author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /browser/components/sessionstore/test/browser_461743_sample.html | |
parent | Initial commit. (diff) | |
download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'browser/components/sessionstore/test/browser_461743_sample.html')
-rw-r--r-- | browser/components/sessionstore/test/browser_461743_sample.html | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/browser/components/sessionstore/test/browser_461743_sample.html b/browser/components/sessionstore/test/browser_461743_sample.html
new file mode 100644
index 0000000000..a933ec5dc9
--- /dev/null
+++ b/browser/components/sessionstore/test/browser_461743_sample.html
@@ -0,0 +1,56 @@
+<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
+
+<!DOCTYPE html>
+<title>Test for bug 461743</title>
+
+<body>
+<iframe src="data:text/html;charset=utf-8,empty"></iframe>
+<iframe></iframe>
+
+<script type="application/javascript">
+ var chromeUrl = "chrome://global/content/mozilla.html";
+ var exploitUrl = "javascript:try { document.body.innerHTML = Components.utils.reportError; } catch (ex) { }";
+
+ var loadCount = 0;
+ frames[0].addEventListener("DOMContentLoaded", handleLoad);
+ frames[1].addEventListener("DOMContentLoaded", handleLoad);
+ function handleLoad() {
+ if (++loadCount < 2)
+ return;
+ frames[0].removeEventListener("DOMContentLoaded", handleLoad);
+ frames[1].removeEventListener("DOMContentLoaded", handleLoad);
+
+ var flip = 0;
+ MutationEvent.prototype.toString = function() {
+ return flip++ == 0 ? chromeUrl : exploitUrl;
+ };
+
+ var href = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(frames[1].location), "href").get;
+ var loadChrome = { handleEvent: href };
+ var loadExploit = { handleEvent: href };
+
+ function delay() {
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", location.href, false);
+ xhr.send(null);
+ }
+ function done() {
+ var event = new MessageEvent("461743", { bubbles: true, cancelable: false,
+ data: "done", origin: location.href,
+ source: window });
+ document.dispatchEvent(event);
+ frames[0].document.removeEventListener("DOMNodeInserted", loadChrome, true);
+ frames[0].document.removeEventListener("DOMNodeInserted", delay, true);
+ frames[0].document.removeEventListener("DOMNodeInserted", loadExploit, true);
+ frames[0].document.removeEventListener("DOMNodeInserted", done, true);
+ }
+
+ frames[0].document.addEventListener("DOMNodeInserted", loadChrome, true);
+ frames[0].document.addEventListener("DOMNodeInserted", delay, true);
+ frames[0].document.addEventListener("DOMNodeInserted", loadExploit, true);
+ frames[0].document.addEventListener("DOMNodeInserted", done, true);
+
frames[0].document.designMode = "on";
+ }
+</script>
+</body> |
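Review bot: The script block has no comment stating what outcome this page is meant to demonstrate, so a maintainer cannot tell from the file alone what a passing run looks like. Above `handleLoad` I would add something like `// Regression page for bug 461743: the javascript: URL in exploitUrl must not gain access to Components.utils; done() notifies the harness through the "461743" MessageEvent.` (the expected-safe outcome is inferred from the variable names and should be confirmed against the companion test). The `toString` override that returns `chromeUrl` on the first coercion and `exploitUrl` on the second is the heart of the check, a value that differs between two reads, and deserves a one-line comment; so does the synchronous XHR in `delay()`, which looks deliberate. The variable `href` actually holds the accessor's `.get` function, so a name such as `hrefGetter` would describe it more accurately.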