summaryrefslogtreecommitdiffstats
path: root/dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html')
-rw-r--r--dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html211
1 files changed, 211 insertions, 0 deletions
diff --git a/dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html b/dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html
new file mode 100644
index 000000000..b2e36dbbf
--- /dev/null
+++ b/dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html
@@ -0,0 +1,211 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>Setting document.domain and IDN</title>
+ <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+
+<!--
+
+This testing all gets a bit complicated here; the problem is that our
+document.domain implementation will do a suffix comparison of the value to which
+it's being set against the current URI's base domain (where "base domain" is
+defined as the effective TLD plus one; see nsIEffectiveTLDService.idl). Seems
+simple enough, right? Wrong.
+
+The problem, as usual, is IDN. Our current, wholly-inadequate solution to
+preventing Unicode domain-name spoofing is done at the level of the URL
+implementation, not at the presentation level. However, the value of the
+base domain for the current URI is always calculated in punycode; if the
+provided domain is one which is whitelisted, we'll get an IDN name and the
+suffix-comparison will fail. Nice great big mess, huh?
+
+Anyway: "test" currently fits the bill as a TLD which is not whitelisted, while
+"δοκιμή" (the Greek IDN TLD for "test") fits the bill as a TLD which is
+whitelisted. RFC 2606 reserves "test" for DNS testing, so nobody's going to
+clamor for it to be whitelisted any time soon. The latter is as of February
+2008 undergoing testing for IDN TLDs, and it's at least temporarily whitelisted
+for now. Once the testing period ends the latter's probably going to be
+un-whitelisted, so we're going to have to do a careful bit of stepping to ensure
+that in the future this test tests what it was intended to test (and, until
+bug 414090 is fixed, that it doesn't break when the Greek TLD is
+un-whitelisted).
+
+After bug 722299 the IDN whitelist is expected to go away (bug
+843689), but bug 414090 still applies, mutatis mutandis. The test has
+been changed to use exaмple.test instead (with a Cyrillic м), which
+will fail the mixed-script tests and use punycode.
+-->
+
+<div>
+<h2>Whitelisted</h2>
+<iframe name="idnKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-whitelist"></iframe>
+<iframe name="punycodeKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-whitelist"></iframe>
+</div>
+
+<div>
+<h2>Not whitelisted</h2>
+<iframe name="idnKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-nowhitelist"></iframe>
+<iframe name="punycodeKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-nowhitelist"></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="application/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+var gotIDNNoWhitelist = false;
+var gotPunycodeNoWhitelist = false;
+var gotIDNWhitelist = false;
+var gotPunycodeWhitelist = false;
+
+var whitelistRegex =
+ new RegExp("^http://sub1\\.παράδειγμα\\.δοκιμή/tests/dom/tests/" +
+ "mochitest/dom-level0/idn_child\\.html\\?(.+)$");
+
+var noWhitelistRegex =
+ new RegExp("^http://sub1\\.exaмple\\.test/tests/dom/tests/" +
+ "mochitest/dom-level0/idn_child\\.html\\?(.+)$");
+
+var state = 0;
+
+var messages =
+ [
+ "idn-whitelist",
+ "punycode-whitelist",
+ "idn-nowhitelist",
+ "punycode-nowhitelist",
+ ];
+
+
+function receiveMessage(evt)
+{
+ var origin = evt.origin;
+ var match;
+ if (/test$/.test(origin))
+ {
+ // XXX bug 414090
+ // The value of MessageEvent.origin with postMessage *should* always be IDN;
+ // unfortunately, given our current setup for dealing with Unicode-based
+ // domain-name spoofing, whether a domain is in the safe-for-IDN whitelist
+ // affects the value of this property (likewise for window.location,
+ // document.location, document.domain, and probably a slew of other
+ // things). :-(
+ //
+ // These two tests should illustrate what currently happens and what should
+ // happen once bug 414090 is fixed.
+ todo_is(evt.origin, "http://sub1.exaмple.test", "wrong sender");
+ todo_isnot(evt.origin, "http://sub1.xn--exaple-kqf.test", "wrong sender");
+ }
+ else
+ {
+ // We're receiving data from the Greek IDN name; since that TLD is
+ // whitelisted for now, the domain we get isn't going to be punycoded.
+ is(evt.origin, "http://sub1.παράδειγμα.δοκιμή", "wrong sender");
+ }
+
+ is(messages[state] + "-response", evt.data.split(" ")[0],
+ "unexpected data: " + evt.data);
+
+ switch (messages[state])
+ {
+ case "idn-whitelist":
+ gotIDNWhitelist = true;
+ ok(evt.source === window.frames.idnKidWhitelist, "wrong source");
+ is(evt.data, "idn-whitelist-response", "wrong response for IDN");
+ break;
+
+ case "punycode-whitelist":
+ gotPunycodeWhitelist = true;
+ ok(evt.source === window.frames.punycodeKidWhitelist, "wrong source");
+ is(evt.data, "punycode-whitelist-response", "wrong response for punycode");
+ break;
+
+ case "idn-nowhitelist":
+ gotIDNNoWhitelist = true;
+ ok(evt.source === window.frames.idnKidNoWhitelist, "wrong source");
+ is(evt.data, "idn-nowhitelist-response", "wrong response for IDN");
+ break;
+
+ case "punycode-nowhitelist":
+ gotPunycodeNoWhitelist = true;
+ ok(evt.source === window.frames.punycodeKidNoWhitelist, "wrong source");
+ is(evt.data, "punycode-nowhitelist-response", "wrong response for punycode");
+ break;
+
+ default:
+ ok(false, "unreached");
+ break;
+ }
+
+ state++;
+}
+
+function run()
+{
+ var target = window.frames.idnKidWhitelist;
+ target.postMessage("idn-whitelist", "http://sub1.παράδειγμα.δοκιμή");
+
+ // Double-timeouts account for 1) delay for message to be received by target
+ // window and 2) delay for response from target window to be received by this
+ // window.
+
+ setTimeout(function()
+ {
+ setTimeout(function()
+ {
+ ok(gotIDNWhitelist, "IDN whitelist message not received");
+
+ var target = window.frames.punycodeKidWhitelist;
+ target.postMessage("punycode-whitelist", "http://sub1.παράδειγμα.δοκιμή");
+
+ setTimeout(function()
+ {
+ setTimeout(function()
+ {
+ ok(gotPunycodeWhitelist, "punycode whitelist message not received");
+
+ var target = window.frames.idnKidNoWhitelist;
+ target.postMessage("idn-nowhitelist", "http://sub1.exaмple.test");
+
+ setTimeout(function()
+ {
+ setTimeout(function()
+ {
+ ok(gotIDNNoWhitelist, "IDN no-whitelist message not received");
+
+ var target = window.frames.punycodeKidNoWhitelist;
+ target.postMessage("punycode-nowhitelist",
+ "http://sub1.exaмple.test");
+
+ setTimeout(function()
+ {
+ setTimeout(function()
+ {
+ ok(gotPunycodeNoWhitelist,
+ "punycode no-whitelist message not received");
+
+ SimpleTest.finish();
+ }, 0);
+ }, 0);
+ }, 0);
+ }, 0);
+ }, 0);
+ }, 0);
+ }, 0);
+ }, 0);
+}
+
+window.addEventListener("message", receiveMessage, false);
+window.addEventListener("load", run, false);
+</script>
+</pre>
+</body>
+</html>