1326194-2.html (475B)
<!DOCTYPE HTML>
<html>
<head>
<script type="application/javascript">

// Regression crashtest: there are no assertions, so the test passes when the
// page loads without crashing the browser.
//
// Per the original author's note, a crash here means the observed element was
// not properly unlinked in FragmentOrElement::Unlink.
//
// Shape of the test:
//   - a <div> is created and never inserted into the document;
//   - a custom property on it creates a cycle between JS and C++ that
//     requires the cycle collector (CC) to break;
//   - an IntersectionObserver is then registered on that element.
//
// NOTE(review): nothing in this file forces a GC/CC run, so whether the unlink
// path is actually exercised depends on the harness - confirm.
// NOTE(review): the listing name (1326194-2.html) looks like a bug-tracker id -
// confirm against the tracker before citing it.

function crash() {
  var observedNode = document.createElement('div');
  // The expando is what sets up the JS/C++ cycle described above.
  observedNode.foo = 'bar';
  // Empty callback and empty options: only the registration itself matters.
  var observer = new IntersectionObserver(function () { }, { });
  observer.observe(observedNode);
}

</script>
</head>
<body onload="crash()">
</body>
</html>