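/* Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/ */

"use strict";

// Sample page that every restored state in this test loads; the test reads
// the value of its input with id "text" after each restore.
const URL = ROOT + "browser_463205_sample.html";

/**
 * Bug 463205 - Check URLs before restoring form data to make sure a malicious
 * website can't modify frame URLs and make us inject form data into the wrong
 * web pages.
 *
 * Two restores are run against the same tab:
 *   1. formdata.url equals the URL of the restored entry: the saved value
 *      must be filled in.
 *   2. formdata.url names a different site than the restored entry: the
 *      field must stay empty. This is the security assertion of the test.
 *
 * The states built by getState() carry only a top-level entry, so only the
 * top-level document path is exercised here, not nested frames.
 */
add_task(function* test_check_urls_before_restoring() {
  // Add a blank tab.
  let tab = gBrowser.addTab("about:blank");
  let browser = tab.linkedBrowser;

  try {
    yield promiseBrowserLoaded(browser);

    // Restore form data with a valid URL.
    ss.setTabState(tab, getState(URL));
    yield promiseTabRestored(tab);

    let matchingValue = yield getInputValue(browser, {id: "text"});
    is(matchingValue, "foobar", "value was restored");

    // Restore form data with an invalid URL: the form data claims to belong
    // to example.com while the entry still loads the sample page.
    ss.setTabState(tab, getState("http://example.com/"));
    yield promiseTabRestored(tab);

    // Distinct binding: redeclaring `let value` in the same scope is a
    // SyntaxError in standard JavaScript.
    let mismatchedValue = yield getInputValue(browser, {id: "text"});
    is(mismatchedValue, "", "value was not restored");
  } finally {
    // Cleanup. Runs even if a step above throws, so a failure here does not
    // leave the tab open for whatever runs next.
    gBrowser.removeTab(tab);
  }
});

/**
 * Builds a serialized tab state whose single history entry always points at
 * the sample page, while the URL recorded alongside the form data is chosen
 * by the caller. Passing anything other than URL therefore produces a state
 * in which the form data and the loaded document disagree.
 *
 * @param {string} url - URL to record in the state's formdata.
 * @returns {string} JSON-encoded tab state for ss.setTabState().
 */
function getState(url) {
  return JSON.stringify({
    entries: [{url: URL}],
    formdata: {url: url, id: {text: "foobar"}}
  });
}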