Merge latest firefox 140 commits 13/03/2026

.cargo/config.toml.in

@@ -85,9 +85,9 @@ git = "https://github.com/mozilla/audioipc"
 rev = "e6f44a2bd1e57d11dfc737632a9e849077632330"
 replace-with = "vendored-sources"
 
-[source."git+https://github.com/mozilla/cubeb-coreaudio-rs?rev=2407441a2f67341a0e13b4ba6547555e387c671c"]
+[source."git+https://github.com/mozilla/cubeb-coreaudio-rs?rev=579b75af21c040700eee6a1d8520e222699fe4cd"]
 git = "https://github.com/mozilla/cubeb-coreaudio-rs"
-rev = "2407441a2f67341a0e13b4ba6547555e387c671c"
+rev = "579b75af21c040700eee6a1d8520e222699fe4cd"
 replace-with = "vendored-sources"
 
 [source."git+https://github.com/mozilla/cubeb-pulse-rs?rev=8678dcab1c287de79c4c184ccc2e065bc62b70e2"]

accessible/ipc/DocAccessibleParent.cpp

@@ -234,6 +234,11 @@ RemoteAccessible* DocAccessibleParent::CreateAcc(
     return nullptr;
   }
 
+  if (aAccData.GenericTypes() & eDocument) {
+    MOZ_ASSERT_UNREACHABLE("Invalid acc type");
+    return nullptr;
+  }
+
   newProxy = new RemoteAccessible(aAccData.ID(), this, aAccData.Role(),
                                   aAccData.Type(), aAccData.GenericTypes(),
                                   aAccData.RoleMapEntryIndex());

docshell/base/BrowsingContext.cpp

@@ -2786,6 +2786,11 @@ void BrowsingContext::DidSet(FieldIndex<IDX_ExplicitActive>,
   });
 }
 
+bool BrowsingContext::CanSet(FieldIndex<IDX_InRDMPane>, const bool&,
+                             ContentParent* aSource) {
+  return XRE_IsParentProcess() && IsTop() && !aSource;
+}
+
 void BrowsingContext::DidSet(FieldIndex<IDX_InRDMPane>, bool aOldValue) {
   MOZ_ASSERT(IsTop(),
              "Should only set InRDMPane in the top-level browsing context");

docshell/base/BrowsingContext.h

@@ -1136,6 +1136,7 @@ class BrowsingContext : public nsILoadContext, public nsWrapperCache {
     return IsTop();
   }
 
+  bool CanSet(FieldIndex<IDX_InRDMPane>, const bool&, ContentParent* aSource);
   void DidSet(FieldIndex<IDX_InRDMPane>, bool aOldValue);
   MOZ_CAN_RUN_SCRIPT_BOUNDARY void DidSet(FieldIndex<IDX_ForceDesktopViewport>,
                                           bool aOldValue);

dom/base/DocumentOrShadowRoot.cpp

@@ -7,6 +7,7 @@
 #include "DocumentOrShadowRoot.h"
 #include "mozilla/AnimationComparator.h"
 #include "mozilla/EventStateManager.h"
+#include "mozilla/Likely.h"
 #include "mozilla/PointerLockManager.h"
 #include "mozilla/PresShell.h"
 #include "mozilla/StyleSheet.h"
@@ -112,6 +113,10 @@ void DocumentOrShadowRoot::RemoveSheetFromStylesIfApplicable(
 void DocumentOrShadowRoot::OnSetAdoptedStyleSheets(StyleSheet& aSheet,
                                                    uint32_t aIndex,
                                                    ErrorResult& aRv) {
+  if (MOZ_UNLIKELY(aIndex > mAdoptedStyleSheets.Length())) {
+    MOZ_ASSERT_UNREACHABLE("Out of sync proxy");
+    return;
+  }
   Document& doc = *AsNode().OwnerDoc();
   // 1. If value’s constructed flag is not set, or its constructor document is
   // not equal to this DocumentOrShadowRoot's node document, throw a
@@ -164,7 +169,10 @@ void DocumentOrShadowRoot::OnSetAdoptedStyleSheets(StyleSheet& aSheet,
 void DocumentOrShadowRoot::OnDeleteAdoptedStyleSheets(StyleSheet& aSheet,
                                                       uint32_t aIndex,
                                                       ErrorResult&) {
-  MOZ_ASSERT(mAdoptedStyleSheets.ElementAt(aIndex) == &aSheet);
+  if (MOZ_UNLIKELY(mAdoptedStyleSheets.ElementAt(aIndex) != &aSheet)) {
+    MOZ_ASSERT_UNREACHABLE("Out of sync proxy");
+    return;
+  }
   mAdoptedStyleSheets.RemoveElementAt(aIndex);
   auto existingIndex = mAdoptedStyleSheets.LastIndexOf(&aSheet);
   if (existingIndex != mAdoptedStyleSheets.NoIndex && existingIndex >= aIndex) {

