js/xpconnect/tests/mochitest/test_sameOriginPolicy.html@129ffea94266 (annotated)
js/xpconnect/tests/mochitest/test_sameOriginPolicy.html
Sat, 03 Jan 2015 20:18:00 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Sat, 03 Jan 2015 20:18:00 +0100
- branch
- TOR_BUG_3246
- changeset 7
- 129ffea94266
- permissions
- -rw-r--r--
Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <!-- |
| michael@0 | 4 | https://bugzilla.mozilla.org/show_bug.cgi?id=801576 |
| michael@0 | 5 | --> |
| michael@0 | 6 | <head> |
| michael@0 | 7 | <meta charset="utf-8"> |
| michael@0 | 8 | <title>Test for Bug 801576</title> |
| michael@0 | 9 | <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 10 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> |
| michael@0 | 11 | </head> |
| michael@0 | 12 | <body> |
| michael@0 | 13 | <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a> |
| michael@0 | 14 | <p id="display"></p> |
| michael@0 | 15 | <div id="content" style="display: none"> |
| michael@0 | 16 | </div> |
| michael@0 | 17 | <pre id="test"> |
| michael@0 | 18 | <script type="application/javascript"> |
| michael@0 | 19 | |
| michael@0 | 20 | /** Test for the same-origin policy. **/ |
| michael@0 | 21 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 22 | |
| michael@0 | 23 | function check(obj, prop, allowed, write) { |
| michael@0 | 24 | var accessed = false; |
| michael@0 | 25 | try { |
| michael@0 | 26 | if (write) { |
| michael@0 | 27 | try { |
| michael@0 | 28 | obj[prop] = 2; |
| michael@0 | 29 | accessed = true; |
| michael@0 | 30 | } catch (e) {} |
| michael@0 | 31 | Object.defineProperty(obj, 'prop', {getter: function() {}, setter: null}); |
| michael@0 | 32 | } |
| michael@0 | 33 | else |
| michael@0 | 34 | obj[prop]; |
| michael@0 | 35 | accessed = true; |
| michael@0 | 36 | } catch (e) {} |
| michael@0 | 37 | is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 'write' : 'read')); |
| michael@0 | 38 | } |
| michael@0 | 39 | |
| michael@0 | 40 | var crossOriginReadableWindowProps = ['blur', 'close', 'closed', 'focus', |
| michael@0 | 41 | 'frames', 'location', 'length', |
| michael@0 | 42 | 'opener', 'parent', 'postMessage', |
| michael@0 | 43 | 'self', 'top', 'window', |
| michael@0 | 44 | /* indexed and named accessors */ |
| michael@0 | 45 | '0', 'subframe']; |
| michael@0 | 46 | |
| michael@0 | 47 | function isCrossOriginReadable(obj, prop) { |
| michael@0 | 48 | if (obj == "Window") |
| michael@0 | 49 | return crossOriginReadableWindowProps.indexOf(prop) != -1; |
| michael@0 | 50 | if (obj == "Location") |
| michael@0 | 51 | return prop == 'replace'; |
| michael@0 | 52 | return false; |
| michael@0 | 53 | } |
| michael@0 | 54 | |
| michael@0 | 55 | function isCrossOriginWritable(obj, prop) { |
| michael@0 | 56 | if (obj == "Window") |
| michael@0 | 57 | return prop == 'location'; |
| michael@0 | 58 | if (obj == "Location") |
| michael@0 | 59 | return prop == 'href'; |
| michael@0 | 60 | } |
| michael@0 | 61 | |
| michael@0 | 62 | // NB: we don't want to succeed with writes, so we only check them when it should be denied. |
| michael@0 | 63 | function testAll(sameOrigin) { |
| michael@0 | 64 | var win = document.getElementById('ifr').contentWindow; |
| michael@0 | 65 | |
| michael@0 | 66 | // Build a list of properties to check from the properties available on our |
| michael@0 | 67 | // window. |
| michael@0 | 68 | var props = []; |
| michael@0 | 69 | for (var prop in window) { props.push(prop); } |
| michael@0 | 70 | |
| michael@0 | 71 | // On android, this appears to be on the window but not on the iframe. It's |
| michael@0 | 72 | // not really relevant to this test, so just skip it. |
| michael@0 | 73 | if (props.indexOf('crypto') != -1) |
| michael@0 | 74 | props.splice(props.indexOf('crypto'), 1); |
| michael@0 | 75 | |
| michael@0 | 76 | // Add the named grand-child, since that won't appear on our window. |
| michael@0 | 77 | props.push('subframe'); |
| michael@0 | 78 | |
| michael@0 | 79 | for (var prop of props) { |
| michael@0 | 80 | check(win, prop, sameOrigin || isCrossOriginReadable('Window', prop), /* write = */ false); |
| michael@0 | 81 | if (!sameOrigin && !isCrossOriginWritable('Window', prop)) |
| michael@0 | 82 | check(win, prop, false, /* write = */ true); |
| michael@0 | 83 | } |
| michael@0 | 84 | for (var prop in window.location) { |
| michael@0 | 85 | check(win.location, prop, sameOrigin || isCrossOriginReadable('Location', prop)); |
| michael@0 | 86 | if (!sameOrigin && !isCrossOriginWritable('Location', prop)) |
| michael@0 | 87 | check(win.location, prop, false, /* write = */ true); |
| michael@0 | 88 | } |
| michael@0 | 89 | } |
| michael@0 | 90 | |
| michael@0 | 91 | var loadCount = 0; |
| michael@0 | 92 | function go() { |
| michael@0 | 93 | ++loadCount; |
| michael@0 | 94 | if (loadCount == 1) { |
| michael@0 | 95 | testAll(true); |
| michael@0 | 96 | document.getElementById('ifr').contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html'; |
| michael@0 | 97 | } |
| michael@0 | 98 | else { |
| michael@0 | 99 | is(loadCount, 2); |
| michael@0 | 100 | testAll(false); |
| michael@0 | 101 | SimpleTest.finish(); |
| michael@0 | 102 | } |
| michael@0 | 103 | } |
| michael@0 | 104 | |
| michael@0 | 105 | </script> |
| michael@0 | 106 | </pre> |
| michael@0 | 107 | <iframe id="ifr" onload="go();" src="file_empty.html"></iframe> |
| michael@0 | 108 | </body> |
| michael@0 | 109 | </html> |
