From 6bf0a5cb5034a7e684dcc3500e841785237ce2dd Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 19:32:43 +0200 Subject: Adding upstream version 1:115.7.0. Signed-off-by: Daniel Baumann --- .../components/sessionstore/test/browser_463205.js | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 browser/components/sessionstore/test/browser_463205.js (limited to 'browser/components/sessionstore/test/browser_463205.js') diff --git a/browser/components/sessionstore/test/browser_463205.js b/browser/components/sessionstore/test/browser_463205.js new file mode 100644 index 0000000000..797425ab05 --- /dev/null +++ b/browser/components/sessionstore/test/browser_463205.js @@ -0,0 +1,40 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +const URL = ROOT + "browser_463205_sample.html"; + +/** + * Bug 463205 - Check URLs before restoring form data to make sure a malicious + * website can't modify frame URLs and make us inject form data into the wrong + * web pages. + */ +add_task(async function test_check_urls_before_restoring() { + // Add a blank tab. + let tab = BrowserTestUtils.addTab(gBrowser, "about:blank"); + let browser = tab.linkedBrowser; + await promiseBrowserLoaded(browser); + + // Restore form data with a valid URL. + await promiseTabState(tab, getState(URL)); + + let value = await getPropertyOfFormField(browser, "#text", "value"); + is(value, "foobar", "value was restored"); + + // Restore form data with an invalid URL. + await promiseTabState(tab, getState("http://example.com/")); + + value = await getPropertyOfFormField(browser, "#text", "value"); + is(value, "", "value was not restored"); + + // Cleanup. + gBrowser.removeTab(tab); +}); + +function getState(url) { + return JSON.stringify({ + entries: [{ url: URL, triggeringPrincipal_base64 }], + formdata: { url, id: { text: "foobar" } }, + }); +} -- cgit v1.2.3