wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity
454a8e381c
gecko/browser/components/sessionstore/test/browser_461743_sample.html
Bobby Holley 8b20a9d073 Bug 774245 - Re-implement moz_bug_r_a4 trickery. r=mrbkap 
In the next patch, we drop support for lookupMethod for location objects, since the security policy there is tricky and location objects are already unshadowable Xray wrappers.
2012-07-18 13:51:28 +02:00

56 lines
2.1 KiB
HTML
Raw Blame History

<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
<!DOCTYPE html>
<title>Test for bug 461743</title>
<body>
<iframe src="data:text/html,empty"></iframe>
<iframe></iframe>
<script type="application/javascript">
var chromeUrl = "chrome://global/content/mozilla.xhtml";
var exploitUrl = "javascript:try { document.body.innerHTML = Components.utils.reportError; } catch (ex) { }";
var loadCount = 0;
frames[0].addEventListener("DOMContentLoaded", handleLoad, false);
frames[1].addEventListener("DOMContentLoaded", handleLoad, false);
function handleLoad() {
if (++loadCount < 2)
return;
frames[0].removeEventListener("DOMContentLoaded", handleLoad, false);
frames[1].removeEventListener("DOMContentLoaded", handleLoad, false);
var flip = 0;
MutationEvent.prototype.toString = function() {
return flip++ == 0 ? chromeUrl : exploitUrl;
};
var href = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(frames[1].location), "href").get;
var loadChrome = { handleEvent: href };
var loadExploit = { handleEvent: href };
function delay() {
var xhr = new XMLHttpRequest();
xhr.open("GET", location.href, false);
xhr.send(null);
}
function done() {
var event = document.createEvent("MessageEvent");
event.initMessageEvent("461743", true, false, "done", location.href, "", window);
document.dispatchEvent(event);
frames[0].document.removeEventListener("DOMNodeInserted", loadChrome, true);
frames[0].document.removeEventListener("DOMNodeInserted", delay, true);
frames[0].document.removeEventListener("DOMNodeInserted", loadExploit, true);
frames[0].document.removeEventListener("DOMNodeInserted", done, true);
}
frames[0].document.addEventListener("DOMNodeInserted", loadChrome, true);
frames[0].document.addEventListener("DOMNodeInserted", delay, true);
frames[0].document.addEventListener("DOMNodeInserted", loadExploit, true);
frames[0].document.addEventListener("DOMNodeInserted", done, true);
frames[0].document.designMode = "on";
};
</script>
</body>
Reference in New Issue View Git Blame Copy Permalink