toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Test for considering form action</title>
  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="text/javascript" src="pwmgr_common.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
Login Manager test: Bug 360493
<script>
runChecksAfterCommonInit(() => startTest());
</script>
<p id="display"></p>
<div id="content" style="display: none">

  <!-- normal form with normal relative action. -->
  <form id="form1" action="formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- fully specify the action URL -->
  <form id="form2" action="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- fully specify the action URL, and change the path -->
  <form id="form3" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- fully specify the action URL, and change the path and filename -->
  <form id="form4" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/not_a_test.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- specify the action URL relative to the current document-->
  <form id="form5" action="./formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- specify the action URL relative to the current server -->
  <form id="form6" action="/tests/toolkit/components/passwordmgr/test/formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- Change the method from get to post -->
  <form id="form7" action="formtest.js" method="POST">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- Blank action URL specified -->
  <form id="form8" action="">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- |action| attribute entirely missing -->
  <form id="form9" >
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- action url as javascript -->
  <form id="form10" action="javascript:alert('this form is not submitted so this alert should not be invoked');">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- TODO: action=IP.ADDRESS instead of HOSTNAME? -->
  <!-- TODO: test with |base href="http://othersite//"| ? -->
</div>
<pre id="test">
<script class="testbody" type="text/javascript">

/** Test for Login Manager: 360493 (Cross-Site Forms + Password
    Manager = Security Failure) **/

// This test is designed to make sure variations on the form's |action|
// and |method| continue to work with the fix for 360493.

function startTest() {
  for (var i = 1; i <= 9; i++) {
    // Check form i
    is($_(i, "uname").value, "testuser", "Checking for filled username " + i);
    is($_(i, "pword").value, "testpass", "Checking for filled password " + i);
  }

  // The login's formSubmitURL isn't "javascript:", so don't fill it in.
  isnot($_(10, "uname"), "testuser", "Checking username w/ JS action URL");
  isnot($_(10, "pword"), "testpass", "Checking password w/ JS action URL");

  SimpleTest.finish();
}
</script>
</pre>
</body>
</html>