      1 <!DOCTYPE HTML>
      2 <html>
      3 <!--
      4 https://bugzilla.mozilla.org/show_bug.cgi?id=801576
      5 -->
      6 <head>
      7  <meta charset="utf-8">
      8  <title>Test for Bug 801576</title>
      9  <script src="/tests/SimpleTest/SimpleTest.js"></script>
     10  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
     11 </head>
     12 <body>
     13 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
     14 <p id="display"></p>
     15 <div id="content" style="display: none">
     16 </div>
     17 <pre id="test">
     18 <script type="application/javascript">
     19 
     20 /** Test for the same-origin policy. **/
     21 SimpleTest.waitForExplicitFinish();
     22 
/**
 * Probe one property of `obj` and assert whether the access succeeded.
 *
 * Read probe: evaluates `obj[prop]`. Write probe: assigns `obj[prop] = 2` and
 * then defines a property on `obj`; the probe counts as "accessed" when either
 * the assignment or the definition completed without throwing, so a denied
 * write must make both steps throw.
 *
 * NOTE(review): `getter`/`setter` are not property-descriptor keys (those are
 * `get`/`set`), so the descriptor below carries no attributes and the call
 * defines a plain data property literally named 'prop', not the `prop` being
 * probed. The cross-origin pass in testAll only relies on the definition being
 * refused; whether the literal name is intended should be confirmed before any
 * same-origin write probe is added.
 *
 * @param {object} obj - the (possibly cross-origin) Window or Location.
 * @param {string} prop - property name to probe.
 * @param {boolean} allowed - whether the access is expected to succeed.
 * @param {boolean} [write] - probe a write instead of a read.
 */
function check(obj, prop, allowed, write) {
  var accessed = false;
  if (write) {
    // The assignment's exception is swallowed on its own so that the
    // defineProperty probe below still runs.
    try {
      obj[prop] = 2;
      accessed = true;
    } catch (e) {}
    try {
      Object.defineProperty(obj, 'prop', {getter: function() {}, setter: null});
      accessed = true;
    } catch (e) {}
  } else {
    try {
      obj[prop];
      accessed = true;
    } catch (e) {}
  }
  var mode = write ? 'write' : 'read';
  is(accessed, allowed, prop + " is correctly (in)accessible for " + mode);
}
     39 
// Window properties that are readable by a cross-origin caller (the HTML
// spec's cross-origin Window property list). Declared with `var` on purpose:
// a script-level `var` becomes an enumerable window property, so the
// `for (prop in window)` enumeration in testAll probes this name as well.
var crossOriginReadableWindowProps = [
  // methods and attributes of the cross-origin Window interface
  'blur', 'close', 'closed', 'focus', 'frames', 'location', 'length',
  'opener', 'parent', 'postMessage', 'self', 'top', 'window',
  // indexed and named accessors
  '0', 'subframe',
];
     46 
/**
 * Whether a cross-origin caller may read `prop` on an object of the named
 * interface: the Window list above, and only `replace` on Location.
 *
 * @param {string} obj - "Window" or "Location".
 * @param {string} prop - property name.
 * @returns {boolean} false for any other interface.
 */
function isCrossOriginReadable(obj, prop) {
  switch (obj) {
    case "Window":
      return crossOriginReadableWindowProps.includes(prop);
    case "Location":
      return prop === 'replace';
    default:
      return false;
  }
}
     54 
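/**
 * Whether a cross-origin caller may write `prop` on an object of the named
 * interface: only Window.location and Location.href.
 *
 * @param {string} obj - "Window" or "Location".
 * @param {string} prop - property name.
 * @returns {boolean} always a boolean. The original fell off the end (returning
 *   undefined) for any other interface; callers only test the result for
 *   truthiness, so the explicit false is backward-compatible and matches
 *   isCrossOriginReadable.
 */
function isCrossOriginWritable(obj, prop) {
  if (obj == "Window") {
    return prop == 'location';
  }
  if (obj == "Location") {
    return prop == 'href';
  }
  return false;
}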
     61 
     62 // NB: we don't want writes to actually succeed, so we only check them where they should be denied.
/**
 * Probe every property of the iframe's window and of its location object.
 *
 * Reads are expected to succeed when `sameOrigin` is true or when the
 * property is on the cross-origin-readable list; writes are probed only in the
 * cross-origin pass and only for properties whose write must be denied.
 *
 * @param {boolean} sameOrigin - whether the iframe currently holds a
 *   same-origin document.
 */
function testAll(sameOrigin) {
  var win = document.getElementById('ifr').contentWindow;

  // Enumerate every enumerable property reachable on our own window (own and
  // inherited; this includes the script-level `var`/function globals of this
  // test) and probe each one on the iframe's window.
  var props = [];
  for (var name in window) {
    props.push(name);
  }

  // On android, 'crypto' appears on the window but not on the iframe. It is
  // irrelevant to this test, so drop it.
  var cryptoIdx = props.indexOf('crypto');
  if (cryptoIdx !== -1) {
    props.splice(cryptoIdx, 1);
  }

  // The named grand-child is reachable on the iframe but not on our window.
  props.push('subframe');

  props.forEach(function (name) {
    var readable = sameOrigin || isCrossOriginReadable('Window', name);
    check(win, name, readable, /* write = */ false);
    // Writes are probed only where they must be denied.
    if (!sameOrigin && !isCrossOriginWritable('Window', name)) {
      check(win, name, false, /* write = */ true);
    }
  });

  for (var locProp in window.location) {
    var locReadable = sameOrigin || isCrossOriginReadable('Location', locProp);
    check(win.location, locProp, locReadable);
    if (!sameOrigin && !isCrossOriginWritable('Location', locProp)) {
      check(win.location, locProp, false, /* write = */ true);
    }
  }
}
     90 
// Number of times the iframe has fired onload: 1 = the initial same-origin
// file_empty.html, 2 = after navigation to the example.org copy.
var loadCount = 0;

/**
 * iframe onload handler: run the same-origin pass on the first load, then
 * navigate the frame to a cross-origin document and run the denied-access
 * pass on the second load. A third load would fail the `is(loadCount, 2)`
 * assertion.
 */
function go() {
  loadCount += 1;
  if (loadCount === 1) {
    testAll(true);
    document.getElementById('ifr').contentWindow.location =
      'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
    return;
  }
  is(loadCount, 2);
  testAll(false);
  SimpleTest.finish();
}
    104 
    105 </script>
    106 </pre>
    107 <iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
    108 </body>
    109 </html>