);
+
+  nsCOMPtr<nsIMsgDBHdr> msgHdr;
+  rv = GetMsgDBHdrFromURI(resourceURI.get(), getter_AddRefs(msgHdr));
+  if (NS_FAILED(rv))
+  {
+    // Maybe we can get a dummy header.
+    nsCOMPtr<nsIMsgWindow> msgWindow;
+    rv = mailnewsUrl->GetMsgWindow(getter_AddRefs(msgWindow));
+    if (msgWindow)
+    {
+      nsCOMPtr<nsIMsgHeaderSink> msgHdrSink;
+      rv = msgWindow->GetMsgHeaderSink(getter_AddRefs(msgHdrSink));
+      if (msgHdrSink)
+        rv = msgHdrSink->GetDummyMsgHeader(getter_AddRefs(msgHdr));
+    }
+  }
+
+  // Get a decision on whether or not to allow remote content for this message
+  // header.
+  *aDecision = ShouldAcceptRemoteContentForMsgHdr(msgHdr, aOriginatorLocation,
+                                                  aContentLocation);
+
+  // If we're not allowing the remote content, tell the nsIMsgWindow loading
+  // this url that this is the case, so that the UI knows to show the remote
+  // content header bar, so the user can override if they wish.
+  if (*aDecision == nsIContentPolicy::REJECT_REQUEST)
+  {
+    nsCOMPtr<nsIMsgWindow> msgWindow;
+    (void)mailnewsUrl->GetMsgWindow(getter_AddRefs(msgWindow));
+    if (msgWindow)
+    {
+      nsCOMPtr<nsIRunnable> event =
+        new RemoteContentNotifierEvent(msgWindow, msgHdr, aContentLocation);
+      // Post this as an event because it can cause dom mutations, and we
+      // get called at a bad time to be causing dom mutations.
+      if (event)
+        NS_DispatchToCurrentThread(event);
+    }
+  }
+}
+
+/**
+ * Content policy logic for compose windows
+ *
+ */
+void nsMsgContentPolicy::ComposeShouldLoad(nsIMsgCompose *aMsgCompose,
+                                           nsISupports *aRequestingContext,
+                                           nsIURI *aContentLocation,
+                                           int16_t *aDecision)
+{
+  NS_PRECONDITION(*aDecision == nsIContentPolicy::REJECT_REQUEST,
+                  "ComposeShouldLoad expects default decision to be reject!");
+
+  nsCString originalMsgURI;
+  nsresult rv = aMsgCompose->GetOriginalMsgURI(getter_Copies(originalMsgURI));
+  NS_ENSURE_SUCCESS_VOID(rv);
+
+  MSG_ComposeType composeType;
+  rv = aMsgCompose->GetType(&composeType);
+  NS_ENSURE_SUCCESS_VOID(rv);
+
+  // Only allow remote content for new mail compositions or mailto
+  // Block remote content for all other types (drafts, templates, forwards, replies, etc)
+  // unless there is an associated msgHdr which allows the load, or unless the image is being
+  // added by the user and not the quoted message content...
+  if (composeType == nsIMsgCompType::New ||
+      composeType == nsIMsgCompType::MailToUrl)
+    *aDecision = nsIContentPolicy::ACCEPT;
+  else if (!originalMsgURI.IsEmpty())
+  {
+    nsCOMPtr<nsIMsgDBHdr> msgHdr;
+    rv = GetMsgDBHdrFromURI(originalMsgURI.get(), getter_AddRefs(msgHdr));
+    NS_ENSURE_SUCCESS_VOID(rv);
+    *aDecision = ShouldAcceptRemoteContentForMsgHdr(msgHdr, nullptr,
+                                                    aContentLocation);
+
+    // Special case image elements. When replying to a message, we want to allow
+    // the user to add remote images to the message. But we don't want remote
+    // images that are a part of the quoted content to load. Hence we block them
+    // while the reply is created (insertingQuotedContent==true), but allow them
+    // later when the user inserts them.
