summaryrefslogtreecommitdiff
path: root/dom/plugins/test/mochitest/test_bug813906.html
blob: d18dbbff2f84232ac99b2baf6ea4e84b0a90cdc8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
<!doctype html>
<html>
<head>
  <title>Test for Bug 813906</title>
  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="text/javascript" src="plugin-utils.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>

  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <base href="chrome://browser/content/">
</head>
<body>

<script type="application/javascript">
function f() {
  document.getElementsByTagName("base")[0].href = "http://www.safe.com/";
}
</script>

<script type="application/javascript">
SimpleTest.requestFlakyTimeout(
  "Blocking an iframe does not cause the onerror event to be fired");

SimpleTest.waitForExplicitFinish();
setTestPluginEnabledState(SpecialPowers.Ci.nsIPluginTag.STATE_ENABLED);

var frameLoadCount = 0;

function frameNavBlocked() {
  isnot(SpecialPowers.wrap(window.frame1).location.href.indexOf('chrome://'),
        0, 'plugin shouldnt be able to cause navigation to chrome URLs');
  SimpleTest.finish();
}

function frameLoaded() {
  frameLoadCount++;
  if (frameLoadCount == 1) {
    document.getElementsByTagName("object")[0].type = "application/x-test";
    document.getElementsByTagName("use")[0].setAttributeNS("http://www.w3.org/1999/xlink", "href", location.href + "#a");

    // wait two seconds and verify that frame navigation did not succeed
    setTimeout(frameNavBlocked, 2000);
    return;
  }
  // we should never get here, but just in case, make sure the test fails in that case.
  ok(false, "onload() event should not fire for blocked navigation");
  SimpleTest.finish();
}

</script>

<!-- Note that <svg:use> ends up creating an anonymous subtree, which means that the plugin
     reflector gets hoisted into the XBL scope, and isn't accessible to content. We pass
     the 'donttouchelement' parameter to the plugin to prevent it from trying to define the
     'pluginFoundElement' property on the plugin reflector, since doing so would throw a
     security exception. -->
<svg>
  <symbol id="a">
    <foreignObject>
      <object bugmode="813906" frame="frame1"><param name="donttouchelement"></param></object>
    </foreignObject>
  </symbol>
  <use />
</svg>

<iframe name="frame1" onload="frameLoaded()"></iframe>
</body>
</html>