js/xpconnect/tests/mochitest/test_sameOriginPolicy.html

   1 <!DOCTYPE HTML>
   2 <html>
   3 <!--
   4 https://bugzilla.mozilla.org/show_bug.cgi?id=801576
   5 -->
   6 <head>
   7   <meta charset="utf-8">
   8   <title>Test for Bug 801576</title>
   9   <script src="/tests/SimpleTest/SimpleTest.js"></script>
  10   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
  11 </head>
  12 <body>
  13 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
  14 <p id="display"></p>
  15 <div id="content" style="display: none">
  16 </div>
  17 <pre id="test">
  18 <script type="application/javascript">
  19
  20 /** Test for the same-origin policy. **/
  21 SimpleTest.waitForExplicitFinish();
  22
  23 function check(obj, prop, allowed, write) {
  24   var accessed = false;
  25   try {
  26     if (write) {
  27       try {
  28         obj[prop] = 2;
  29         accessed = true;
  30       } catch (e) {}
  31       Object.defineProperty(obj, 'prop', {getter: function() {}, setter: null});
  32     }
  33     else
  34       obj[prop];
  35     accessed = true;
  36   } catch (e) {}
  37   is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 'write' : 'read'));
  38 }
  39
  40 var crossOriginReadableWindowProps = ['blur', 'close', 'closed', 'focus',
  41                                       'frames', 'location', 'length',
  42                                       'opener', 'parent', 'postMessage',
  43                                       'self', 'top', 'window',
  44                                       /* indexed and named accessors */
  45                                       '0', 'subframe'];
  46
  47 function isCrossOriginReadable(obj, prop) {
  48   if (obj == "Window")
  49     return crossOriginReadableWindowProps.includes(prop);
  50   if (obj == "Location")
  51     return prop == 'replace';
  52   return false;
  53 }
  54
  55 function isCrossOriginWritable(obj, prop) {
  56   if (obj == "Window")
  57     return prop == 'location';
  58   if (obj == "Location")
  59     return prop == 'href';
  60 }
  61
  62 // NB: we don't want to succeed with writes, so we only check them when it should be denied.
  63 function testAll(sameOrigin) {
  64   var win = document.getElementById('ifr').contentWindow;
  65
  66   // Build a list of properties to check from the properties available on our
  67   // window.
  68   var props = [];
  69   for (var prop in window) { props.push(prop); }
  70
  71   // On android, this appears to be on the window but not on the iframe. It's
  72   // not really relevant to this test, so just skip it.
  73   if (props.includes('crypto'))
  74     props.splice(props.indexOf('crypto'), 1);
  75
  76   // Add the named grand-child, since that won't appear on our window.
  77   props.push('subframe');
  78
  79   for (var prop of props) {
  80     check(win, prop, sameOrigin || isCrossOriginReadable('Window', prop), /* write = */ false);
  81     if (!sameOrigin && !isCrossOriginWritable('Window', prop))
  82       check(win, prop, false, /* write = */ true);
  83   }
  84   for (var prop in window.location) {
  85     check(win.location, prop, sameOrigin || isCrossOriginReadable('Location', prop));
  86     if (!sameOrigin && !isCrossOriginWritable('Location', prop))
  87       check(win.location, prop, false, /* write = */ true);
  88   }
  89 }
  90
  91 var loadCount = 0;
  92 function go() {
  93   ++loadCount;
  94   if (loadCount == 1) {
  95     testAll(true);
  96     document.getElementById('ifr').contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
  97   }
  98   else {
  99     is(loadCount, 2);
 100     testAll(false);
 101     SimpleTest.finish();
 102   }
 103 }
 104
 105 </script>
 106 </pre>
 107 <iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
 108 </body>
 109 </html>