browser_464620_b.html (1762B)
<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
<!--
  Regression fixture for bug 464620. It builds a page with three frames and
  then changes one frame's document from inside a DOM mutation handler.
  NOTE(review): judging by the title and the sessionstore test path, the
  property under test is that restored form/editor state is never written
  into a frame whose document has been replaced since it was saved. Confirm
  against the driving browser test.
-->

<title>Test for bug 464620 (injection on DOM node insertion)</title>

<!-- frames[0] and frames[1] are filled in by setup(); the third frame's load starts the test. -->
<iframe></iframe>
<iframe></iframe>
<iframe onload="setup()"></iframe>

<script>
  // Page that frames[2], and later frames[1], are navigated to.
  // NOTE(review): the "_xd" suffix presumably means cross-domain relative to
  // the origin this fixture is served from; the origin is not visible here.
  var targetUrl = "http://mochi.test:8888/browser/" +
                  "browser/components/sessionstore/test/browser_464620_xd.html";
  // undefined until setup() has run once; afterwards true on the initial
  // load and false on any later load where frames[2] is not about:blank.
  var firstPass;

  /**
   * Load handler of the third iframe. Decides whether this is the first
   * pass and seeds the frames accordingly.
   */
  function setup() {
    // Only the first call does anything. Navigating frames[2] below
    // presumably fires this handler again; this guard turns that into a no-op.
    if (firstPass !== undefined)
      return;
    // First pass means the third frame is still the empty about:blank document.
    firstPass = frames[2].location.href == "about:blank";
    if (firstPass) {
      // frames[0]: calls back into step() once its data: document has loaded.
      frames[0].location = 'data:text/html;charset=utf-8,<body onload="parent.step()">a</body>';
      // frames[1]: an editable (designMode) document with the body text "XXX".
      frames[1].location = 'data:text/html;charset=utf-8,<body onload="document.designMode=\'on\';">XXX</body>';
    }
    // On every pass the third frame ends up on targetUrl.
    frames[2].location = targetUrl;
  }

  /**
   * Called by the data: document in frames[0] from its onload handler.
   * Makes frames[0] editable and, on a non-first pass, arms the one-shot
   * mutation listener that triggers xss().
   */
  function step() {
    frames[0].document.designMode = "on";
    // The first pass only sets up state; nothing is armed.
    if (firstPass)
      return;

    var body = frames[0].document.body;
    // One-shot capturing listener: the first node inserted under frames[0]'s
    // body runs xss().
    // NOTE(review): presumably that insertion is session restore writing back
    // the saved editable content; confirm against the driving test.
    body.addEventListener("DOMNodeInserted", function() {
      xss();
    }, {capture: true, once: true});
  }

  /**
   * Runs inside the DOMNodeInserted handler: navigates frames[1] to
   * targetUrl, waits a bounded time for that load, then reports "done".
   */
  function xss() {
    var documentInjected = false;
    // The flag flips when the second iframe reports a load.
    document.getElementsByTagName("iframe")[1].onload =
      function() { documentInjected = true; };
    frames[1].location = targetUrl;

    // At most 20 synchronous requests for this page's own URL, stopping early
    // once the flag is set.
    // NOTE(review): presumably the blocking XHR is what gives the navigation a
    // chance to complete before this handler returns; confirm.
    for (var c = 0; !documentInjected && c < 20; c++) {
      var r = new XMLHttpRequest();
      r.open("GET", location.href, false);
      r.overrideMimeType("text/plain");
      r.send(null);
    }
    // Visible completion marker; the element starts out as "pending".
    document.getElementById("state").textContent = "done";

    // Bubbling completion signal dispatched on the document.
    // NOTE(review): presumably the browser test driving this fixture listens
    // for "464620_b"; that listener is not part of this file.
    var event = new MessageEvent("464620_b", { bubbles: true, cancelable: false,
                                               data: "done", origin: location.href,
                                               source: window });
    document.dispatchEvent(event);
  }
</script>

<p id="state">pending</p>