author | Matt A. Tobin <email@mattatobin.com> | 2020-02-25 15:07:00 -0500 |
---|---|---|
committer | Matt A. Tobin <email@mattatobin.com> | 2020-02-25 15:07:00 -0500 |
commit | 0ddd00f1959c78ce37c14fef3c83401408fca3bf (patch) | |
tree | d408e02767c86cf8aac3acbb86722b03c77ede6f /toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html | |
parent | 20f0905b33cbb18d1caa80c55e2f552c2e18957b (diff) | |
Issue #439 - Remove tests from toolkit/
Diffstat (limited to 'toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html')
-rw-r--r-- | toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html | 170 |
1 files changed, 0 insertions, 170 deletions
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html b/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html
deleted file mode 100644
index 0f0056de0..000000000
--- a/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html
+++ /dev/null
@@ -1,170 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
- <meta charset="utf-8">
- <title>Test for considering form action</title>
- <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
- <script type="text/javascript" src="pwmgr_common.js"></script>
- <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-Login Manager test: Bug 360493
-<script>
-runChecksAfterCommonInit(() => startTest());
-</script>
-<p id="display"></p>
-<div id="content" style="display: none">
-
- <!-- The tests in this page exercise things that shouldn't work. -->
-
- <!-- Change port # of action URL from 8888 to 7777 -->
- <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- No port # in action URL -->
- <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Change protocol from http:// to ftp://, include the expected 8888 port # -->
- <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Change protocol from http:// to ftp://, no port # specified -->
- <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Try a weird URL. -->
- <form id="form5" action="about:blank">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) -->
- <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Try a weird URL. -->
- <form id="form7" action="view-source:formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Action URL points to a different host (this is the archetypical exploit) -->
- <form id="form8" action="http://www.cnn.com/">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Action URL points to a different host, user field prefilled -->
- <form id="form9" action="http://www.cnn.com/">
- <input type="text" name="uname" value="testuser">
- <input type="password" name="pword">
-
- <button type="submit">Submit</button>
- <button type="reset"> Reset </button>
- </form>
-
- <!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. -->
- <form id="form10-A" action="http://www.cnn.com/">
- <form id="form10-B" action="formtest.js">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit (inner)</button>
- <button type="reset"> Reset (inner)</button>
- </form>
- <button type="submit" id="neutered_submit10">Submit (outer)</button>
- <button type="reset">Reset (outer)</button>
- </form>
-
- <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. -->
- <form id="form11-A" action="formtest.js">
- <form id="form11-B" action="http://www.cnn.com/">
- <input type="text" name="uname">
- <input type="password" name="pword">
-
- <button type="submit">Submit (inner)</button>
- <button type="reset"> Reset (inner)</button>
- </form>
- <button type="submit" id="neutered_submit11">Submit (outer)</button>
- <button type="reset">Reset (outer)</button>
- </form>
-
-<!-- TODO: probably should have some accounts which have no port # in the action url. JS too. And different host/proto. -->
-<!-- TODO: www.site.com vs. site.com? -->
-<!-- TODO: foo.site.com vs. bar.site.com? -->
-
-</div>
-<pre id="test">
-<script class="testbody" type="text/javascript">
-
-/** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
-
-function startTest() {
- for (var i = 1; i <= 8; i++) {
- // Check form i
- is($_(i, "uname").value, "", "Checking for unfilled username " + i);
- is($_(i, "pword").value, "", "Checking for unfilled password " + i);
- }
-
- is($_(9, "uname").value, "testuser", "Checking for unmodified username 9");
- is($_(9, "pword").value, "", "Checking for unfilled password 9");
-
- is($_("10-A", "uname").value, "", "Checking for unfilled username 10A");
- is($_("10-A", "pword").value, "", "Checking for unfilled password 10A");
-
- // The DOM indicates this form could be filled, as the evil inner form
- // is discarded. And yet pwmgr seems not to fill it. Not sure why.
- todo(false, "Mangled form combo not being filled when maybe it could be?");
- is($_("11-A", "uname").value, "testuser", "Checking filled username 11A");
- is($_("11-A", "pword").value, "testpass", "Checking filled password 11A");
-
- // Verify this by making sure there are no extra forms in the document, and
- // that the submit button for the neutered forms don't do anything.
- // If the test finds extra forms the submit() causes the test to timeout, then
- // there may be a security issue.
- is(document.forms.length, 11, "Checking for unexpected forms");
- $("neutered_submit10").click();
- $("neutered_submit11").click();
-
- SimpleTest.finish();
-}
-</script>
-</pre>
-</body>
-</html>
-
|