summaryrefslogtreecommitdiffstats
path: root/browser/components/sessionstore/test/browser_459906.js
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /browser/components/sessionstore/test/browser_459906.js
parentInitial commit. (diff)
downloadfirefox-upstream.tar.xz
firefox-upstream.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'browser/components/sessionstore/test/browser_459906.js')
-rw-r--r--browser/components/sessionstore/test/browser_459906.js79
1 files changed, 79 insertions, 0 deletions
diff --git a/browser/components/sessionstore/test/browser_459906.js b/browser/components/sessionstore/test/browser_459906.js
new file mode 100644
index 0000000000..e232b59f13
--- /dev/null
+++ b/browser/components/sessionstore/test/browser_459906.js
@@ -0,0 +1,79 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* eslint-disable mozilla/no-arbitrary-setTimeout */
+
+function test() {
+ /** Test for Bug 459906 **/
+
+ waitForExplicitFinish();
+
+ let testURL =
+ "http://mochi.test:8888/browser/" +
+ "browser/components/sessionstore/test/browser_459906_sample.html";
+ let uniqueValue = "<b>Unique:</b> " + Date.now();
+
+ var frameCount = 0;
+ let tab = BrowserTestUtils.addTab(gBrowser, testURL);
+ tab.linkedBrowser.addEventListener(
+ "load",
+ function listener(aEvent) {
+ // wait for all frames to load completely
+ if (frameCount++ < 2) {
+ return;
+ }
+ tab.linkedBrowser.removeEventListener("load", listener, true);
+
+ let iframes = tab.linkedBrowser.contentWindow.frames;
+ // eslint-disable-next-line no-unsanitized/property
+ iframes[1].document.body.innerHTML = uniqueValue;
+
+ frameCount = 0;
+ let tab2 = gBrowser.duplicateTab(tab);
+ tab2.linkedBrowser.addEventListener(
+ "load",
+ function loadListener(eventTab2) {
+ // wait for all frames to load (and reload!) completely
+ if (frameCount++ < 2) {
+ return;
+ }
+ tab2.linkedBrowser.removeEventListener("load", loadListener, true);
+
+ executeSoon(function innerHTMLPoller() {
+ let iframesTab2 = tab2.linkedBrowser.contentWindow.frames;
+ if (iframesTab2[1].document.body.innerHTML !== uniqueValue) {
+ // Poll again the value, since we can't ensure to run
+ // after SessionStore has injected innerHTML value.
+ // See bug 521802.
+ info("Polling for innerHTML value");
+ setTimeout(innerHTMLPoller, 100);
+ return;
+ }
+
+ is(
+ iframesTab2[1].document.body.innerHTML,
+ uniqueValue,
+ "rich textarea's content correctly duplicated"
+ );
+
+ let innerDomain = null;
+ try {
+ innerDomain = iframesTab2[0].document.domain;
+ } catch (ex) {
+ /* throws for chrome: documents */
+ }
+ is(innerDomain, "mochi.test", "XSS exploit prevented!");
+
+ // clean up
+ gBrowser.removeTab(tab2);
+ gBrowser.removeTab(tab);
+
+ finish();
+ });
+ },
+ true
+ );
+ },
+ true
+ );
+}