tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

browser_461743_sample.html (2192B)


<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->

<!DOCTYPE html>
<title>Test for bug 461743</title>

<body>
<!-- Two child frames used by the script below, in document order:
     frames[0] loads a data: URL document whose content is the text "empty";
     frames[1] is an iframe with no src attribute. -->
<iframe src="data:text/html;charset=utf-8,empty"></iframe>
<iframe></iframe>
      9 
     10 <script type="application/javascript">
 // A chrome:// URL. handleLoad() returns it from the first call to the
 // overridden MutationEvent.prototype.toString.
 var chromeUrl = "chrome://global/content/mozilla.html";
 // A javascript: URL returned by every later toString call. Its body tries to
 // write Components.utils.reportError into document.body.innerHTML and
 // swallows any exception, so a denied access leaves the body unchanged.
 // NOTE(review): the harness that inspects the result is not part of this
 // file; presumably it asserts that the privileged access was denied. Confirm.
 var exploitUrl = "javascript:try { document.body.innerHTML = Components.utils.reportError; } catch (ex) { }";

 // Counts DOMContentLoaded events received from the two child frames.
 var loadCount = 0;
 // handleLoad is a hoisted function declaration, so it can be referenced here
 // before its definition appears below.
 frames[0].addEventListener("DOMContentLoaded", handleLoad);
 frames[1].addEventListener("DOMContentLoaded", handleLoad);
 // Sets up the bug 461743 sequence once both child frames have fired
 // DOMContentLoaded: overrides MutationEvent.prototype.toString, registers
 // four capturing DOMNodeInserted listeners on frames[0].document, then puts
 // that document into designMode.
 // NOTE(review): nothing in this file inserts a node into frames[0]; the
 // insertion that fires DOMNodeInserted presumably comes from the harness or
 // from the designMode document being edited or restored. Confirm against the
 // driving test.
 function handleLoad() {
   // Called once per frame; do nothing until the second frame has loaded.
   if (++loadCount < 2)
     return;
   // One-shot: detach so that later frame loads do not re-run the setup.
   frames[0].removeEventListener("DOMContentLoaded", handleLoad);
   frames[1].removeEventListener("DOMContentLoaded", handleLoad);

   // Stringifying an event through this prototype yields chromeUrl on the
   // first call and exploitUrl on every call after that.
   var flip = 0;
   MutationEvent.prototype.toString = function() {
     return flip++ == 0 ? chromeUrl : exploitUrl;
   };

   // href is the getter function of the "href" accessor found on the
   // prototype of frames[1].location.
   // NOTE(review): confirm this accessor function still exercises the code
   // path the regression test was written for; a fixture that no longer
   // reaches it would pass vacuously and give false assurance.
   var href = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(frames[1].location), "href").get;
   // Two distinct listener objects sharing one handleEvent: registering the
   // same object twice would be de-duplicated by addEventListener.
   var loadChrome = { handleEvent: href };
   var loadExploit = { handleEvent: href };

   // Blocks inside the listener chain with a synchronous (third argument
   // false) GET of this page's own URL.
   function delay() {
     var xhr = new XMLHttpRequest();
     xhr.open("GET", location.href, false);
     xhr.send(null);
   }
   // Last listener in the chain: dispatches a bubbling "461743" MessageEvent
   // carrying data "done" on this document, then removes all four
   // DOMNodeInserted listeners from frames[0].document.
   // NOTE(review): presumably the test harness listens for the "461743"
   // event as its completion signal. Confirm.
   function done() {
     var event = new MessageEvent("461743", { bubbles: true, cancelable: false,
                                              data: "done", origin: location.href,
                                              source: window });
     document.dispatchEvent(event);
     frames[0].document.removeEventListener("DOMNodeInserted", loadChrome, true);
     frames[0].document.removeEventListener("DOMNodeInserted", delay, true);
     frames[0].document.removeEventListener("DOMNodeInserted", loadExploit, true);
     frames[0].document.removeEventListener("DOMNodeInserted", done, true);
   }

   // Registration order is the execution order for listeners on the same
   // target: loadChrome, delay, loadExploit, done. All four are capturing
   // listeners (third argument true).
   frames[0].document.addEventListener("DOMNodeInserted", loadChrome, true);
   frames[0].document.addEventListener("DOMNodeInserted", delay, true);
   frames[0].document.addEventListener("DOMNodeInserted", loadExploit, true);
   frames[0].document.addEventListener("DOMNodeInserted", done, true);

   // Make the frames[0] document editable.
   frames[0].document.designMode = "on";
 }
     55 </script>
     56 </body>