spec: Should check origin before accessing window.opener

2016-11-15 16:47:28 +09:00 · 2016-11-15 16:47:28 +09:00 · a1dfdbdde4
commit a1dfdbdde4
parent 63a138b6de
2 changed files with 53 additions and 4 deletions
--- a/spec/chromium-spec.js
+++ b/spec/chromium-spec.js
@ -283,11 +283,11 @@ describe('chromium feature', function () {
  describe('window.opener', function () {
    this.timeout(10000)

-    var url = 'file://' + fixtures + '/pages/window-opener.html'
-    var w = null
+    let url = 'file://' + fixtures + '/pages/window-opener.html'
+    let w = null

    afterEach(function () {
-      w != null ? w.destroy() : void 0
+      if (w) w.destroy()
    })

    it('is null for main window', function (done) {
@ -302,7 +302,7 @@ describe('chromium feature', function () {
    })

    it('is not null for window opened by window.open', function (done) {
-      var b
+      let b
      listener = function (event) {
        assert.equal(event.data, 'object')
        b.close()
@ -313,6 +313,48 @@ describe('chromium feature', function () {
    })
  })

+  describe('window.opener security', function () {
+    this.timeout(10000)
+
+    let scheme = 'other'
+    let url = `${scheme}://${fixtures}/pages/window-opener-location.html`
+    let w = null
+
+    before(function () {
+      protocol.registerFileProtocol(scheme, function (request, callback) {
+        callback(`${fixtures}/pages/window-opener-location.html`)
+      }, function (error) {
+        if (error) done(error)
+      })
+    })
+
+    after(function() {
+      protocol.unregisterProtocol(scheme)
+    })
+
+    afterEach(function () {
+      w.close()
+    })
+
+    it('does nothing when origin of current window does not match opener', function (done) {
+      listener = function (event) {
+        assert.equal(event.data, undefined)
+        done()
+      }
+      window.addEventListener('message', listener)
+      w = window.open(url, '', 'show=no')
+    })
+
+    it('works when origin does not match opener but has node integration', function (done) {
+      listener = function (event) {
+        assert.equal(event.data, location.href)
+        done()
+      }
+      window.addEventListener('message', listener)
+      w = window.open(url, '', 'show=no,nodeIntegration=yes')
+    })
+  })
+
  describe('window.postMessage', function () {
    it('sets the source and origin correctly', function (done) {
      var b, sourceId
--- a/spec/fixtures/pages/window-opener-location.html
+++ b/spec/fixtures/pages/window-opener-location.html
@ -0,0 +1,7 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+  window.opener.postMessage(window.opener.location, '*')
+</script>
+</body>
+</html>