+    if (*aDecision == nsIContentPolicy::REJECT_REQUEST)
+    {
+      bool insertingQuotedContent = true;
+      aMsgCompose->GetInsertingQuotedContent(&insertingQuotedContent);
+      nsCOMPtr<nsIDOMHTMLImageElement> imageElement(do_QueryInterface(aRequestingContext));
+      if (imageElement)
+      {
+        if (!insertingQuotedContent)
+        {
+          *aDecision = nsIContentPolicy::ACCEPT;
+          return;
+        }
+
+        // Test whitelist.
+        uint32_t permission;
+        mPermissionManager->TestPermission(aContentLocation, "image", &permission);
+        if (permission == nsIPermissionManager::ALLOW_ACTION)
+          *aDecision = nsIContentPolicy::ACCEPT;
+      }
+    }
+  }
+}
+
+already_AddRefed<nsIMsgCompose> nsMsgContentPolicy::GetMsgComposeForContext(nsISupports *aRequestingContext)
+{
+  nsresult rv;
+
+  nsIDocShell *shell = NS_CP_GetDocShellFromContext(aRequestingContext);
+  nsCOMPtr<nsIDocShellTreeItem> docShellTreeItem(do_QueryInterface(shell, &rv));
+  NS_ENSURE_SUCCESS(rv, nullptr);
+
+  nsCOMPtr<nsIDocShellTreeItem> rootItem;
+  rv = docShellTreeItem->GetSameTypeRootTreeItem(getter_AddRefs(rootItem));
+  NS_ENSURE_SUCCESS(rv, nullptr);
+
+  nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(rootItem, &rv));
+  NS_ENSURE_SUCCESS(rv, nullptr);
+
+  nsCOMPtr<nsIMsgComposeService> composeService(do_GetService(NS_MSGCOMPOSESERVICE_CONTRACTID, &rv));
+  NS_ENSURE_SUCCESS(rv, nullptr);
+
+  nsCOMPtr<nsIMsgCompose> msgCompose;
+  // Don't bother checking rv, as GetMsgComposeForDocShell returns NS_ERROR_FAILURE
+  // for not found.
+  composeService->GetMsgComposeForDocShell(docShell,
+                                           getter_AddRefs(msgCompose));
+  return msgCompose.forget();
+}
+
+nsresult nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells(
+  nsIURI *aContentLocation, nsISupports *aRequestingContext)
+{
+  // XXX if this class changes so that this method can be called from
+  // ShouldProcess, and if it's possible for this to be null when called from
+  // ShouldLoad, but not in the corresponding ShouldProcess call,
+  // we need to re-think the assumptions underlying this code.
+
+  // If there's no docshell to get to, there's nowhere for the JavaScript to
+  // run, so we're already safe and don't need to disable anything.
+  if (!aRequestingContext) {
+    return NS_OK;
+  }
+
+  nsresult rv;
+  bool isAllowedContent = !ShouldBlockUnexposedProtocol(aContentLocation);
+  nsCOMPtr<nsIMsgMessageUrl> msgUrl = do_QueryInterface(aContentLocation, &rv);
+  if (NS_FAILED(rv) && !isAllowedContent) {
+    // If it's not a mailnews url or allowed content url (http[s]|file) then
+    // bail; otherwise set whether js and plugins are allowed.
+    return NS_OK;
+  }
+
+  // since NS_CP_GetDocShellFromContext returns the containing docshell rather
+  // than the contained one we need, we can't use that here, so...
+  nsCOMPtr<nsIFrameLoaderOwner> flOwner = do_QueryInterface(aRequestingContext,
+                                                            &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIFrameLoader> frameLoader;
+  rv = flOwner->GetFrameLoaderXPCOM(getter_AddRefs(frameLoader));
+  NS_ENSURE_SUCCESS(rv, rv);
+  NS_ENSURE_TRUE(frameLoader, NS_ERROR_INVALID_POINTER);
+
+  nsCOMPtr<nsIDocShell> docShell;
+  rv = frameLoader->GetDocShell(getter_AddRefs(docShell));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIDocShellTreeItem> docshellTreeItem(do_QueryInterface(docShell, &rv));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // what sort of docshell is this?
+  int32_t itemType;
+  rv = docshellTreeItem->GetItemType(&itemType);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // we're only worried about policy settings in content docshells
+  if (itemType != nsIDocShellTreeItem::typeContent) {
+    return NS_OK;
+  }
+
+  if (!isAllowedContent) {
+    // Disable JavaScript on message URLs.
