The Tor Browser / file diff

     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/browser/components/sessionstore/test/browser_459906.js	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,62 @@
     1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
     1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
     1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     1.7 +
     1.8 +function test() {
     1.9 +  /** Test for Bug 459906 **/
    1.10 +
    1.11 +  waitForExplicitFinish();
    1.12 +
    1.13 +  let testURL = "http://mochi.test:8888/browser/" +
    1.14 +    "browser/components/sessionstore/test/browser_459906_sample.html";
    1.15 +  let uniqueValue = "<b>Unique:</b> " + Date.now();
    1.16 +
    1.17 +  var frameCount = 0;
    1.18 +  let tab = gBrowser.addTab(testURL);
    1.19 +  tab.linkedBrowser.addEventListener("load", function(aEvent) {
    1.20 +    // wait for all frames to load completely
    1.21 +    if (frameCount++ < 2)
    1.22 +      return;
    1.23 +    tab.linkedBrowser.removeEventListener("load", arguments.callee, true);
    1.24 +
    1.25 +    let iframes = tab.linkedBrowser.contentWindow.frames;
    1.26 +    iframes[1].document.body.innerHTML = uniqueValue;
    1.27 +
    1.28 +    frameCount = 0;
    1.29 +    let tab2 = gBrowser.duplicateTab(tab);
    1.30 +    tab2.linkedBrowser.addEventListener("load", function(aEvent) {
    1.31 +      // wait for all frames to load (and reload!) completely
    1.32 +      if (frameCount++ < 2)
    1.33 +        return;
    1.34 +      tab2.linkedBrowser.removeEventListener("load", arguments.callee, true);
    1.35 +
    1.36 +      executeSoon(function() {
    1.37 +        let iframes = tab2.linkedBrowser.contentWindow.frames;
    1.38 +        if (iframes[1].document.body.innerHTML !== uniqueValue) {
    1.39 +          // Poll again the value, since we can't ensure to run
    1.40 +          // after SessionStore has injected innerHTML value.
    1.41 +          // See bug 521802.
    1.42 +          info("Polling for innerHTML value");
    1.43 +          setTimeout(arguments.callee, 100);
    1.44 +          return;
    1.45 +        }
    1.46 +
    1.47 +        is(iframes[1].document.body.innerHTML, uniqueValue,
    1.48 +           "rich textarea's content correctly duplicated");
    1.49 +
    1.50 +        let innerDomain = null;
    1.51 +        try {
    1.52 +          innerDomain = iframes[0].document.domain;
    1.53 +        }
    1.54 +        catch (ex) { /* throws for chrome: documents */ }
    1.55 +        is(innerDomain, "mochi.test", "XSS exploit prevented!");
    1.56 +
    1.57 +        // clean up
    1.58 +        gBrowser.removeTab(tab2);
    1.59 +        gBrowser.removeTab(tab);
    1.60 +
    1.61 +        finish();
    1.62 +      });
    1.63 +    }, true);
    1.64 +  }, true);
    1.65 +}