
ms2ger committed cf0c5e9

Add a test for window.location in the face of an iframe with name location (CVE-2011-2999), and add notes to probably-incorrect tests.

  • Parent commits 1c60fd6


Files changed (2)

 table-border
 window-props
 namedItem
+window-location
+From: Ms2ger <ms2ger@gmail.com>
+
+diff --git a/html/browsers/the-window-object/named-access-on-the-window-object/window-constructor.html b/html/browsers/the-window-object/named-access-on-the-window-object/window-constructor.html
+--- a/html/browsers/the-window-object/named-access-on-the-window-object/window-constructor.html
++++ b/html/browsers/the-window-object/named-access-on-the-window-object/window-constructor.html
+@@ -17,15 +17,16 @@ test(function() {
+   assert_false(window.hasOwnProperty("constructor"), "window.constructor should not be an own property.");
+ 
+   var proto = Object.getPrototypeOf(window);
+   assert_equals(proto.constructor, Window);
+   assert_true("constructor" in proto, "constructor in proto");
+   assert_data_propdesc(Object.getOwnPropertyDescriptor(proto, "constructor"),
+                        true, false, true);
+ 
++  // XXX: named property visibility algorithm probably breaks this
+   var gsp = Object.getPrototypeOf(proto);
+   assert_true("constructor" in gsp, "constructor in gsp");
+   assert_true(gsp.hasOwnProperty("constructor"), "gsp.hasOwnProperty(\"constructor\")");
+   assert_data_propdesc(Object.getOwnPropertyDescriptor(gsp, "constructor"),
+                        false, true, true);
+ }, "constructor should be an own property of the interface prototype object");
+ </script>
+diff --git a/html/browsers/the-window-object/named-access-on-the-window-object/window-location.html b/html/browsers/the-window-object/named-access-on-the-window-object/window-location.html
+new file mode 100644
+--- /dev/null
++++ b/html/browsers/the-window-object/named-access-on-the-window-object/window-location.html
+@@ -0,0 +1,37 @@
++<!doctype html>
++<meta charset=utf-8>
++<title>window.location</title>
++<link rel="author" title="Ms2ger" href="ms2ger@gmail.com">
++<link rel="help" href="http://www.whatwg.org/html/#window">
++<link rel="help" href="http://www.whatwg.org/html/#dom-window-nameditem">
++<link rel="help" href="http://dev.w3.org/2006/webapi/WebIDL/#named-properties-object">
++<link rel="help" href="http://dev.w3.org/2006/webapi/WebIDL/#interface-prototype-object">
++<script src="/resources/testharness.js"></script>
++<script src="/resources/testharnessreport.js"></script>
++<script src="../../../../common/propdesc.js"></script>
++<div id=log></div>
++<iframe name="location"></iframe>
++<script>
++test(function() {
++  var iframe = document.getElementsByTagName("iframe")[0];
++  assert_equals(iframe.name, "location");
++
++  assert_equals(window.location, document.location);
++  assert_equals(location, document.location);
++  assert_not_equals(window.location, iframe);
++  assert_not_equals(location, iframe);
++  assert_true(window.hasOwnProperty("location"), "location should be an own property of the window.");
++
++  // XXX: named property visibility algorithm probably breaks this
++  var proto = Object.getPrototypeOf(window);
++  assert_true("location" in proto, "location in proto");
++  assert_false(window.hasOwnProperty("location"), "location should not be an own property of the proto.");
++  assert_equals(proto.location, iframe);
++
++  var gsp = Object.getPrototypeOf(proto);
++  assert_true("location" in proto, "location in gsp");
++  assert_true(gsp.hasOwnProperty("location"), "location should be an own property of the gsp.");
++  assert_data_propdesc(Object.getOwnPropertyDescriptor(gsp, "constructor"),
++                       false, true, true);
++}, "location should be an own property of the interface prototype object");
++</script>
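Review bot: The new test in window-location.html can never pass as written, because it asserts `window.hasOwnProperty("location")` is true and later calls `assert_false(window.hasOwnProperty("location"), …)` on the same object, so a regression of the shadowing behaviour the commit cites (CVE-2011-2999) would be indistinguishable from the standing failure. The second assertion's message speaks of the proto, so it presumably should be `assert_false(proto.hasOwnProperty("location"), …)`; similarly, `assert_true("location" in proto, "location in gsp")` presumably meant `"location" in gsp`. The final `Object.getOwnPropertyDescriptor(gsp, "constructor")` and the test title appear to be copied from window-constructor.html and should name `"location"`. I would also move the assertions that `window.location` and `location` equal `document.location` and are not the iframe into their own `test()`, so the security-relevant check reports independently of the prototype-chain assertions marked XXX.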