+    rv = docShell->SetAllowJavascript(false);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = docShell->SetAllowContentRetargetingOnChildren(false);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = docShell->SetAllowPlugins(mAllowPlugins);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    uint32_t sandboxFlags;
+    rv = docShell->GetSandboxFlags(&sandboxFlags);
+    sandboxFlags |= SANDBOXED_FORMS;
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = docShell->SetSandboxFlags(sandboxFlags);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+  else {
+    // JavaScript and plugins are allowed on non-message URLs.
+    rv = docShell->SetAllowJavascript(true);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = docShell->SetAllowContentRetargetingOnChildren(true);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = docShell->SetAllowPlugins(true);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  return NS_OK;
+}
+
+/**
+ * Gets the root docshell from a requesting context.
+ */
+nsresult
+nsMsgContentPolicy::GetRootDocShellForContext(nsISupports *aRequestingContext,
+                                              nsIDocShell **aDocShell)
+{
+  NS_ENSURE_ARG_POINTER(aRequestingContext);
+  nsresult rv;
+
+  nsIDocShell *shell = NS_CP_GetDocShellFromContext(aRequestingContext);
+  nsCOMPtr<nsIDocShellTreeItem> docshellTreeItem(do_QueryInterface(shell, &rv));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIDocShellTreeItem> rootItem;
+  rv = docshellTreeItem->GetRootTreeItem(getter_AddRefs(rootItem));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  return CallQueryInterface(rootItem, aDocShell);
+}
+
+/**
+ * Gets the originating URI that started off a set of requests, accounting
+ * for multiple iframes.
+ *
+ * Navigates up the docshell tree from aRequestingContext and finds the
+ * highest parent with the same type docshell as aRequestingContext, then
+ * returns the URI associated with that docshell.
+ */
+nsresult
+nsMsgContentPolicy::GetOriginatingURIForContext(nsISupports *aRequestingContext,
+                                                nsIURI **aURI)
+{
+  NS_ENSURE_ARG_POINTER(aRequestingContext);
+  nsresult rv;
+
+  nsIDocShell *shell = NS_CP_GetDocShellFromContext(aRequestingContext);
+  nsCOMPtr<nsIDocShellTreeItem> docshellTreeItem(do_QueryInterface(shell, &rv));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIDocShellTreeItem> rootItem;
+  rv = docshellTreeItem->GetSameTypeRootTreeItem(getter_AddRefs(rootItem));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIWebNavigation> webNavigation(do_QueryInterface(rootItem, &rv));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  return webNavigation->GetCurrentURI(aURI);
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::ShouldProcess(uint32_t          aContentType,
+                                  nsIURI           *aContentLocation,
+                                  nsIURI           *aRequestingLocation,
+                                  nsISupports      *aRequestingContext,
+                                  const nsACString &aMimeGuess,
+                                  nsISupports      *aExtra,
+                                  nsIPrincipal     *aRequestPrincipal,
+                                  int16_t          *aDecision)
+{
+  // XXX Returning ACCEPT is presumably only a reasonable thing to do if we
+  // think that ShouldLoad is going to catch all possible cases (i.e. that
+  // everything we use to make decisions is going to be available at
+  // ShouldLoad time, and not only become available in time for ShouldProcess).
+  // Do we think that's actually the case?
+  *aDecision = nsIContentPolicy::ACCEPT;
+  return NS_OK;
+}
+
+NS_IMETHODIMP nsMsgContentPolicy::Observe(nsISupports *aSubject, const char *aTopic, const char16_t *aData)
+{
+  if (!strcmp(NS_PREFBRANCH_PREFCHANGE_TOPIC_ID, aTopic))
+  {
+    NS_LossyConvertUTF16toASCII pref(aData);
+
+    nsresult rv;
+
+    nsCOMPtr<nsIPrefBranch> prefBranchInt = do_QueryInterface(aSubject, &rv);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    if (pref.Equals(kBlockRemoteImages))
+      prefBranchInt->GetBoolPref(kBlockRemoteImages, &mBlockRemoteImages);
+    if (pref.Equals(kAllowPlugins))
+      prefBranchInt->GetBoolPref(kAllowPlugins, &mAllowPlugins);
+  }
+
+  return NS_OK;
+}
+
+/**
+ * We implement the nsIWebProgressListener interface in order to enforce
+ * settings at onLocationChange time.
