spec: Should check origin before accessing window.opener
parent
63a138b6de
commit
a1dfdbdde4
2 changed files with 53 additions and 4 deletions
|
@ -283,11 +283,11 @@ describe('chromium feature', function () {
|
||||||
describe('window.opener', function () {
|
describe('window.opener', function () {
|
||||||
this.timeout(10000)
|
this.timeout(10000)
|
||||||
|
|
||||||
var url = 'file://' + fixtures + '/pages/window-opener.html'
|
let url = 'file://' + fixtures + '/pages/window-opener.html'
|
||||||
var w = null
|
let w = null
|
||||||
|
|
||||||
afterEach(function () {
|
afterEach(function () {
|
||||||
w != null ? w.destroy() : void 0
|
if (w) w.destroy()
|
||||||
})
|
})
|
||||||
|
|
||||||
it('is null for main window', function (done) {
|
it('is null for main window', function (done) {
|
||||||
|
@ -302,7 +302,7 @@ describe('chromium feature', function () {
|
||||||
})
|
})
|
||||||
|
|
||||||
it('is not null for window opened by window.open', function (done) {
|
it('is not null for window opened by window.open', function (done) {
|
||||||
var b
|
let b
|
||||||
listener = function (event) {
|
listener = function (event) {
|
||||||
assert.equal(event.data, 'object')
|
assert.equal(event.data, 'object')
|
||||||
b.close()
|
b.close()
|
||||||
|
@ -313,6 +313,48 @@ describe('chromium feature', function () {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe('window.opener security', function () {
|
||||||
|
this.timeout(10000)
|
||||||
|
|
||||||
|
let scheme = 'other'
|
||||||
|
let url = `${scheme}://${fixtures}/pages/window-opener-location.html`
|
||||||
|
let w = null
|
||||||
|
|
||||||
|
before(function () {
|
||||||
|
protocol.registerFileProtocol(scheme, function (request, callback) {
|
||||||
|
callback(`${fixtures}/pages/window-opener-location.html`)
|
||||||
|
}, function (error) {
|
||||||
|
if (error) done(error)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
after(function() {
|
||||||
|
protocol.unregisterProtocol(scheme)
|
||||||
|
})
|
||||||
|
|
||||||
|
afterEach(function () {
|
||||||
|
w.close()
|
||||||
|
})
|
||||||
|
|
||||||
|
it('does nothing when origin of current window does not match opener', function (done) {
|
||||||
|
listener = function (event) {
|
||||||
|
assert.equal(event.data, undefined)
|
||||||
|
done()
|
||||||
|
}
|
||||||
|
window.addEventListener('message', listener)
|
||||||
|
w = window.open(url, '', 'show=no')
|
||||||
|
})
|
||||||
|
|
||||||
|
it('works when origin does not match opener but has node integration', function (done) {
|
||||||
|
listener = function (event) {
|
||||||
|
assert.equal(event.data, location.href)
|
||||||
|
done()
|
||||||
|
}
|
||||||
|
window.addEventListener('message', listener)
|
||||||
|
w = window.open(url, '', 'show=no,nodeIntegration=yes')
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
describe('window.postMessage', function () {
|
describe('window.postMessage', function () {
|
||||||
it('sets the source and origin correctly', function (done) {
|
it('sets the source and origin correctly', function (done) {
|
||||||
var b, sourceId
|
var b, sourceId
|
||||||
|
|
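Review bot: The `before` hook in the new `window.opener security` block calls `done(error)` although its callback is declared as `function ()`, so `done` is not defined there. A registration failure would raise a ReferenceError instead of failing the hook, and on success Mocha does not wait for `registerFileProtocol` to finish before the first `window.open(url, ...)`. Declare the hook as `before(function (done) {` and pass the completion callback as `function (error) { done(error) }`. Both new tests also call `window.addEventListener('message', listener)` with no matching `removeEventListener`, so the first test's handler may still be attached when the second test's message arrives; this is inferred, because `listener` is declared outside the visible hunks. For the negative case, `assert.strictEqual(event.data, undefined)` is tighter than `assert.equal`, which also accepts `null`.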
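--- a/spec/fixtures/pages/window-opener-location.html
+++ b/spec/fixtures/pages/window-opener-location.html
@@ -0,0 +1,7 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+window.opener.postMessage(window.opener.location, '*')
+</script>
+</body>
+</html>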