From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin" <mattatobin@localhost.localdomain>
Date: Fri, 2 Feb 2018 04:16:08 -0500
Subject: Add m-esr52 at 52.6.0

---
 .../components/sessionstore/test/browser_463205.js | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 browser/components/sessionstore/test/browser_463205.js

(limited to 'browser/components/sessionstore/test/browser_463205.js')

diff --git a/browser/components/sessionstore/test/browser_463205.js b/browser/components/sessionstore/test/browser_463205.js
new file mode 100644
index 000000000..ad3f22794
--- /dev/null
+++ b/browser/components/sessionstore/test/browser_463205.js
@@ -0,0 +1,40 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const URL = ROOT + "browser_463205_sample.html";
+
+/**
+ * Bug 463205 - Check URLs before restoring form data to make sure a malicious
+ * website can't modify frame URLs and make us inject form data into the wrong
+ * web pages.
+ */
+add_task(function test_check_urls_before_restoring() {
+  // Add a blank tab.
+  let tab = gBrowser.addTab("about:blank");
+  let browser = tab.linkedBrowser;
+  yield promiseBrowserLoaded(browser);
+
+  // Restore form data with a valid URL.
+  yield promiseTabState(tab, getState(URL));
+
+  let value = yield getInputValue(browser, {id: "text"});
+  is(value, "foobar", "value was restored");
+
+  // Restore form data with an invalid URL.
+  yield promiseTabState(tab, getState("http://example.com/"));
+
+  value = yield getInputValue(browser, {id: "text"});
+  is(value, "", "value was not restored");
+
+  // Cleanup.
+  gBrowser.removeTab(tab);
+});
+
+function getState(url) {
+  return JSON.stringify({
+    entries: [{url: URL}],
+    formdata: {url: url, id: {text: "foobar"}}
+  });
+}
-- 
cgit v1.2.3