summaryrefslogtreecommitdiffstats
path: root/browser/components/sessionstore/test/browser_463205.js
diff options
context:
space:
mode:
Diffstat (limited to 'browser/components/sessionstore/test/browser_463205.js')
-rw-r--r--browser/components/sessionstore/test/browser_463205.js40
1 files changed, 40 insertions, 0 deletions
diff --git a/browser/components/sessionstore/test/browser_463205.js b/browser/components/sessionstore/test/browser_463205.js
new file mode 100644
index 0000000000..797425ab05
--- /dev/null
+++ b/browser/components/sessionstore/test/browser_463205.js
@@ -0,0 +1,40 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const URL = ROOT + "browser_463205_sample.html";
+
+/**
+ * Bug 463205 - Check URLs before restoring form data to make sure a malicious
+ * website can't modify frame URLs and make us inject form data into the wrong
+ * web pages.
+ */
+add_task(async function test_check_urls_before_restoring() {
+ // Add a blank tab.
+ let tab = BrowserTestUtils.addTab(gBrowser, "about:blank");
+ let browser = tab.linkedBrowser;
+ await promiseBrowserLoaded(browser);
+
+ // Restore form data with a valid URL.
+ await promiseTabState(tab, getState(URL));
+
+ let value = await getPropertyOfFormField(browser, "#text", "value");
+ is(value, "foobar", "value was restored");
+
+ // Restore form data with an invalid URL.
+ await promiseTabState(tab, getState("http://example.com/"));
+
+ value = await getPropertyOfFormField(browser, "#text", "value");
+ is(value, "", "value was not restored");
+
+ // Cleanup.
+ gBrowser.removeTab(tab);
+});
+
+function getState(url) {
+ return JSON.stringify({
+ entries: [{ url: URL, triggeringPrincipal_base64 }],
+ formdata: { url, id: { text: "foobar" } },
+ });
+}