The Tor Browser / file diff

diff: dom/plugins/test/mochitest/test_bug813906.html

dom/plugins/test/mochitest/test_bug813906.html

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/dom/plugins/test/mochitest/test_bug813906.html	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,54 @@
     1.4 +<!doctype html>
     1.5 +<html>
     1.6 +<head>
     1.7 +  <title>Test for Bug 813906</title>
     1.8 +  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
     1.9 +  <script type="text/javascript" src="utils.js"></script>
    1.10 +  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
    1.11 +
    1.12 +  <meta http-equiv="content-type" content="text/html; charset=utf-8">
    1.13 +  <base href="chrome://browser/content/">
    1.14 +</head>
    1.15 +<body>
    1.16 +
    1.17 +<script type="application/javascript">
    1.18 +function f() {
    1.19 +  document.getElementsByTagName("base")[0].href = "http://www.safe.com/";
    1.20 +}
    1.21 +</script>
    1.22 +
    1.23 +<script type="application/javascript">
    1.24 +SimpleTest.waitForExplicitFinish();
    1.25 +setTestPluginEnabledState(SpecialPowers.Ci.nsIPluginTag.STATE_ENABLED);
    1.26 +
    1.27 +var frameLoadCount = 0;
    1.28 +function frameLoaded() {
    1.29 +  frameLoadCount++;
    1.30 +  if (frameLoadCount == 1) {
    1.31 +    document.getElementsByTagName("object")[0].type = "application/x-test";
    1.32 +    document.getElementsByTagName("use")[0].setAttributeNS("http://www.w3.org/1999/xlink", "href", location.href + "#a");
    1.33 +  } else if (frameLoadCount == 2) {
    1.34 +    isnot(SpecialPowers.wrap(window.frame1).location.href.indexOf('chrome://'),
    1.35 +          0, 'plugin shouldnt be able to cause navigation to chrome URLs');
    1.36 +    SimpleTest.finish();
    1.37 +  }
    1.38 +}
    1.39 +</script>
    1.40 +
    1.41 +<!-- Note that <svg:use> ends up creating an anonymous subtree, which means that the plugin
    1.42 +     reflector gets hoisted into the XBL scope, and isn't accessible to content. We pass
    1.43 +     the 'donttouchelement' parameter to the plugin to prevent it from trying to define the
    1.44 +     'pluginFoundElement' property on the plugin reflector, since doing so would throw a
    1.45 +     security exception. -->
    1.46 +<svg>
    1.47 +  <symbol id="a">
    1.48 +    <foreignObject>
    1.49 +      <object bugmode="813906" frame="frame1"><param name="donttouchelement"></param></object>
    1.50 +    </foreignObject>
    1.51 +  </symbol>
    1.52 +  <use />
    1.53 +</svg>
    1.54 +
    1.55 +<iframe name="frame1" onload="frameLoaded()"></iframe>
    1.56 +</body>
    1.57 +</html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial