The Tor Browser / file diff

diff: browser/components/sessionstore/test/browser_464620_b.html

browser/components/sessionstore/test/browser_464620_b.html

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/browser/components/sessionstore/test/browser_464620_b.html	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,58 @@
     1.4 +<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
     1.5 +
     1.6 +<title>Test for bug 464620 (injection on DOM node insertion)</title>
     1.7 +
     1.8 +<iframe></iframe>
     1.9 +<iframe></iframe>
    1.10 +<iframe onload="setup()"></iframe>
    1.11 +
    1.12 +<script>
    1.13 +  var targetUrl = "http://mochi.test:8888/browser/" +
    1.14 +    "browser/components/sessionstore/test/browser_464620_xd.html";
    1.15 +  var firstPass;
    1.16 +
    1.17 +  function setup() {
    1.18 +    if (firstPass !== undefined)
    1.19 +      return;
    1.20 +    firstPass = frames[2].location.href == "about:blank";
    1.21 +    if (firstPass) {
    1.22 +      frames[0].location = 'data:text/html;charset=utf-8,<body onload="parent.step()">a</body>';
    1.23 +      frames[1].location = 'data:text/html;charset=utf-8,<body onload="document.designMode=\'on\';">XXX</body>';
    1.24 +    }
    1.25 +    frames[2].location = targetUrl;
    1.26 +  }
    1.27 +
    1.28 +  function step() {
    1.29 +    frames[0].document.designMode = "on";
    1.30 +    if (firstPass)
    1.31 +      return;
    1.32 +
    1.33 +    var body = frames[0].document.body;
    1.34 +    body.addEventListener("DOMNodeInserted", function() {
    1.35 +      body.removeEventListener("DOMNodeInserted", arguments.callee, true);
    1.36 +      xss();
    1.37 +    }, true);
    1.38 +  }
    1.39 +
    1.40 +  function xss() {
    1.41 +    var documentInjected = false;
    1.42 +    document.getElementsByTagName("iframe")[1].onload =
    1.43 +      function() { documentInjected = true; };
    1.44 +    frames[1].location = targetUrl;
    1.45 +
    1.46 +    for (var c = 0; !documentInjected && c < 20; c++) {
    1.47 +      var r = new XMLHttpRequest();
    1.48 +      r.open("GET", location.href, false);
    1.49 +      r.overrideMimeType("text/plain");
    1.50 +      r.send(null);
    1.51 +    }
    1.52 +    document.getElementById("state").textContent = "done";
    1.53 +
    1.54 +    var event = new MessageEvent('464620_b', { bubbles: true, cancelable: false,
    1.55 +                                               data: "done", origin: location.href,
    1.56 +                                               source: window });
    1.57 +    document.dispatchEvent(event);
    1.58 +  }
    1.59 +</script>
    1.60 +
    1.61 +<p id="state">pending</p>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial