path: root/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html
blob: 21f5f189041267c4c3e05518a82504312be37f43 (plain)
<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Test for considering form action</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="text/javascript" src="pwmgr_common.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
Login Manager test: Bug 360493
<script>
// Flag set before common init runs. It is not declared in this file;
// presumably pwmgr_common.js reads it to install the shared deprecated
// test login that startTest expects to be autofilled — confirm there.
gTestDependsOnDeprecatedLogin = true;
// startTest is declared in a later script element of this page, so it is
// wrapped in an arrow function and only looked up when the callback runs.
runChecksAfterCommonInit(() => startTest());

// Origin of this test page; startTest passes it to loadFormIntoWindow as the
// origin the test forms are loaded under.
let DEFAULT_ORIGIN = window.location.origin;
</script>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
<script class="testbody" type="text/javascript">

/** Test for Login Manager: 360493 (Cross-Site Forms + Password
    Manager = Security Failure) **/

// This test is designed to make sure variations on the form's |action|
// and |method| continue to work with the fix for 360493.

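/**
 * Loads ten login forms that differ only in their |action| / |method| into a
 * fresh window and checks which of them end up with the saved credentials.
 *
 * Forms 1-9 (relative, absolute, server-relative, blank and missing actions,
 * plus one POST form) are each expected to hold "testuser" / "testpass".
 * Form 10 has a javascript: action and is expected to stay empty.
 *
 * Forms 3 and 4 keep the mochi.test:8888 origin but change the path and
 * filename and are still expected to be filled, so what is exercised here is
 * an origin-level comparison, not a full-URL one.
 *
 * NOTE(review): the saved login is set up outside this file (pwmgr_common.js);
 * presumably its formActionOrigin is the test server origin — confirm there.
 * NOTE(review): this page contains no form whose action points at a different
 * http(s) origin; the only negative case covered here is the javascript: one.
 *
 * @returns {Promise<void>} Resolves once SimpleTest.finish() has been called.
 */
async function startTest() {
  let win = window.open("about:blank");
  // Close the helper window even if a check below fails.
  SimpleTest.registerCleanupFunction(() => win.close());
  // The trailing 10 matches the number of forms in the markup; presumably the
  // helper waits for that many forms to be processed — verify in pwmgr_common.js.
  await loadFormIntoWindow(DEFAULT_ORIGIN, `
    <!-- normal form with normal relative action. -->
    <form id="form1" action="formtest.js">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- fully specify the action URL -->
    <form id="form2" action="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- fully specify the action URL, and change the path -->
    <form id="form3" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/formtest.js">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- fully specify the action URL, and change the path and filename -->
    <form id="form4" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/not_a_test.js">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- specify the action URL relative to the current document-->
    <form id="form5" action="./formtest.js">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- specify the action URL relative to the current server -->
    <form id="form6" action="/tests/toolkit/components/passwordmgr/test/formtest.js">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- Change the method from get to post -->
    <form id="form7" action="formtest.js" method="POST">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- Blank action URL specified -->
    <form id="form8" action="">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- |action| attribute entirely missing -->
    <form id="form9" >
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>

    <!-- action url as javascript -->
    <form id="form10" action="javascript:alert('this form is not submitted so this alert should not be invoked');">
      <input  type="text"       name="uname">
      <input  type="password"   name="pword">

      <button type="submit">Submit</button>
      <button type="reset"> Reset </button>
    </form>`, win, 10);

  // TODO: action=IP.ADDRESS instead of HOSTNAME?
  // TODO: test with |base href="http://othersite//"| ?

  // Forms 1-9 all have an action on the page's own origin (or none at all),
  // so each is expected to carry the saved username and password.
  // Checked one at a time, in order; the counter is block-scoped with let.
  for (let formNum = 1; formNum <= 9; formNum++) {
    await checkLoginFormInFrameWithElementValues(win, formNum, "testuser", "testpass");
  }

  // The login's formActionOrigin isn't "javascript:", so form 10 must be left
  // with empty username and password fields.
  await checkLoginFormInFrameWithElementValues(win, 10, "", "");

  SimpleTest.finish();
}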
</script>
</pre>
</body>
</html>