dom/base/MimeType.cpp

@@ -271,15 +271,16 @@ template <typename char_type>
     const nsTSubstring<char_type>& aMimeType,
     nsTSubstring<char_type>& aOutEssence,
     nsTSubstring<char_type>& aOutCharset) {
+  // https://fetch.spec.whatwg.org/#concept-header-extract-mime-type
   static char_type kCHARSET[] = {'c', 'h', 'a', 'r', 's', 'e', 't'};
   static nsTDependentSubstring<char_type> kCharset(kCHARSET, 7);
 
   RefPtr<TMimeType<char_type>> parsed;
   nsTAutoString<char_type> prevContentType;
   nsTAutoString<char_type> prevCharset;
 
-  prevContentType.Assign(aOutEssence);
-  prevCharset.Assign(aOutCharset);
+  aOutEssence.Truncate();
+  aOutCharset.Truncate();
 
   nsTArray<nsTDependentSubstring<char_type>> mimeTypeParts =
       SplitMimetype(aMimeType);
@@ -292,9 +293,7 @@ template <typename char_type>
     parsed = Parse(mimeTypeString);
 
     if (!parsed) {
-      aOutEssence.Truncate();
-      aOutCharset.Truncate();
-      return false;
+      continue;
     }
 
     parsed->GetEssence(aOutEssence);
@@ -322,6 +321,10 @@ template <typename char_type>
     }
   }
 
+  if (aOutEssence.IsEmpty()) {
+    return false;
+  }
+
   return true;
 }
 

dom/base/nsContentPermissionHelper.cpp

@@ -44,12 +44,15 @@ class ContentPermissionRequestParent : public PContentPermissionRequestParent {
   // @param aIsRequestDelegatedToUnsafeThirdParty see
   // mIsRequestDelegatedToUnsafeThirdParty.
   ContentPermissionRequestParent(
-      const nsTArray<PermissionRequest>& aRequests, Element* aElement,
-      nsIPrincipal* aPrincipal, nsIPrincipal* aTopLevelPrincipal,
+      Element* aElement, nsIPrincipal* aPrincipal,
+      nsIPrincipal* aTopLevelPrincipal,
       const bool aHasValidTransientUserGestureActivation,
       const bool aIsRequestDelegatedToUnsafeThirdParty);
   virtual ~ContentPermissionRequestParent();
 
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY
+  void Init(nsTArray<PermissionRequest>&& aRequests);
+
   bool IsBeingDestroyed();
 
   nsCOMPtr<nsIPrincipal> mPrincipal;
@@ -64,24 +67,20 @@ class ContentPermissionRequestParent : public PContentPermissionRequestParent {
   nsTArray<PermissionRequest> mRequests;
 
  private:
-  // Not MOZ_CAN_RUN_SCRIPT because we can't annotate the thing we override yet.
-  MOZ_CAN_RUN_SCRIPT_BOUNDARY
-  virtual mozilla::ipc::IPCResult Recvprompt() override;
   virtual mozilla::ipc::IPCResult RecvDestroy() override;
   virtual void ActorDestroy(ActorDestroyReason why) override;
 };
 
