1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
<?xml version="1.0"?>
<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=792280
-->
<window title="Mozilla Bug 792280"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
<!-- test results are displayed in the html:body -->
<body xmlns="http://www.w3.org/1999/xhtml">
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=792280"
target="_blank">Mozilla Bug 792280</a>
</body>
<!-- test code goes here -->
<script type="application/javascript">
<![CDATA[
/** Test for Bug 792280 **/
const Cu = Components.utils;
function checkSb(sb, expect) {
var target = new Cu.Sandbox('http://www.example.com');
Cu.evalInSandbox('function fun() { return arguments.callee.caller; };', target);
sb.fun = target.fun;
let allowed = false;
try {
allowed = Cu.evalInSandbox('function doTest() { return fun() == doTest; }; doTest()', sb);
isnot(expect, "throw", "Should have thrown");
} catch (e) {
is(expect, "throw", "Should expect exception");
ok(/denied|insecure/.test(e), "Should be a security exception: " + e);
}
is(allowed, expect == "allow", "should censor appropriately");
}
// Note that COWs are callable, but XOWs are not.
checkSb(new Cu.Sandbox('http://www.example.com'), "allow");
checkSb(new Cu.Sandbox('http://www.example.org'), "throw");
checkSb(new Cu.Sandbox(window), "censor");
]]>
</script>
</window>
|