diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
commit | 43a97878ce14b72f0981164f87f2e35e14151312 (patch) | |
tree | 620249daf56c0258faa40cbdcf9cfba06de2a846 /browser/components/sessionstore/test/browser_459906.js | |
parent | Initial commit. (diff) | |
download | firefox-upstream.tar.xz firefox-upstream.zip |
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'browser/components/sessionstore/test/browser_459906.js')
-rw-r--r-- | browser/components/sessionstore/test/browser_459906.js | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/browser/components/sessionstore/test/browser_459906.js b/browser/components/sessionstore/test/browser_459906.js new file mode 100644 index 0000000000..e232b59f13 --- /dev/null +++ b/browser/components/sessionstore/test/browser_459906.js @@ -0,0 +1,79 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* eslint-disable mozilla/no-arbitrary-setTimeout */ + +function test() { + /** Test for Bug 459906 **/ + + waitForExplicitFinish(); + + let testURL = + "http://mochi.test:8888/browser/" + + "browser/components/sessionstore/test/browser_459906_sample.html"; + let uniqueValue = "<b>Unique:</b> " + Date.now(); + + var frameCount = 0; + let tab = BrowserTestUtils.addTab(gBrowser, testURL); + tab.linkedBrowser.addEventListener( + "load", + function listener(aEvent) { + // wait for all frames to load completely + if (frameCount++ < 2) { + return; + } + tab.linkedBrowser.removeEventListener("load", listener, true); + + let iframes = tab.linkedBrowser.contentWindow.frames; + // eslint-disable-next-line no-unsanitized/property + iframes[1].document.body.innerHTML = uniqueValue; + + frameCount = 0; + let tab2 = gBrowser.duplicateTab(tab); + tab2.linkedBrowser.addEventListener( + "load", + function loadListener(eventTab2) { + // wait for all frames to load (and reload!) completely + if (frameCount++ < 2) { + return; + } + tab2.linkedBrowser.removeEventListener("load", loadListener, true); + + executeSoon(function innerHTMLPoller() { + let iframesTab2 = tab2.linkedBrowser.contentWindow.frames; + if (iframesTab2[1].document.body.innerHTML !== uniqueValue) { + // Poll again the value, since we can't ensure to run + // after SessionStore has injected innerHTML value. + // See bug 521802. + info("Polling for innerHTML value"); + setTimeout(innerHTMLPoller, 100); + return; + } + + is( + iframesTab2[1].document.body.innerHTML, + uniqueValue, + "rich textarea's content correctly duplicated" + ); + + let innerDomain = null; + try { + innerDomain = iframesTab2[0].document.domain; + } catch (ex) { + /* throws for chrome: documents */ + } + is(innerDomain, "mochi.test", "XSS exploit prevented!"); + + // clean up + gBrowser.removeTab(tab2); + gBrowser.removeTab(tab); + + finish(); + }); + }, + true + ); + }, + true + ); +} |