 ContentPermissionRequestParent::ContentPermissionRequestParent(
-    const nsTArray<PermissionRequest>& aRequests, Element* aElement,
-    nsIPrincipal* aPrincipal, nsIPrincipal* aTopLevelPrincipal,
+    Element* aElement, nsIPrincipal* aPrincipal,
+    nsIPrincipal* aTopLevelPrincipal,
     const bool aHasValidTransientUserGestureActivation,
     const bool aIsRequestDelegatedToUnsafeThirdParty) {
   MOZ_COUNT_CTOR(ContentPermissionRequestParent);
 
   mPrincipal = aPrincipal;
   mTopLevelPrincipal = aTopLevelPrincipal;
   mElement = aElement;
-  mRequests = aRequests.Clone();
   mHasValidTransientUserGestureActivation =
       aHasValidTransientUserGestureActivation;
   mIsRequestDelegatedToUnsafeThirdParty = aIsRequestDelegatedToUnsafeThirdParty;
@@ -91,13 +90,14 @@ ContentPermissionRequestParent::~ContentPermissionRequestParent() {
   MOZ_COUNT_DTOR(ContentPermissionRequestParent);
 }
 
-mozilla::ipc::IPCResult ContentPermissionRequestParent::Recvprompt() {
+void ContentPermissionRequestParent::Init(
+    nsTArray<PermissionRequest>&& aRequests) {
+  mRequests = std::move(aRequests);
   mProxy = new nsContentPermissionRequestProxy(this);
   if (NS_FAILED(mProxy->Init(mRequests))) {
     RefPtr<nsContentPermissionRequestProxy> proxy(mProxy);
     proxy->Cancel();
   }
-  return IPC_OK();
 }
 
 mozilla::ipc::IPCResult ContentPermissionRequestParent::RecvDestroy() {
@@ -239,19 +239,27 @@ nsresult nsContentPermissionUtils::CreatePermissionArray(
 /* static */
 PContentPermissionRequestParent*
 nsContentPermissionUtils::CreateContentPermissionRequestParent(
-    const nsTArray<PermissionRequest>& aRequests, Element* aElement,
-    nsIPrincipal* aPrincipal, nsIPrincipal* aTopLevelPrincipal,
+    Element* aElement, nsIPrincipal* aPrincipal,
+    nsIPrincipal* aTopLevelPrincipal,
     const bool aHasValidTransientUserGestureActivation,
     const bool aIsRequestDelegatedToUnsafeThirdParty, const TabId& aTabId) {
   PContentPermissionRequestParent* parent = new ContentPermissionRequestParent(
-      aRequests, aElement, aPrincipal, aTopLevelPrincipal,
+      aElement, aPrincipal, aTopLevelPrincipal,
       aHasValidTransientUserGestureActivation,
       aIsRequestDelegatedToUnsafeThirdParty);
   ContentPermissionRequestParentMap()[parent] = aTabId;
 
   return parent;
 }
 
+/* static */
+void nsContentPermissionUtils::InitContentPermissionRequestParent(
+    PContentPermissionRequestParent* aActor,
+    nsTArray<PermissionRequest>&& aRequests) {
+  static_cast<ContentPermissionRequestParent*>(aActor)->Init(
+      std::move(aRequests));
+}
+
 /* static */
 nsresult nsContentPermissionUtils::AskPermission(
     nsIContentPermissionRequest* aRequest, nsPIDOMWindowInner* aWindow) {
@@ -301,7 +309,6 @@ nsresult nsContentPermissionUtils::AskPermission(
     }
     ContentPermissionRequestChildMap()[req.get()] = child->GetTabId();
 
