"use strict";
const { Cc, Ci, Cu } = require('chrome');
function makeWindow() {
let html = '
' +
"" +
'' +
'' +
"";
let content =
'' +
'' +
'' +
'';
var url = "data:application/vnd.mozilla.xul+xml," +
encodeURIComponent(content);
var features = ["chrome", "width=1000", "height=1000"];
return Cc["@mozilla.org/embedcomp/window-watcher;1"].
getService(Ci.nsIWindowWatcher).
openWindow(null, url, null, features.join(","), null);
}
function testSandbox(test, createSandbox) {
let chromeWindow = makeWindow();
test.waitUntilDone();
// We need to wait for the load/unload of temporary about:blank
// or our worker is going to be automatically destroyed
chromeWindow.addEventListener("load", function onload() {
chromeWindow.removeEventListener("load", onload, true);
let contentWin = chromeWindow.document.getElementById("content").contentWindow.wrappedJSObject;
let sandbox = createSandbox(contentWin);
executeTestAgainstSandbox(test, contentWin, sandbox);
//chromeWindow.close();
test.done();
}, true);
}
function executeTestAgainstSandbox(test, win, sandbox) {
function evalInSandbox(script) {
return Cu.evalInSandbox(script, sandbox);
}
// First confirm that in our unit test, `win` object is an unwrapped one
test.assertEqual("documentGlobal" in win, true,
"`win` object behaves correctly");
// Check if we have access to document globals (should not)
test.assertEqual(evalInSandbox('window.documentGlobal'), null,
"Does not have access to early document globals");
test.assertEqual(evalInSandbox('window.lateDocumentGlobal'), null,
"Does not have access to late document globals");
// Check content script globals visibility (should not pollute document)
evalInSandbox('var scriptGlobal = true;');
test.assertEqual("scriptGlobal" in win, false,
"content script globals doesn't pollute document globals");
test.assertEqual(evalInSandbox('window.scriptGlobal'), true,
"`window` attributes and globals are the same");
// Check that content script can't pollute document
evalInSandbox('window.injectThroughWindow = true;');
test.assertEqual("injectThroughWindow" in win, false,
"we are not able to inject globals throught `window`");
// Find a way to inject JS from the content script to the document
evalInSandbox('if (typeof unsafeWindow == "object")' +
' unsafeWindow.injectThroughWrappedJSWindow = true;' +
'else if (window.wrappedJSObject)' +
' window.wrappedJSObject.injectThroughWrappedJSWindow = true;' +
'else if (window.window)' +
' window.window.injectThroughWrappedJSWindow = true;' +
'document.defaultView.injectThroughWrappedJSWindow = true;'
);
test.assertEqual("injectThroughWrappedJSWindow" in win, true,
"we can inject globals through `window.wrappedJSObject`, " +
"`window.window` or `document.defaultView'");
// Check that forms are directly accessible in `document`
test.assertEqual(evalInSandbox("typeof document.kk"), "object",
"