test_sameOriginPolicy.html (3355B)
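<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=801576
-->
<head>
  <meta charset="utf-8">
  <title>Test for Bug 801576</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
<script type="application/javascript">

/** Test for the same-origin policy. **/
SimpleTest.waitForExplicitFinish();

// Top-level declarations deliberately stay `var`/function declarations: they
// become properties of this window, and testAll() builds its probe list by
// enumerating this window.

/**
 * Probe one property of `obj` and report whether the access went through.
 *
 * Read mode evaluates obj[prop]. Write mode first tries to assign to
 * obj[prop] and then tries to redefine the same property through
 * Object.defineProperty; the probe counts as "accessed" when either attempt
 * completes without throwing.
 *
 * @param {object} obj - Object under test (the iframe's window or location).
 * @param {string} prop - Name of the property to probe.
 * @param {boolean} allowed - Whether the access is expected to succeed.
 * @param {boolean} [write] - Truthy for a write probe, otherwise a read probe.
 */
function check(obj, prop, allowed, write) {
  var accessed = false;
  try {
    if (write) {
      try {
        obj[prop] = 2;
        accessed = true;
      } catch (e) {
        // A refused assignment is the expected outcome for a denied write.
      }
      // Redefine the property actually under test, with a well-formed accessor
      // descriptor. The earlier form targeted the literal key 'prop' and used
      // `getter`/`setter`, which are not descriptor fields, so the probe never
      // exercised redefinition of the named property.
      Object.defineProperty(obj, prop, {get: function() {}, set: undefined});
    } else {
      obj[prop];
    }
    // Reached only when the read, or the defineProperty call, did not throw.
    accessed = true;
  } catch (e) {
    // NOTE(review): every exception is counted as a denial, so an unrelated
    // error (for example a TypeError) is indistinguishable from a policy
    // refusal. Checking the error type would make a denial result stronger;
    // confirm what the engine throws before tightening this.
  }
  is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 'write' : 'read'));
}

// Window properties that stay readable across origins.
var crossOriginReadableWindowProps = ['blur', 'close', 'closed', 'focus',
                                      'frames', 'location', 'length',
                                      'opener', 'parent', 'postMessage',
                                      'self', 'top', 'window',
                                      /* indexed and named accessors */
                                      '0', 'subframe'];

/**
 * Whether `prop` is expected to be readable on a cross-origin object.
 *
 * @param {string} obj - Kind of object: "Window" or "Location".
 * @param {string} prop - Property name.
 * @returns {boolean} True when a cross-origin read is expected to succeed.
 */
function isCrossOriginReadable(obj, prop) {
  if (obj === "Window")
    return crossOriginReadableWindowProps.includes(prop);
  if (obj === "Location")
    return prop === 'replace';
  return false;
}

/**
 * Whether `prop` is expected to be writable on a cross-origin object.
 *
 * @param {string} obj - Kind of object: "Window" or "Location".
 * @param {string} prop - Property name.
 * @returns {boolean} True when a cross-origin write is expected to succeed.
 */
function isCrossOriginWritable(obj, prop) {
  if (obj === "Window")
    return prop === 'location';
  if (obj === "Location")
    return prop === 'href';
  // Explicit default, matching isCrossOriginReadable (previously fell through
  // and returned undefined).
  return false;
}

/**
 * Probe every property of the iframe's window and location.
 *
 * NB: we don't want to succeed with writes, so we only check them when it
 * should be denied.
 *
 * @param {boolean} sameOrigin - Whether the iframe currently shows a
 *   same-origin document; when true every read is expected to succeed and no
 *   write probes are made.
 */
function testAll(sameOrigin) {
  var win = document.getElementById('ifr').contentWindow;

  // Build a list of properties to check from the properties available on our
  // window.
  var props = [];
  for (var name in window) { props.push(name); }

  // On android, this appears to be on the window but not on the iframe. It's
  // not really relevant to this test, so just skip it.
  var cryptoIndex = props.indexOf('crypto');
  if (cryptoIndex !== -1)
    props.splice(cryptoIndex, 1);

  // Add the named grand-child, since that won't appear on our window.
  props.push('subframe');

  for (var winProp of props) {
    check(win, winProp, sameOrigin || isCrossOriginReadable('Window', winProp), /* write = */ false);
    if (!sameOrigin && !isCrossOriginWritable('Window', winProp))
      check(win, winProp, false, /* write = */ true);
  }
  for (var locProp in window.location) {
    check(win.location, locProp, sameOrigin || isCrossOriginReadable('Location', locProp), /* write = */ false);
    if (!sameOrigin && !isCrossOriginWritable('Location', locProp))
      check(win.location, locProp, false, /* write = */ true);
  }
}

// Number of times the iframe's onload handler has fired.
var loadCount = 0;

/**
 * onload handler for the iframe. The first load runs the same-origin pass and
 * then navigates the iframe to example.org; the second load runs the
 * cross-origin pass and finishes the test.
 */
function go() {
  ++loadCount;
  if (loadCount === 1) {
    testAll(true);
    document.getElementById('ifr').contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
  } else {
    is(loadCount, 2, "cross-origin pass should run on the second iframe load");
    testAll(false);
    SimpleTest.finish();
  }
}

</script>
</pre>
<iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
</body>
</html>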