// This code is evaluated in a sandbox courtesy of toSource(); var sandboxCode = function () { let req = new XMLHttpRequest(); req.open("GET", "http://mochi.test:8888/browser/dom/tests/browser/", true); req.onreadystatechange = function () { if (req.readyState === 4) { // If we get past the problem above, we end up with a req.status of zero // (ie, blocked due to CORS) even though we are fetching from the same // origin as the window itself. let result; if (req.status != 200) { result = "ERROR: got request status of " + req.status; } else if (!req.responseText.length) { result = "ERROR: got zero byte response text"; } else { result = "ok"; } postMessage({ result }, "*"); } }; req.send(null); }.toSource() + "();"; add_task(async function test() { await SpecialPowers.pushPrefEnv({ set: [["security.allow_unsafe_parent_loads", true]], }); let newWin = await BrowserTestUtils.openNewBrowserWindow(); let frame = newWin.document.createXULElement("iframe"); frame.setAttribute("type", "content"); frame.setAttribute( "src", "http://mochi.test:8888/browser/dom/tests/browser/browser_xhr_sandbox.js" ); newWin.document.documentElement.appendChild(frame); await BrowserTestUtils.waitForEvent(frame, "load", true); let contentWindow = frame.contentWindow; let sandbox = new Cu.Sandbox(contentWindow); // inject some functions from the window into the sandbox. // postMessage so the async code in the sandbox can report a result. sandbox.importFunction( contentWindow.postMessage.bind(contentWindow), "postMessage" ); sandbox.importFunction(contentWindow.XMLHttpRequest, "XMLHttpRequest"); Cu.evalInSandbox(sandboxCode, sandbox, "1.8"); let sandboxReply = await BrowserTestUtils.waitForEvent( contentWindow, "message", true ); is(sandboxReply.data.result, "ok", "check the sandbox code was felipe"); await BrowserTestUtils.closeWindow(newWin); });