1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/browser/components/sessionstore/test/browser_463205.js Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,42 @@
1.4 +/* Any copyright is dedicated to the Public Domain.
1.5 + * http://creativecommons.org/publicdomain/zero/1.0/ */
1.6 +
1.7 +"use strict";
1.8 +
1.9 +const URL = ROOT + "browser_463205_sample.html";
1.10 +
1.11 +/**
1.12 + * Bug 463205 - Check URLs before restoring form data to make sure a malicious
1.13 + * website can't modify frame URLs and make us inject form data into the wrong
1.14 + * web pages.
1.15 + */
1.16 +add_task(function test_check_urls_before_restoring() {
1.17 + // Add a blank tab.
1.18 + let tab = gBrowser.addTab("about:blank");
1.19 + let browser = tab.linkedBrowser;
1.20 + yield promiseBrowserLoaded(browser);
1.21 +
1.22 + // Restore form data with a valid URL.
1.23 + ss.setTabState(tab, getState(URL));
1.24 + yield promiseTabRestored(tab);
1.25 +
1.26 + let value = yield getInputValue(browser, {id: "text"});
1.27 + is(value, "foobar", "value was restored");
1.28 +
1.29 + // Restore form data with an invalid URL.
1.30 + ss.setTabState(tab, getState("http://example.com/"));
1.31 + yield promiseTabRestored(tab);
1.32 +
1.33 + let value = yield getInputValue(browser, {id: "text"});
1.34 + is(value, "", "value was not restored");
1.35 +
1.36 + // Cleanup.
1.37 + gBrowser.removeTab(tab);
1.38 +});
1.39 +
1.40 +function getState(url) {
1.41 + return JSON.stringify({
1.42 + entries: [{url: URL}],
1.43 + formdata: {url: url, id: {text: "foobar"}}
1.44 + });
1.45 +}
