<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=801576
-->
<head>
<meta charset="utf-8">
<title>Test for Bug 801576</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
<script type="application/javascript">
/** Test for the same-origin policy. **/
// Results are reported from the iframe's load handler, so keep the harness
// waiting until go() calls SimpleTest.finish() after the second load.
SimpleTest.waitForExplicitFinish();
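/**
 * Probe one property of `obj` and report whether the outcome matches what the
 * same-origin policy is expected to allow.
 *
 * Read mode (`write` falsy) evaluates `obj[prop]`. Write mode tries two
 * independent paths, plain assignment and Object.defineProperty, and counts
 * the property as accessed if either one completes without throwing.
 *
 * @param {Object} obj - Object under test (the iframe's window or location).
 * @param {string} prop - Name of the property to probe.
 * @param {boolean} allowed - Whether the access is expected to succeed.
 * @param {boolean} [write] - Probe write access instead of read access.
 */
function check(obj, prop, allowed, write) {
  var accessed = false;
  try {
    if (write) {
      try {
        obj[prop] = 2;
        accessed = true;
      } catch (e) {
        // Assignment was refused; the defineProperty path is still probed below.
      }
      // Redefine the property under test, not a literal 'prop' key, and use the
      // real descriptor keys (get/set). The previous {getter, setter} object was
      // an empty descriptor, so this path never exercised `prop` itself. `set`
      // is left undefined because a null setter is rejected as a malformed
      // descriptor before the target object is ever consulted.
      Object.defineProperty(obj, prop, {get: function() {}, set: undefined});
    } else {
      obj[prop];
    }
    accessed = true;
  } catch (e) {
    // NOTE(review): any exception is treated as "access denied"; a policy
    // denial is not distinguished from an unrelated error such as a TypeError.
  }
  is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 'write' : 'read'));
}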
// Allow-list of Window property names that are expected to stay readable
// from a different origin. Kept as a `var` so the script's globals are
// unchanged.
var crossOriginReadableWindowProps = [
  'blur',
  'close',
  'closed',
  'focus',
  'frames',
  'location',
  'length',
  'opener',
  'parent',
  'postMessage',
  'self',
  'top',
  'window',
  // Indexed and named accessors.
  '0',
  'subframe',
];
/**
 * Tell whether `prop` is expected to be readable across origins.
 *
 * @param {string} obj - Kind of object being probed: "Window" or "Location".
 * @param {string} prop - Property name.
 * @returns {boolean} true only for allow-listed names; anything else is denied.
 */
function isCrossOriginReadable(obj, prop) {
  var readable = false;
  if (obj == "Window") {
    // Window exposes a fixed allow-list of names.
    readable = crossOriginReadableWindowProps.includes(prop);
  } else if (obj == "Location") {
    // Location exposes a single readable name.
    readable = prop == 'replace';
  }
  return readable;
}
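/**
 * Tell whether `prop` is expected to be writable across origins.
 *
 * @param {string} obj - Kind of object being probed: "Window" or "Location".
 * @param {string} prop - Property name.
 * @returns {boolean} true only for Window.location and Location.href.
 */
function isCrossOriginWritable(obj, prop) {
  if (obj == "Window")
    return prop == 'location';
  if (obj == "Location")
    return prop == 'href';
  // Explicit default-deny, matching isCrossOriginReadable: an unrecognised
  // object kind yields false rather than an implicit undefined.
  return false;
}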
// NB: a write is never meant to succeed here, so the write probe only runs
// for properties where it is expected to be denied.
/**
 * Probe every Window and Location property of the iframe.
 *
 * @param {boolean} sameOrigin - Whether the iframe currently shares our origin.
 */
function testAll(sameOrigin) {
  var frameWindow = document.getElementById('ifr').contentWindow;

  // Candidate names come from the enumerable properties of our own window.
  var names = [];
  for (var key in window) {
    names.push(key);
  }

  // On android 'crypto' appears on the window but not on the iframe. It is
  // not relevant to this test, so drop it.
  var cryptoAt = names.indexOf('crypto');
  if (cryptoAt !== -1) {
    names.splice(cryptoAt, 1);
  }

  // The named grand-child never shows up on our window, so add it by hand.
  names.push('subframe');

  names.forEach(function(name) {
    var readable = sameOrigin || isCrossOriginReadable('Window', name);
    check(frameWindow, name, readable, /* write = */ false);
    if (sameOrigin || isCrossOriginWritable('Window', name)) {
      return;
    }
    check(frameWindow, name, false, /* write = */ true);
  });

  for (var locKey in window.location) {
    var locReadable = sameOrigin || isCrossOriginReadable('Location', locKey);
    check(frameWindow.location, locKey, locReadable);
    if (sameOrigin || isCrossOriginWritable('Location', locKey)) {
      continue;
    }
    check(frameWindow.location, locKey, false, /* write = */ true);
  }
}
// Number of iframe load events handled so far.
var loadCount = 0;

/**
 * onload handler for the iframe. The first load runs the same-origin pass and
 * then navigates the iframe to another origin; the second load runs the
 * cross-origin pass and ends the test.
 */
function go() {
  loadCount += 1;
  if (loadCount != 1) {
    is(loadCount, 2);
    testAll(false);
    SimpleTest.finish();
    return;
  }
  testAll(true);
  var frame = document.getElementById('ifr');
  frame.contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
}
</script>
</pre>
<iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
</body>
</html>