path: root/caps/tests/mochitest/test_bug292789.html
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=292789
-->
<head>
  <title>Test for Bug 292789</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=292789">Mozilla Bug 292789</a>
<p id="display"></p>
<div id="content" style="display: none">
  <script src="chrome://global/content/treeUtils.js"></script>
  <script type="application/javascript" src="chrome://mozapps/content/update/history.js"></script>
  <script id="resjs" type="application/javascript"></script>
</div>
<pre id="test">
<script class="testbody" type="text/javascript">

/** Test for Bug 292789
 *
 * Selectively allow access to allowlisted chrome packages
 * even for ALLOW_CHROME mechanisms (<script>, <img> etc)
 */

/* import-globals-from ../../../toolkit/content/treeUtils.js */
/* import-globals-from ../../../toolkit/mozapps/update/content/history.js */

// The checks below complete from load/error callbacks, so the harness has to
// wait for the explicit SimpleTest.finish() call made in finishTest().
SimpleTest.waitForExplicitFinish();

// Stand-in ChromeUtils whose import() just hands back an empty object.
// NOTE(review): presumably here so that history.js, once loaded into this
// content page through resource://, can get past its ChromeUtils.import()
// calls -- confirm against that script.
let ChromeUtils = {
  import() {
    return {};
  },
};

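/**
 * <script src=""> test.
 *
 * Checks that the chrome://global script included by this page ran
 * (gTreeUtils.sort is a function) while the chrome://mozapps one did not
 * (gUpdateHistory is undefined), then loads history.js again through its
 * resource:// URL as a control.
 *
 * @param {Function} [aCallback] - Called once the control load has settled,
 *   whether it succeeded or failed.
 */
function testScriptSrc(aCallback) {
    is(typeof gTreeUtils.sort, "function",
       "content can still load <script> from chrome://global");

    // gUpdateHistory is looked up as an export of history.js. It is only
    // "undefined" here if the chrome://mozapps <script> was blocked; finding
    // it means the script was improperly allowed to load.
    is(typeof gUpdateHistory, "undefined",
       "content should not be able to load <script> from chrome://mozapps");

    // Control: the check above would also pass if history.js had simply been
    // moved, so load the same file through resource:// and make sure its
    // export really shows up.
    var resjs = document.getElementById("resjs");
    resjs.onload = scriptOnload;
    // Without an error handler a failed control load would leave the test
    // waiting for the harness timeout instead of reporting why it failed.
    resjs.onerror = scriptOnerror;
    resjs.src = "resource://gre/chrome/toolkit/content/mozapps/update/history.js";
    document.getElementById("content").appendChild(resjs);

    function scriptOnload() {
      is(typeof gUpdateHistory.onLoad, "function",
         "history.js has not moved unexpectedly");
      triggerCallback();
    }

    function scriptOnerror() {
      ok(false,
         "history.js could not be loaded through resource://, so the " +
         "chrome://mozapps <script> check above is not conclusive");
      triggerCallback();
    }

    // Hand control to the next stage of the test, if one was supplied.
    function triggerCallback() {
      if (aCallback) {
        aCallback();
      }
    }
}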

/** <img src=""> tests */
// A chrome:// image from a package content may load, a chrome:// image from
// a package content must not reach, and a resource:// URL used as a control.
// NOTE(review): the resource:// URL appears to name the same
// extensionGeneric.svg as the chrome://mozapps one -- confirm.
var img_global = "chrome://global/skin/media/error.png";
var img_mozapps = "chrome://mozapps/skin/extensions/extensionGeneric.svg";
var res_mozapps = "resource://gre/chrome/toolkit/skin/classic/mozapps/extensions/extensionGeneric.svg";

// Each entry is [uri, expected outcome]; the outcome is compared with
// "success"/"fail" by the image's load/error handlers.
var imgTests = [
  [img_global, "success"],
  [img_mozapps, "fail"],
  [res_mozapps, "success"],
];

// Index of the next imgTests entry that runImgTest() will start.
var curImgTest = 0;

/**
 * Starts the next entry of imgTests and advances curImgTest.
 *
 * The image's completion callback is runImgTest again, or finishTest when
 * the entry being started is the last one.
 */
function runImgTest() {
    const index = curImgTest;
    curImgTest = index + 1;
    const entry = imgTests[index];
    const next = curImgTest === imgTests.length ? finishTest : runImgTest;
    loadImage(entry[0], entry[1], next);
}

/** Final callback of the image chain: tells the harness the test is over. */
function finishTest() {
  SimpleTest.finish();
}

/**
 * error handler for a test image: the load was refused or failed.
 *
 * Records "fail" as the actual outcome against the outcome stored on the
 * image, then runs the image's callback if it has one.
 *
 * @param {Event} event - Event whose target is the image built by loadImage.
 */
function fail(event) {
    const img = event.target;
    is("fail", img.expected,
       "content should not be allowed to load " + img.src);
    if (img.callback) {
      img.callback();
    }
}

/**
 * load handler for a test image: the load went through.
 *
 * Records "success" as the actual outcome against the outcome stored on the
 * image, then runs the image's callback if it has one.
 *
 * @param {Event} event - Event whose target is the image built by loadImage.
 */
function success(event) {
    const img = event.target;
    is("success", img.expected,
       "content should be able to load " + img.src);
    if (img.callback) {
      img.callback();
    }
}

/**
 * Creates an <img>, wires it to the fail/success handlers and points it at
 * the given URI.
 *
 * @param {string} uri - Image URI to request.
 * @param {string} expect - Outcome the handlers compare against
 *   ("success" or "fail").
 * @param {Function} callback - Run by the handlers once the outcome has
 *   been recorded.
 */
function loadImage(uri, expect, callback) {
    // Handlers and bookkeeping go on the element before src is assigned.
    const img = Object.assign(document.createElement("img"), {
        onerror: fail,
        onload: success,
        expected: expect,
        callback,
    });
    // The element is never appended to the document; assigning src is what
    // starts the load.
    img.src = uri;
}

// Kick off with the <script src> checks; once their control load is done,
// testScriptSrc() hands over to the <img> checks.
//
// The pref temporarily lets content access all resource:// URIs. It is needed
// only so the resource:// control loads can succeed; the chrome://mozapps
// assertions are the actual access check.
SpecialPowers.pushPrefEnv(
  { set: [["security.all_resource_uri_content_accessible", true]] },
  function () {
    testScriptSrc(runImgTest);
  }
);
</script>
</pre>
</body>
</html>