js/xpconnect/tests/mochitest/test_sameOriginPolicy.html

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

     1 <!DOCTYPE HTML>
     2 <html>
     3 <!--
     4 https://bugzilla.mozilla.org/show_bug.cgi?id=801576
     5 -->
     6 <head>
     7   <meta charset="utf-8">
     8   <title>Test for Bug 801576</title>
     9   <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
    10   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
    11 </head>
    12 <body>
    13 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
    14 <p id="display"></p>
    15 <div id="content" style="display: none">
    16 </div>
    17 <pre id="test">
    18 <script type="application/javascript">
    20 /** Test for the same-origin policy. **/
    21 SimpleTest.waitForExplicitFinish(); // the run ends only when go() calls SimpleTest.finish() after the second pass
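    /**
     * Probe one property of `obj` and report to the harness whether the access
     * went through.
     *
     * Any exception thrown by the probe counts as "access denied"; the exception
     * type is not inspected, so an unrelated error is indistinguishable from a
     * security denial.
     *
     * @param {Object} obj - Object to probe (testAll passes the iframe's window
     *     or its location).
     * @param {string} prop - Name of the property to read or write.
     * @param {boolean} allowed - Whether the access is expected to succeed.
     * @param {boolean} [write] - Truthy to probe a write, otherwise a read.
     */
    function check(obj, prop, allowed, write) {
      var accessed = false;
      try {
        if (write) {
          try {
            obj[prop] = 2;
            // NOTE(review): an assignment that is ignored without throwing
            // still lands here and is counted as a successful write.
            accessed = true;
          } catch (e) {
            // A throwing assignment is the expected outcome for a denied write.
          }
          // Second write path: redefine the probed property itself with an
          // accessor descriptor. The descriptor keys are `get`/`set`; `set`
          // must be undefined or callable, otherwise the descriptor is
          // rejected before the target object is ever consulted.
          Object.defineProperty(obj, prop, {get: function() {}, set: undefined});
        } else {
          obj[prop];
        }
        accessed = true;
      } catch (e) {
        // Denied: `accessed` keeps whatever value it had when the probe threw.
      }
      is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 'write' : 'read'));
    }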
    // Window property names that isCrossOriginReadable() treats as readable
    // from another origin. Every other name is expected to be refused.
    var crossOriginReadableWindowProps = [
      'blur',
      'close',
      'closed',
      'focus',
      'frames',
      'location',
      'length',
      'opener',
      'parent',
      'postMessage',
      'self',
      'top',
      'window',
      /* indexed and named accessors */
      '0',
      'subframe'
    ];
    /**
     * Say whether a read of `prop` is expected to succeed across origins.
     *
     * @param {string} obj - Kind of object being probed: "Window" or "Location".
     * @param {string} prop - Property name.
     * @returns {boolean} true for the listed Window properties and for
     *     Location's 'replace'; false for everything else.
     */
    function isCrossOriginReadable(obj, prop) {
      var readable = false;
      if (obj == "Window") {
        // Window: membership in the shared allowlist decides.
        readable = crossOriginReadableWindowProps.indexOf(prop) != -1;
      } else if (obj == "Location") {
        // Location: 'replace' is the only readable member.
        readable = (prop == 'replace');
      }
      return readable;
    }
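    /**
     * Say whether a write to `prop` is expected to succeed across origins.
     *
     * testAll() uses this to skip write probes on the properties that are
     * legitimately writable.
     *
     * @param {string} obj - Kind of object being probed: "Window" or "Location".
     * @param {string} prop - Property name.
     * @returns {boolean} true only for Window's 'location' and Location's 'href'.
     */
    function isCrossOriginWritable(obj, prop) {
      if (obj == "Window")
        return prop == 'location';
      if (obj == "Location")
        return prop == 'href';
      // Unknown object kinds are not writable. Return an explicit boolean, as
      // isCrossOriginReadable() does, instead of falling off the end.
      return false;
    }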
    /**
     * Probe every known property of the iframe's window and of its location,
     * and report each result through check().
     *
     * A successful write is not wanted, so write probes are only issued for
     * properties where the write should be denied.
     *
     * @param {boolean} sameOrigin - true while the iframe is same-origin with
     *     this page; every read is then expected to succeed and no write is
     *     probed.
     */
    function testAll(sameOrigin) {
      var frameWindow = document.getElementById('ifr').contentWindow;

      // The names to probe are taken from this page's own window.
      // NOTE(review): for-in yields enumerable names only, and a property that
      // exists solely on the frame's window is never probed.
      var names = [];
      for (var key in window) {
        names.push(key);
      }

      // On android, 'crypto' appears to be on the window but not on the
      // iframe. It is not really relevant to this test, so it is skipped.
      var cryptoIndex = names.indexOf('crypto');
      if (cryptoIndex != -1) {
        names.splice(cryptoIndex, 1);
      }

      // The named grand-child will not appear on our window; add it by hand.
      names.push('subframe');

      names.forEach(function(name) {
        var readable = sameOrigin || isCrossOriginReadable('Window', name);
        check(frameWindow, name, readable, /* write = */ false);
        if (!sameOrigin && !isCrossOriginWritable('Window', name)) {
          check(frameWindow, name, false, /* write = */ true);
        }
      });

      for (var locationKey in window.location) {
        var locationReadable = sameOrigin || isCrossOriginReadable('Location', locationKey);
        // No fourth argument: check() treats a missing `write` as a read probe.
        check(frameWindow.location, locationKey, locationReadable);
        if (!sameOrigin && !isCrossOriginWritable('Location', locationKey)) {
          check(frameWindow.location, locationKey, false, /* write = */ true);
        }
      }
    }
    // Number of times the iframe's load handler has fired so far.
    var loadCount = 0;

    /**
     * Load handler for the 'ifr' iframe; drives the two passes of the test.
     *
     * First load: the frame holds file_empty.html loaded by relative URL, so
     * the same-origin pass runs and the frame is then navigated to the copy
     * on http://example.org (presumably a different origin from this page;
     * the page's own origin is not visible here).
     * Second load: the cross-origin pass runs and the test is finished.
     */
    function go() {
      loadCount += 1;
      if (loadCount != 1) {
        is(loadCount, 2);
        testAll(false);
        SimpleTest.finish();
        return;
      }
      testAll(true);
      var frame = document.getElementById('ifr');
      frame.contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
    }
   105 </script>
   106 </pre>
   107 <iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
   108 </body>
   109 </html>
