summaryrefslogtreecommitdiffstats
path: root/js/xpconnect/tests/unit/test_components.js
diff options
context:
space:
mode:
Diffstat (limited to 'js/xpconnect/tests/unit/test_components.js')
-rw-r--r--js/xpconnect/tests/unit/test_components.js54
1 files changed, 54 insertions, 0 deletions
diff --git a/js/xpconnect/tests/unit/test_components.js b/js/xpconnect/tests/unit/test_components.js
new file mode 100644
index 000000000..623a365c0
--- /dev/null
+++ b/js/xpconnect/tests/unit/test_components.js
@@ -0,0 +1,54 @@
+const Cu = Components.utils;
+
+function run_test() {
+ var sb1 = Cu.Sandbox("http://www.blah.com");
+ var sb2 = Cu.Sandbox("http://www.blah.com");
+ var sb3 = Cu.Sandbox(this);
+ var sb4 = Cu.Sandbox("http://www.other.com");
+ var rv;
+
+ // Components is normally hidden from content on the XBL scope chain, but we
+ // expose it to content here to make sure that the security wrappers work
+ // regardless.
+ [sb1, sb2, sb4].forEach(function(x) { x.Components = Cu.getComponentsForScope(x); });
+
+ // non-chrome accessing chrome Components
+ sb1.C = Components;
+ checkThrows("C.utils", sb1);
+ checkThrows("C.classes", sb1);
+
+ // non-chrome accessing own Components
+ do_check_eq(Cu.evalInSandbox("typeof Components.interfaces", sb1), 'object');
+ do_check_eq(Cu.evalInSandbox("typeof Components.utils", sb1), 'undefined');
+ do_check_eq(Cu.evalInSandbox("typeof Components.classes", sb1), 'undefined');
+
+ // Make sure an unprivileged Components is benign.
+ var C2 = Cu.evalInSandbox("Components", sb2);
+ var whitelist = ['interfaces', 'interfacesByID', 'results', 'isSuccessCode', 'QueryInterface'];
+ for (var prop in Components) {
+ do_print("Checking " + prop);
+ do_check_eq((prop in C2), whitelist.indexOf(prop) != -1);
+ }
+
+ // non-chrome same origin
+ sb1.C2 = C2;
+ do_check_eq(Cu.evalInSandbox("typeof C2.interfaces", sb1), 'object');
+ do_check_eq(Cu.evalInSandbox("typeof C2.utils", sb1), 'undefined');
+ do_check_eq(Cu.evalInSandbox("typeof C2.classes", sb1), 'undefined');
+
+ // chrome accessing chrome
+ sb3.C = Components;
+ rv = Cu.evalInSandbox("C.utils", sb3);
+ do_check_eq(rv, Cu);
+
+ // non-chrome cross origin
+ sb4.C2 = C2;
+ checkThrows("C2.interfaces", sb4);
+ checkThrows("C2.utils", sb4);
+ checkThrows("C2.classes", sb4);
+}
+
+function checkThrows(expression, sb) {
+ var result = Cu.evalInSandbox('(function() { try { ' + expression + '; return "allowed"; } catch (e) { return e.toString(); }})();', sb);
+ do_check_true(!!/denied/.exec(result));
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 01:28:00 +0000