browser/components/sessionstore/test/browser_459906.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* eslint-disable mozilla/no-arbitrary-setTimeout */

function test() {
  /** Test for Bug 459906 **/

  waitForExplicitFinish();

  let testURL =
    "http://mochi.test:8888/browser/" +
    "browser/components/sessionstore/test/browser_459906_sample.html";
  let uniqueValue = "<b>Unique:</b> " + Date.now();

  var frameCount = 0;
  let tab = BrowserTestUtils.addTab(gBrowser, testURL);
  tab.linkedBrowser.addEventListener(
    "load",
    function listener(aEvent) {
      // wait for all frames to load completely
      if (frameCount++ < 2) {
        return;
      }
      tab.linkedBrowser.removeEventListener("load", listener, true);

      let iframes = tab.linkedBrowser.contentWindow.frames;
      // eslint-disable-next-line no-unsanitized/property
      iframes[1].document.body.innerHTML = uniqueValue;

      frameCount = 0;
      let tab2 = gBrowser.duplicateTab(tab);
      tab2.linkedBrowser.addEventListener(
        "load",
        function loadListener(eventTab2) {
          // wait for all frames to load (and reload!) completely
          if (frameCount++ < 2) {
            return;
          }
          tab2.linkedBrowser.removeEventListener("load", loadListener, true);

          executeSoon(function innerHTMLPoller() {
            let iframesTab2 = tab2.linkedBrowser.contentWindow.frames;
            if (iframesTab2[1].document.body.innerHTML !== uniqueValue) {
              // Poll again the value, since we can't ensure to run
              // after SessionStore has injected innerHTML value.
              // See bug 521802.
              info("Polling for innerHTML value");
              setTimeout(innerHTMLPoller, 100);
              return;
            }

            is(
              iframesTab2[1].document.body.innerHTML,
              uniqueValue,
              "rich textarea's content correctly duplicated"
            );

            let innerDomain = null;
            try {
              innerDomain = iframesTab2[0].document.domain;
            } catch (ex) {
              /* throws for chrome: documents */
            }
            is(innerDomain, "mochi.test", "XSS exploit prevented!");

            // clean up
            gBrowser.removeTab(tab2);
            gBrowser.removeTab(tab);

            finish();
          });
        },
        true
      );
    },
    true
  );
}