Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: os == 'android'
- Manifest: toolkit/components/passwordmgr/test/mochitest/mochitest.toml
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Test for considering form action</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<script type="text/javascript" src="pwmgr_common.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script>
gTestDependsOnDeprecatedLogin = true;
runChecksAfterCommonInit(() => startTest());
let DEFAULT_ORIGIN = window.location.origin;
</script>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
<script class="testbody" type="text/javascript">
/** Test for Login Manager: 360493 (Cross-Site Forms + Password
Manager = Security Failure) **/
// This test is designed to make sure variations on the form's |action|
// and |method| continue to work with the fix for 360493.
async function startTest() {
let win = window.open("about:blank");
SimpleTest.registerCleanupFunction(() => win.close());
await loadFormIntoWindow(DEFAULT_ORIGIN, `
<!-- normal form with normal relative action. -->
<form id="form1" action="formtest.js">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- fully specify the action URL -->
<form id="form2" action="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- fully specify the action URL, and change the path -->
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- fully specify the action URL, and change the path and filename -->
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- specify the action URL relative to the current document-->
<form id="form5" action="./formtest.js">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- specify the action URL relative to the current server -->
<form id="form6" action="/tests/toolkit/components/passwordmgr/test/formtest.js">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- Change the method from get to post -->
<form id="form7" action="formtest.js" method="POST">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- Blank action URL specified -->
<form id="form8" action="">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- |action| attribute entirely missing -->
<form id="form9" >
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>
<!-- action url as javascript -->
<form id="form10" action="javascript:alert('this form is not submitted so this alert should not be invoked');">
<input type="text" name="uname">
<input type="password" name="pword">
<button type="submit">Submit</button>
<button type="reset"> Reset </button>
</form>`, win, 10);
// TODO: action=IP.ADDRESS instead of HOSTNAME?
for (var i = 1; i <= 9; i++) {
// Check form i
await checkLoginFormInFrameWithElementValues(win, i, "testuser", "testpass");
}
// The login's formActionOrigin isn't "javascript:", so don't fill it in.
await checkLoginFormInFrameWithElementValues(win, 10, "", "");
SimpleTest.finish();
}
</script>
</pre>
</body>
</html>