-    req->Sendprompt();
     return NS_OK;
   }
 

dom/base/nsContentPermissionHelper.h

@@ -63,11 +63,15 @@ class nsContentPermissionUtils {
   // @param aIsRequestDelegatedToUnsafeThirdParty see
   // ContentPermissionRequestParent.
   static PContentPermissionRequestParent* CreateContentPermissionRequestParent(
-      const nsTArray<PermissionRequest>& aRequests, Element* aElement,
-      nsIPrincipal* aPrincipal, nsIPrincipal* aTopLevelPrincipal,
+      Element* aElement, nsIPrincipal* aPrincipal,
+      nsIPrincipal* aTopLevelPrincipal,
       const bool aHasValidTransientUserGestureActivation,
       const bool aIsRequestDelegatedToUnsafeThirdParty, const TabId& aTabId);
 
+  static void InitContentPermissionRequestParent(
+      PContentPermissionRequestParent* aActor,
+      nsTArray<PermissionRequest>&& aRequests);
+
   static nsresult AskPermission(nsIContentPermissionRequest* aRequest,
                                 nsPIDOMWindowInner* aWindow);
 

dom/base/test/gtest/TestMimeType.cpp

@@ -821,8 +821,8 @@ TEST(MimeTypeParsing, contentTypes1)
 
   bool parsed = CMimeType::Parse(val, contentType, contentCharset);
 
-  ASSERT_FALSE(parsed);
-  ASSERT_TRUE(contentType.EqualsLiteral(""));
+  ASSERT_TRUE(parsed);
+  ASSERT_TRUE(contentType.EqualsLiteral("text/plain"));
   ASSERT_TRUE(contentCharset.EqualsLiteral(""));
 }
 
@@ -1074,3 +1074,43 @@ TEST(MimeTypeParsing, contentTypes20)
   ASSERT_TRUE(contentType.EqualsLiteral("text/plain"));
   ASSERT_TRUE(contentCharset.EqualsLiteral(""));
 }
+
+// U+002F(/) is not a valid HTTP token code point
+// https://mimesniff.spec.whatwg.org/#http-token-code-point
+TEST(MimeTypeParsing, invalidSubtype1)
+{
+  const nsAutoCString val("text/json/");
+  RefPtr<CMimeType> parsed = CMimeType::Parse(val);
+  ASSERT_TRUE(!parsed);
+}
+
+TEST(MimeTypeParsing, invalidSubtype2)
+{
+  const nsAutoCString val("text/json/bad");
+  RefPtr<CMimeType> parsed = CMimeType::Parse(val);
+  ASSERT_TRUE(!parsed);
+}
+
+TEST(MimeTypeParsing, EmptyParsing)
+{
+  constexpr nsLiteralCString val("");
+  nsCString contentType;
+  nsCString contentCharset;
+  bool parsed = CMimeType::Parse(val, contentType, contentCharset);
+
+  ASSERT_FALSE(parsed);
+  ASSERT_TRUE(contentType.EqualsLiteral(""));
+  ASSERT_TRUE(contentCharset.EqualsLiteral(""));
+}
+
+TEST(MimeTypeParsing, EmptySubtype)
+{
+  constexpr nsLiteralCString val("audio/");
+  nsCString contentType;
+  nsCString contentCharset;
+  bool parsed = CMimeType::Parse(val, contentType, contentCharset);
+
+  ASSERT_FALSE(parsed);
+  ASSERT_TRUE(contentType.EqualsLiteral(""));
+  ASSERT_TRUE(contentCharset.EqualsLiteral(""));
+}

dom/events/GlobalKeyListener.cpp

@@ -418,6 +418,11 @@ GlobalKeyListener::WalkHandlersResult GlobalKeyListener::WalkHandlersAndExecute(
 
 bool GlobalKeyListener::IsReservedKey(WidgetKeyboardEvent* aKeyEvent,
                                       KeyEventHandler* aHandler) {
+  // If the event is a reply event, it means that we've already sent the event
+  // to the remote process because of not reserved.
+  if (aKeyEvent->IsHandledInRemoteProcess()) {
+    return false;
+  }
   ReservedKey reserved = aHandler->GetIsReserved();
   // reserved="true" means that the key is always reserved. reserved="false"
   // means that the key is never reserved. Otherwise, we check site-specific

