mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
d2fe9d94ec
There's really no reason to use the wishy-washy static COW Deny() here. Also, note that the xpcshell-test wasn't testing what it thought it was - interfaces is accessible from content code.
46 lines
1.4 KiB
JavaScript
46 lines
1.4 KiB
JavaScript
const Cu = Components.utils;
|
|
|
|
function run_test() {
|
|
var sb1 = Cu.Sandbox("http://www.blah.com");
|
|
var sb2 = Cu.Sandbox("http://www.blah.com");
|
|
var sb3 = Cu.Sandbox(this);
|
|
var sb4 = Cu.Sandbox("http://www.other.com");
|
|
var rv;
|
|
|
|
// Components is normally hidden from content on the XBL scope chain, but we
|
|
// expose it to content here to make sure that the security wrappers work
|
|
// regardless.
|
|
[sb1, sb2, sb4].forEach(function(x) { x.Components = Cu.getComponentsForScope(x); });
|
|
|
|
// non-chrome accessing chrome Components
|
|
sb1.C = Components;
|
|
checkThrows("C.utils", sb1);
|
|
checkThrows("C.classes", sb1);
|
|
|
|
// non-chrome accessing own Components
|
|
checkThrows("Components.utils", sb1);
|
|
checkThrows("Components.classes", sb1);
|
|
|
|
// non-chrome same origin
|
|
var C2 = Cu.evalInSandbox("Components", sb2);
|
|
do_check_neq(rv, C2.utils);
|
|
sb1.C2 = C2;
|
|
checkThrows("C2.utils", sb1);
|
|
checkThrows("C2.classes", sb1);
|
|
|
|
// chrome accessing chrome
|
|
sb3.C = Components;
|
|
rv = Cu.evalInSandbox("C.utils", sb3);
|
|
do_check_eq(rv, Cu);
|
|
|
|
// non-chrome cross origin
|
|
sb4.C2 = C2;
|
|
checkThrows("C2.utils", sb1);
|
|
checkThrows("C2.classes", sb1);
|
|
}
|
|
|
|
function checkThrows(expression, sb) {
|
|
var result = Cu.evalInSandbox('(function() { try { ' + expression + '; return "allowed"; } catch (e) { return e.toString(); }})();', sb);
|
|
do_check_true(!!/denied/.exec(result));
|
|
}
|