+ */
+NS_IMETHODIMP
+nsMsgContentPolicy::OnStateChange(nsIWebProgress *aWebProgress,
+                                  nsIRequest *aRequest, uint32_t aStateFlags,
+                                  nsresult aStatus)
+{
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::OnProgressChange(nsIWebProgress *aWebProgress,
+                                     nsIRequest *aRequest,
+                                     int32_t aCurSelfProgress,
+                                     int32_t aMaxSelfProgress,
+                                     int32_t aCurTotalProgress,
+                                     int32_t aMaxTotalProgress)
+{
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::OnLocationChange(nsIWebProgress *aWebProgress,
+                                     nsIRequest *aRequest, nsIURI *aLocation,
+                                     uint32_t aFlags)
+{
+  nsresult rv;
+
+  // If anything goes wrong and/or there's no docshell associated with this
+  // request, just give up.  The behavior ends up being "don't consider
+  // re-enabling JS on the docshell", which is the safe thing to do (and if
+  // the problem was that there's no docshell, that means that there was
+  // nowhere for any JavaScript to run, so we're already safe
+
+  nsCOMPtr<nsIDocShell> docShell = do_QueryInterface(aWebProgress, &rv);
+  if (NS_FAILED(rv)) {
+    return NS_OK;
+  }
+
+#ifdef DEBUG
+  nsCOMPtr<nsIChannel> channel = do_QueryInterface(aRequest, &rv);
+  if (NS_SUCCEEDED(rv)) {
+    nsCOMPtr<nsIDocShell> docShell2;
+    NS_QueryNotificationCallbacks(channel, docShell2);
+    NS_ASSERTION(docShell == docShell2, "aWebProgress and channel callbacks"
+                                        " do not point to the same docshell");
+  }
+#endif
+
+  nsCOMPtr<nsIMsgMessageUrl> messageUrl = do_QueryInterface(aLocation, &rv);
+
+  if (NS_SUCCEEDED(rv)) {
+    // Disable javascript on message URLs.
+    rv = docShell->SetAllowJavascript(false);
+    NS_ASSERTION(NS_SUCCEEDED(rv),
+                 "Failed to set javascript disabled on docShell");
+    // Also disable plugins if the preference requires it.
+    rv = docShell->SetAllowPlugins(mAllowPlugins);
+    NS_ASSERTION(NS_SUCCEEDED(rv),
+                 "Failed to set plugins disabled on docShell");
+  }
+  else {
+    // Disable javascript and plugins are allowed on non-message URLs.
+    rv = docShell->SetAllowJavascript(true);
+    NS_ASSERTION(NS_SUCCEEDED(rv),
+                 "Failed to set javascript allowed on docShell");
+    rv = docShell->SetAllowPlugins(true);
+    NS_ASSERTION(NS_SUCCEEDED(rv),
+                 "Failed to set plugins allowed on docShell");
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::OnStatusChange(nsIWebProgress *aWebProgress,
+                                   nsIRequest *aRequest, nsresult aStatus,
+                                   const char16_t *aMessage)
+{
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::OnSecurityChange(nsIWebProgress *aWebProgress,
+                                     nsIRequest *aRequest, uint32_t aState)
+{
+  return NS_OK;
+}
+
+/**
+ * Implementation of nsIMsgContentPolicy
+ *
+ */
+NS_IMETHODIMP
+nsMsgContentPolicy::AddExposedProtocol(const nsACString &aScheme)
+{
+  if (mCustomExposedProtocols.Contains(nsCString(aScheme)))
+    return NS_OK;
+
+  mCustomExposedProtocols.AppendElement(aScheme);
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsMsgContentPolicy::RemoveExposedProtocol(const nsACString &aScheme)
+{
+  mCustomExposedProtocols.RemoveElement(nsCString(aScheme));
+
+  return NS_OK;
+}
+