dom/ipc/BrowserChild.cpp

@@ -2440,6 +2440,10 @@ mozilla::ipc::IPCResult BrowserChild::RecvRealKeyEvent(
   // we need to clear the flag explicitly here because ParamTraits should
   // keep checking the flag for avoiding regression.
   localEvent.mFlags.mNoRemoteProcessDispatch = false;
+  // The parent process won't use the native key bindings of the reply event
+  // anymore. To save the IPC cost, let's clear the edit commands before sending
+  // the event back to the parent process.
+  localEvent.PreventNativeKeyBindings();
   SendReplyKeyEvent(localEvent, aUUID);
 
   return IPC_OK();

dom/ipc/BrowserParent.cpp

@@ -2782,7 +2782,10 @@ mozilla::ipc::IPCResult BrowserParent::RecvReplyKeyEvent(
             NS_WARN_IF(data.mPseudoCharCode != aEvent.mPseudoCharCode) ||
             NS_WARN_IF(data.mKeyNameIndex != aEvent.mKeyNameIndex) ||
             NS_WARN_IF(data.mCodeNameIndex != aEvent.mCodeNameIndex) ||
-            NS_WARN_IF(data.mModifiers != aEvent.mModifiers)) {
+            NS_WARN_IF(data.mModifiers != aEvent.mModifiers) ||
+            // The child process should've already cleared the editor commands
+            // because we don't use them.
+            NS_WARN_IF(aEvent.HasEditCommands())) {
           // Got different event data from what we stored before dispatching an
           // event with the ID.
           return Nothing();

dom/ipc/ContentParent.cpp

@@ -5130,8 +5130,18 @@ ContentParent::AllocPContentPermissionRequestParent(
     topPrincipal = principal;
   }
   return nsContentPermissionUtils::CreateContentPermissionRequestParent(
-      aRequests, tp->GetOwnerElement(), aPrincipal, topPrincipal,
-      aIsHandlingUserInput, aMaybeUnsafePermissionDelegate, aTabId);
+      tp->GetOwnerElement(), aPrincipal, topPrincipal, aIsHandlingUserInput,
+      aMaybeUnsafePermissionDelegate, aTabId);
+}
+
+mozilla::ipc::IPCResult ContentParent::RecvPContentPermissionRequestConstructor(
+    PContentPermissionRequestParent* aActor,
+    nsTArray<PermissionRequest>&& aRequests, nsIPrincipal* aPrincipal,
+    nsIPrincipal* aTopLevelPrincipal, const bool& aIsHandlingUserInput,
+    const bool& aMaybeUnsafePermissionDelegate, const TabId& tabId) {
+  nsContentPermissionUtils::InitContentPermissionRequestParent(
+      aActor, std::move(aRequests));
+  return IPC_OK();
 }
 
 bool ContentParent::DeallocPContentPermissionRequestParent(

dom/ipc/ContentParent.h

@@ -538,6 +538,12 @@ class ContentParent final : public PContentParent,
       nsIPrincipal* aTopLevelPrincipal, const bool& aIsHandlingUserInput,
       const bool& aMaybeUnsafePermissionDelegate, const TabId& aTabId);
 
+  mozilla::ipc::IPCResult RecvPContentPermissionRequestConstructor(
+      PContentPermissionRequestParent* aActor,
+      nsTArray<PermissionRequest>&& aRequests, nsIPrincipal* aPrincipal,
+      nsIPrincipal* aTopLevelPrincipal, const bool& aIsHandlingUserInput,
+      const bool& aMaybeUnsafePermissionDelegate, const TabId& tabId) override;
+
   bool DeallocPContentPermissionRequestParent(
       PContentPermissionRequestParent* actor);
 

dom/ipc/PContentPermissionRequest.ipdl

@@ -16,7 +16,6 @@ protocol PContentPermissionRequest
   manager PContent;
 
 parent:
-  async prompt();
   async Destroy();
 
 child: