1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/js/xpconnect/tests/mochitest/test_sameOriginPolicy.html Wed Dec 31 06:09:35 2014 +0100
1.3 
@@ -0,0 +1,109 @@
1.4 +<!DOCTYPE HTML>
1.5 +<html>
1.6 +<!--
1.7 +https://bugzilla.mozilla.org/show_bug.cgi?id=801576
1.8 +-->
1.9 +<head>
1.10 + <meta charset="utf-8">
1.11 + <title>Test for Bug 801576</title>
1.12 + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
1.13 + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
1.14 +</head>
1.15 +<body>
1.16 +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
1.17 +<p id="display"></p>
1.18 +<div id="content" style="display: none">
1.19 +</div>
1.20 +<pre id="test">
1.21 +<script type="application/javascript">
1.22 +
1.23 +/** Test for the same-origin policy. **/
1.24 +SimpleTest.waitForExplicitFinish();
1.25 +
1.26 +function check(obj, prop, allowed, write) {
1.27 + var accessed = false;
1.28 + try {
1.29 + if (write) {
1.30 + try {
1.31 + obj[prop] = 2;
1.32 + accessed = true;
1.33 + } catch (e) {}
1.34 + Object.defineProperty(obj, 'prop', {getter: function() {}, setter: null});
1.35 + }
1.36 + else
1.37 + obj[prop];
1.38 + accessed = true;
1.39 + } catch (e) {}
1.40 + is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 
'write' : 'read'));
1.41 +}
1.42 +
1.43 +var crossOriginReadableWindowProps = ['blur', 'close', 'closed', 'focus',
1.44 + 'frames', 'location', 'length',
1.45 + 'opener', 'parent', 'postMessage',
1.46 + 'self', 'top', 'window',
1.47 + /* indexed and named accessors */
1.48 + '0', 'subframe'];
1.49 +
1.50 +function isCrossOriginReadable(obj, prop) {
1.51 + if (obj == "Window")
1.52 + return crossOriginReadableWindowProps.indexOf(prop) != -1;
1.53 + if (obj == "Location")
1.54 + return prop == 'replace';
1.55 + return false;
1.56 +}
1.57 +
1.58 +function isCrossOriginWritable(obj, prop) {
1.59 + if (obj == "Window")
1.60 + return prop == 'location';
1.61 + if (obj == "Location")
1.62 + return prop == 'href';
1.63 +}
1.64 +
1.65 +// NB: we don't want to succeed with writes, so we only check them when it should be denied.
1.66 +function testAll(sameOrigin) {
1.67 + var win = document.getElementById('ifr').contentWindow;
1.68 +
1.69 + // Build a list of properties to check from the properties available on our
1.70 + // window.
1.71 + var props = [];
1.72 + for (var prop in window) { props.push(prop); }
1.73 +
1.74 + // On android, this appears to be on the window but not on the iframe. It's
1.75 + // not really relevant to this test, so just skip it.
1.76 + if (props.indexOf('crypto') != -1)
1.77 + props.splice(props.indexOf('crypto'), 1);
1.78 +
1.79 + // Add the named grand-child, since that won't appear on our window. 
1.80 + props.push('subframe');
1.81 +
1.82 + for (var prop of props) {
1.83 + check(win, prop, sameOrigin || isCrossOriginReadable('Window', prop), /* write = */ false);
1.84 + if (!sameOrigin && !isCrossOriginWritable('Window', prop))
1.85 + check(win, prop, false, /* write = */ true);
1.86 + }
1.87 + for (var prop in window.location) {
1.88 + check(win.location, prop, sameOrigin || isCrossOriginReadable('Location', prop));
1.89 + if (!sameOrigin && !isCrossOriginWritable('Location', prop))
1.90 + check(win.location, prop, false, /* write = */ true);
1.91 + }
1.92 +}
1.93 +
1.94 +var loadCount = 0;
1.95 +function go() {
1.96 + ++loadCount;
1.97 + if (loadCount == 1) {
1.98 + testAll(true);
1.99 + document.getElementById('ifr').contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
1.100 + }
1.101 + else {
1.102 + is(loadCount, 2);
1.103 + testAll(false);
1.104 + SimpleTest.finish();
1.105 + }
1.106 +}
1.107 +
1.108 +</script>
1.109 +</pre>
1.110 +<iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
1.111 +</body>
1.112 +</html>
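Review bot: The `Object.defineProperty` call in `check` passes the string literal `'prop'` and a descriptor keyed `getter`/`setter`, so it never targets the property under test and is not an accessor descriptor (the recognised keys are `get`/`set`). As written, the write path only shows that defining a property literally named "prop" on the cross-origin object throws; a regression that allowed redefining a specific cross-origin Window or Location property would presumably go unnoticed. I would change the line to `Object.defineProperty(obj, prop, {get: function() {}});`. Both `catch (e) {}` blocks swallow every exception, so a comment such as `// any throw counts as "denied"; keep the descriptor valid so only the security check can throw` would make that dependency explicit.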