js/xpconnect/crashtests/509075-1.html@129ffea94266 (annotated)
js/xpconnect/crashtests/509075-1.html
Sat, 03 Jan 2015 20:18:00 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Sat, 03 Jan 2015 20:18:00 +0100
- branch
- TOR_BUG_3246
- changeset 7
- 129ffea94266
- permissions
- -rw-r--r--
Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.
| michael@0 | 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <script> |
| michael@0 | 4 | |
| michael@0 | 5 | var txt = document.createTextNode(""); |
| michael@0 | 6 | var b = document.createElement("b"); |
| michael@0 | 7 | var w = b["watch"]; |
| michael@0 | 8 | var txtdg = txt["__lookupGetter__"]; |
| michael@0 | 9 | w["__defineGetter__"]("toString",txtdg); |
| michael@0 | 10 | var obj = { |
| michael@0 | 11 | variable: 910, |
| michael@0 | 12 | fun: function() { |
| michael@0 | 13 | w["toString"](); |
| michael@0 | 14 | } |
| michael@0 | 15 | }; |
| michael@0 | 16 | |
| michael@0 | 17 | function vuln() |
| michael@0 | 18 | { |
| michael@0 | 19 | window.status = "" + obj.variable; |
| michael@0 | 20 | try{ |
| michael@0 | 21 | obj.fun(); |
| michael@0 | 22 | }catch(er){} |
| michael@0 | 23 | return obj; |
| michael@0 | 24 | } |
| michael@0 | 25 | |
| michael@0 | 26 | var ret = vuln(); |
| michael@0 | 27 | </script> |
| michael@0 | 28 | </html> |
