The Tor Browser / file comparison
comparison: browser/components/sessionstore/test/browser_461743_sample.html
browser/components/sessionstore/test/browser_461743_sample.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:abf9dfddd5a8 |
|---|---|
| 1 <!-- Testcase originally by <moz_bug_r_a4@yahoo.com> --> | |
| 2 | |
| 3 <!DOCTYPE html> | |
| 4 <title>Test for bug 461743</title> | |
| 5 | |
| 6 <body> | |
| 7 <iframe src="data:text/html;charset=utf-8,empty"></iframe> | |
| 8 <iframe></iframe> | |
| 9 | |
| 10 <script type="application/javascript"> | |
| 11 var chromeUrl = "chrome://global/content/mozilla.xhtml"; | |
| 12 var exploitUrl = "javascript:try { document.body.innerHTML = Components.utils.reportError; } catch (ex) { }"; | |
| 13 | |
| 14 var loadCount = 0; | |
| 15 frames[0].addEventListener("DOMContentLoaded", handleLoad, false); | |
| 16 frames[1].addEventListener("DOMContentLoaded", handleLoad, false); | |
| 17 function handleLoad() { | |
| 18 if (++loadCount < 2) | |
| 19 return; | |
| 20 frames[0].removeEventListener("DOMContentLoaded", handleLoad, false); | |
| 21 frames[1].removeEventListener("DOMContentLoaded", handleLoad, false); | |
| 22 | |
| 23 var flip = 0; | |
| 24 MutationEvent.prototype.toString = function() { | |
| 25 return flip++ == 0 ? chromeUrl : exploitUrl; | |
| 26 }; | |
| 27 | |
| 28 var href = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(frames[1].location), "href").get; | |
| 29 var loadChrome = { handleEvent: href }; | |
| 30 var loadExploit = { handleEvent: href }; | |
| 31 | |
| 32 function delay() { | |
| 33 var xhr = new XMLHttpRequest(); | |
| 34 xhr.open("GET", location.href, false); | |
| 35 xhr.send(null); | |
| 36 } | |
| 37 function done() { | |
| 38 var event = new MessageEvent('461743', { bubbles: true, cancelable: false, | |
| 39 data: "done", origin: location.href, | |
| 40 source: window }); | |
| 41 document.dispatchEvent(event); | |
| 42 frames[0].document.removeEventListener("DOMNodeInserted", loadChrome, true); | |
| 43 frames[0].document.removeEventListener("DOMNodeInserted", delay, true); | |
| 44 frames[0].document.removeEventListener("DOMNodeInserted", loadExploit, true); | |
| 45 frames[0].document.removeEventListener("DOMNodeInserted", done, true); | |
| 46 } | |
| 47 | |
| 48 frames[0].document.addEventListener("DOMNodeInserted", loadChrome, true); | |
| 49 frames[0].document.addEventListener("DOMNodeInserted", delay, true); | |
| 50 frames[0].document.addEventListener("DOMNodeInserted", loadExploit, true); | |
| 51 frames[0].document.addEventListener("DOMNodeInserted", done, true); | |
| 52 | |
| 53 frames[0].document.designMode = "on"; | |
| 54 }; | |
| 55 </script> | |
| 56 </body> |
