From f8bec8609f185c139612e076367a99e973bb388a Mon Sep 17 00:00:00 2001
From: weizman
Date: Mon, 17 Jul 2023 15:32:34 +0300
Subject: [PATCH] Fix multiple document.write calls (#126)
---
 test/html.js | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/test/html.js b/test/html.js
index de3d22f..56a0e4a 100644
--- a/test/html.js
+++ b/test/html.js
@@ -173,6 +173,39 @@ describe('test HTML injections', async function () {
 expect(['V', 'CSP-script-src-elem']).toContain(result);
 });
+ it('should fail to use atob of an iframe introduced via multiple document.write args', async function () {
+ if (global.BROWSER === 'FIREFOX') {
+ this.skip(); // requires a fix #58
+ }
+ const result = await browser.executeAsync(function(done) {
+ if (top.TEST_UTILS.bailOnCorrectUnsafeCSP(done)) return;
+ top.bypass = (wins) => top.TEST_UTILS.bypass(wins, done);
+ (function(){
+ var f = document.createElement('iframe');
+ testdiv.appendChild(f);
+ f.contentDocument.write('');
+ }());
+ });
+ expect(['V', 'CSP-script-src-elem']).toContain(result);
+ });
+
+ it('should fail to use atob of an iframe introduced via multiple document.write calls', async function () {
+ if (global.BROWSER === 'FIREFOX') {
+ this.skip(); // requires a fix #58
+ }
+ const result = await browser.executeAsync(function(done) {
+ if (top.TEST_UTILS.bailOnCorrectUnsafeCSP(done)) return;
+ top.bypass = (wins) => top.TEST_UTILS.bypass(wins, done);
+ (function(){
+ var f = document.createElement('iframe');
+ testdiv.appendChild(f);
+ f.contentDocument.write('');
+ }());
+ });
+ expect(['V', 'CSP-script-src-elem']).toContain(result);
+ });
+
 it('should fail to use atob of an object through onload as html', async function () {
 const result = await browser.executeAsync(function(done) {
 top.bypass = (wins) => top.TEST_UTILS.bypass(wins, done);
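Review bot: The two added `it(...)` cases are identical apart from their titles as shown here: both call `f.contentDocument.write('')`, so what separates "multiple args" from "multiple calls" cannot be checked from this hunk, and the string payload appears to have been lost from the page. If the payloads split one piece of markup across arguments and across calls respectively, a comment above each write would make that intent explicit, for example `// markup is split so that no single write() argument/call holds a complete tag`. Both cases are skipped on Firefox, so a regression in the protection there would go unnoticed; `// requires a fix #58` could be worded as `// TODO: remove this skip once #58 is fixed` so the skip is dropped together with that fix. The enclosing `describe` block starts and ends outside the hunk.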