mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-01-12 23:12:21 +00:00
78a5768df9
We fix up the tests here to test the new behavior, and fix some bugs in the test while we're at it.
55 lines
1.9 KiB
JavaScript
55 lines
1.9 KiB
JavaScript
const Cu = Components.utils;
|
|
|
|
function run_test() {
|
|
var sb1 = Cu.Sandbox("http://www.blah.com");
|
|
var sb2 = Cu.Sandbox("http://www.blah.com");
|
|
var sb3 = Cu.Sandbox(this);
|
|
var sb4 = Cu.Sandbox("http://www.other.com");
|
|
var rv;
|
|
|
|
// Components is normally hidden from content on the XBL scope chain, but we
|
|
// expose it to content here to make sure that the security wrappers work
|
|
// regardless.
|
|
[sb1, sb2, sb4].forEach(function(x) { x.Components = Cu.getComponentsForScope(x); });
|
|
|
|
// non-chrome accessing chrome Components
|
|
sb1.C = Components;
|
|
checkThrows("C.utils", sb1);
|
|
checkThrows("C.classes", sb1);
|
|
|
|
// non-chrome accessing own Components
|
|
do_check_eq(Cu.evalInSandbox("typeof Components.interfaces", sb1), 'object');
|
|
do_check_eq(Cu.evalInSandbox("typeof Components.utils", sb1), 'undefined');
|
|
do_check_eq(Cu.evalInSandbox("typeof Components.classes", sb1), 'undefined');
|
|
|
|
// Make sure an unprivileged Components is benign.
|
|
var C2 = Cu.evalInSandbox("Components", sb2);
|
|
var whitelist = ['interfaces', 'interfacesByID', 'results', 'isSuccessCode', 'QueryInterface'];
|
|
for (var prop in Components) {
|
|
do_print("Checking " + prop);
|
|
do_check_eq((prop in C2), whitelist.indexOf(prop) != -1);
|
|
}
|
|
|
|
// non-chrome same origin
|
|
sb1.C2 = C2;
|
|
do_check_eq(Cu.evalInSandbox("typeof C2.interfaces", sb1), 'object');
|
|
do_check_eq(Cu.evalInSandbox("typeof C2.utils", sb1), 'undefined');
|
|
do_check_eq(Cu.evalInSandbox("typeof C2.classes", sb1), 'undefined');
|
|
|
|
// chrome accessing chrome
|
|
sb3.C = Components;
|
|
rv = Cu.evalInSandbox("C.utils", sb3);
|
|
do_check_eq(rv, Cu);
|
|
|
|
// non-chrome cross origin
|
|
sb4.C2 = C2;
|
|
checkThrows("C2.interfaces", sb4);
|
|
checkThrows("C2.utils", sb4);
|
|
checkThrows("C2.classes", sb4);
|
|
}
|
|
|
|
function checkThrows(expression, sb) {
|
|
var result = Cu.evalInSandbox('(function() { try { ' + expression + '; return "allowed"; } catch (e) { return e.toString(); }})();', sb);
|
|
do_check_true(!!/denied/.exec(result));
|
|
}
|