palemoon-dev/platform/js/xpconnect/tests/chrome/test_bug792280.xul

<?xml version="1.0"?>
<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=792280
-->
<window title="Mozilla Bug 792280"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>

  <!-- test results are displayed in the html:body -->
  <body xmlns="http://www.w3.org/1999/xhtml">
  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=792280"
     target="_blank">Mozilla Bug 792280</a>
  </body>

  <!-- test code goes here -->
  <script type="application/javascript">
  <![CDATA[
  /** Test for Bug 792280 **/
  const Cu = Components.utils;

  function checkSb(sb, expect) {
    var target = new Cu.Sandbox('http://www.example.com');
    Cu.evalInSandbox('function fun() { return arguments.callee.caller; };', target);
    sb.fun = target.fun;
    let allowed = false;
    try {
      allowed = Cu.evalInSandbox('function doTest() { return fun() == doTest; }; doTest()', sb);
      isnot(expect, "throw", "Should have thrown");
    } catch (e) {
      is(expect, "throw", "Should expect exception");
      ok(/denied|insecure/.test(e), "Should be a security exception: " + e);
    }
    is(allowed, expect == "allow", "should censor appropriately");
  }

  // Note that COWs are callable, but XOWs are not.
  checkSb(new Cu.Sandbox('http://www.example.com'), "allow");
  checkSb(new Cu.Sandbox('http://www.example.org'), "throw");
  checkSb(new Cu.Sandbox(window), "censor");

  ]]>
  </script>
</window>