diff options
Diffstat (limited to 'Source/WebCore/manual-tests/inspector-wrappers')
10 files changed, 175 insertions, 0 deletions
diff --git a/Source/WebCore/manual-tests/inspector-wrappers/console-alert-document-body.html b/Source/WebCore/manual-tests/inspector-wrappers/console-alert-document-body.html new file mode 100644 index 0000000..a177834 --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/console-alert-document-body.html @@ -0,0 +1,14 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +window.alert = function(msg) { + msg.titleInfo = doAttack; + return msg; +} +</script> +</head> +<body> +<script>instructions({console: true, trigger: "alert(document.body)"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/console-alert-object.html b/Source/WebCore/manual-tests/inspector-wrappers/console-alert-object.html new file mode 100644 index 0000000..5caab2b --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/console-alert-object.html @@ -0,0 +1,14 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +window.alert = function(msg) { + msg.__proto__.toString = doAttack; + return msg; +} +</script> +</head> +<body> +<script>instructions({console: true, trigger: "alert({})"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/console-alert-this.html b/Source/WebCore/manual-tests/inspector-wrappers/console-alert-this.html new file mode 100644 index 0000000..4b80326 --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/console-alert-this.html @@ -0,0 +1,17 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +window.alert = function(consolePanel) { + var _addMessage = consolePanel.addMessage; + consolePanel.addMessage = function() { + doAttack(consolePanel.addMessage); + consolePanel.addMessage = _addMessage; + } +} +</script> +</head> +<body> +<script>instructions({console: true, trigger: "alert(this)"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/console-eval.html b/Source/WebCore/manual-tests/inspector-wrappers/console-eval.html new file mode 100644 index 0000000..9274cea --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/console-eval.html @@ -0,0 +1,11 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +window.eval = function() { doAttack(eval); } +</script> +</head> +<body> +<script>instructions({console: true, trigger: "something"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/console-str-alert-object.html b/Source/WebCore/manual-tests/inspector-wrappers/console-str-alert-object.html new file mode 100644 index 0000000..d146663 --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/console-str-alert-object.html @@ -0,0 +1,15 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +window.str = window.expression = "alert({})"; +window.alert = function(msg) { + msg.__proto__.toString = doAttack; + return msg; +} +</script> +</head> +<body> +<script>instructions({console: true, trigger: "something"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/console-str-getter.html b/Source/WebCore/manual-tests/inspector-wrappers/console-str-getter.html new file mode 100644 index 0000000..31f8907 --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/console-str-getter.html @@ -0,0 +1,12 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +window.__defineGetter__("str", doAttack); +window.__defineGetter__("expression", doAttack); +</script> +</head> +<body> +<script>instructions({console: true, trigger: "something"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/inspector-evaluate.html b/Source/WebCore/manual-tests/inspector-wrappers/inspector-evaluate.html new file mode 100644 index 0000000..cc00c3b --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/inspector-evaluate.html @@ -0,0 +1,11 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +<script> +document.evaluate = doAttack; +</script> +</head> +<body> +<script>instructions({trigger: "Type something into the search box"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/inspector-hasAttributes.html b/Source/WebCore/manual-tests/inspector-wrappers/inspector-hasAttributes.html new file mode 100644 index 0000000..1fdf51a --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/inspector-hasAttributes.html @@ -0,0 +1,18 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +</head> +<body> +<script>instructions({trigger: "Collapse and expand the <body/> tag"});</script> +<script> + _hasAttributes = document.body.hasAttributes; + attackfunc = function() { + try { doAttack(); } catch(ex) { } + return _hasAttributes.call(this); + } + document.body.firstChild.hasAttributes = attackfunc; + document.body.hasAttributes = attackfunc; + document.body.parentNode.hasAttributes = attackfunc; +</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/inspector-treeElementIdentifier.html b/Source/WebCore/manual-tests/inspector-wrappers/inspector-treeElementIdentifier.html new file mode 100644 index 0000000..288edc7 --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/inspector-treeElementIdentifier.html @@ -0,0 +1,17 @@ +<html> +<head> +<script src="inspector-wrappers-test-utils.js"></script> +</head> +<body> +<script> + document.body.__defineGetter__("__treeElementIdentifier", function() { + try { doAttack(); } catch(ex) { } + return this.___treeElementIdentifier; + }); + document.body.__defineSetter__("__treeElementIdentifier", function(val) { + this.___treeElementIdentifier = val; + }); +</script> +<script>instructions({trigger: "Collapse and expand the <body/> tag"});</script> +</body> +</html> diff --git a/Source/WebCore/manual-tests/inspector-wrappers/inspector-wrappers-test-utils.js b/Source/WebCore/manual-tests/inspector-wrappers/inspector-wrappers-test-utils.js new file mode 100644 index 0000000..2666167 --- /dev/null +++ b/Source/WebCore/manual-tests/inspector-wrappers/inspector-wrappers-test-utils.js @@ -0,0 +1,46 @@ +var truealert = window.alert; // we overwrite window.alert sometimes + +// Walk up the caller chain and try to find a reference to the Inspector's window +function doAttack() { + var obj = doAttack.caller; + for (var i = 0; + i < 1000 && (obj.arguments.length == 0 || !obj.arguments[0].target); + i++) { + obj = obj.caller; + } + if (i == 1000) return; + var win = obj.arguments[0].target.ownerDocument.defaultView; + xhr(win); +} + +function xhr(win) { + var xhr = new win.XMLHttpRequest(); + var url = prompt("Test failed. To prove it, I'm going " + + "to make a cross-domain XMLHttpRequest. Where " + + "would you like me to send it?\n\nHint: You can " + + "also try a file:// URL.", "http://www.example.com/"); + xhr.open("GET", url, false); + xhr.send(); + truealert("Result:\n\n" + xhr.responseText); +} + +function instructions(params) { + var str = "<p>This test tries to make a cross-domain XMLHttpRequest to " + + "check whether JavaScript object wrappers are working (bug 16837, bug 16011).</p>" + + "<p>View this page from an http:// URL to ensure that it's in a different " + + "origin from the Inspector.</p>" + + "<p>Instructions:</p>" + + "<ol>" + + "<li>Right click the box" + + "<img id=logo src='../resources/webkit-background.png'" + + "style='border: 1px solid black; display: block; margin: 1em;'>" + + "<li>Choose \"Inspect Element\" from the context menu"; + if (params.console) { + str += "<li>Select the Console"; + str += "<li>Type " + params.trigger + " into the console and hit Enter"; + } else { + str += "<li>" + params.trigger; + } + str += "<li>If the test failed, a prompt will appear.</ol>"; + document.write(str); +} |