Bug 1415352: Part 4c - Use subject principal as the triggering principal for inline <style> nodes. r=bz

This change captures the subject principal when a scripted caller sets the
textContent or innerHTML property of a <style> node, and uses it as the
triggering principal for the resulting stylesheet.

If the node contents are modified in any way other than through textContent or
innerHTML, the triggering principal is forgotten (which is an intentional
design feature).

MozReview-Commit-ID: GacZFIB5BzS

dom/html/HTMLStyleElement.cpp

@@ -100,6 +100,7 @@ HTMLStyleElement::ContentRemoved(nsIDocument* aDocument,
 void
 HTMLStyleElement::ContentChanged(nsIContent* aContent)
 {
+  mTriggeringPrincipal = nullptr;
   if (nsContentUtils::IsInSameAnonymousTree(this, aContent)) {
     UpdateStyleSheetInternal(nullptr, nullptr);
   }
@@ -176,13 +177,23 @@ void
 HTMLStyleElement::SetInnerHTML(const nsAString& aInnerHTML,
                                nsIPrincipal& aScriptedPrincipal,
                                ErrorResult& aError)
+{
+  SetTextContentInternal(aInnerHTML, &aScriptedPrincipal, aError);
+}
+
+void
+HTMLStyleElement::SetTextContentInternal(const nsAString& aTextContent,
+                                         nsIPrincipal* aScriptedPrincipal,
+                                         ErrorResult& aError)
 {
   SetEnableUpdates(false);
 
-  aError = nsContentUtils::SetNodeTextContent(this, aInnerHTML, true);
+  aError = nsContentUtils::SetNodeTextContent(this, aTextContent, true);
 
   SetEnableUpdates(true);
 
+  mTriggeringPrincipal = aScriptedPrincipal;
+
   UpdateStyleSheetInternal(nullptr, nullptr);
 }
 
@@ -190,7 +201,7 @@ already_AddRefed<nsIURI>
 HTMLStyleElement::GetStyleSheetURL(bool* aIsInline, nsIPrincipal** aTriggeringPrincipal)
 {
   *aIsInline = true;
-  *aTriggeringPrincipal = nullptr;
+  *aTriggeringPrincipal = do_AddRef(mTriggeringPrincipal).take();
   return nullptr;
 }