1 files changed, 140 insertions, 0 deletions

diff --git a/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html b/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html
new file mode 100644
index 0000000000..21f5f18904
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html
@@ -0,0 +1,140 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for considering form action</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 360493
+<script>
+gTestDependsOnDeprecatedLogin = true;
+runChecksAfterCommonInit(() => startTest());
+
+let DEFAULT_ORIGIN = window.location.origin;
+</script>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: 360493 (Cross-Site Forms + Password
+    Manager = Security Failure) **/
+
+// This test is designed to make sure variations on the form's |action|
+// and |method| continue to work with the fix for 360493.
+
+async function startTest() {
+  let win = window.open("about:blank");
+  SimpleTest.registerCleanupFunction(() => win.close());
+  await loadFormIntoWindow(DEFAULT_ORIGIN, `
+    <!-- normal form with normal relative action. -->
+    <form id="form1" action="formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- fully specify the action URL -->
+    <form id="form2" action="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- fully specify the action URL, and change the path -->
+    <form id="form3" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- fully specify the action URL, and change the path and filename -->
+    <form id="form4" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/not_a_test.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- specify the action URL relative to the current document-->
+    <form id="form5" action="./formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- specify the action URL relative to the current server -->
+    <form id="form6" action="/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Change the method from get to post -->
+    <form id="form7" action="formtest.js" method="POST">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Blank action URL specified -->
+    <form id="form8" action="">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- |action| attribute entirely missing -->
+    <form id="form9" >
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- action url as javascript -->
+    <form id="form10" action="javascript:alert('this form is not submitted so this alert should not be invoked');">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>`, win, 10);
+
+  // TODO: action=IP.ADDRESS instead of HOSTNAME?
+  // TODO: test with |base href="http://othersite//"| ?
+
+  for (var i = 1; i <= 9; i++) {
+    // Check form i
+    await checkLoginFormInFrameWithElementValues(win, i, "testuser", "testpass");
+  }
+
+  // The login's formActionOrigin isn't "javascript:", so don't fill it in.
+  await checkLoginFormInFrameWithElementValues(win, 10, "", "");
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>