Tests for bugs 459906, 461743, 463205, and 464620 [r=dietrich]

browser/components/sessionstore/test/browser/Makefile.in

@@ -74,10 +74,23 @@ _BROWSER_TEST_FILES = \
 	browser_454908_sample.html \
 	browser_456342.js \
 	browser_456342_sample.xhtml \
+	browser_459906.js \
+	browser_459906_empty.html \
+	browser_459906_sample.html \
 	browser_461634.js \
+	browser_461743.js \
+	browser_461743_sample.html \
+	browser_463205.js \
+	browser_463205_helper.html \
+	browser_463205_sample.html \
 	browser_463206.js \
 	browser_463206_sample.html \
 	browser_464199.js \
+	browser_464620_a.html \
+	browser_464620_a.js \
+	browser_464620_b.html \
+	browser_464620_b.js \
+	browser_464620_xd.html \
 	browser_465215.js \
 	browser_465223.js \
 	browser_466937.js \

browser/components/sessionstore/test/browser/browser_459906.js

@@ -0,0 +1,89 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is sessionstore test code.
+ *
+ * The Initial Developer of the Original Code is
+ * Simon Bünzli <zeniko@gmail.com>.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+function test() {
+  /** Test for Bug 459906 **/
+  
+  waitForExplicitFinish();
+  
+  let testURL = "http://localhost:8888/browser/" +
+    "browser/components/sessionstore/test/browser/browser_459906_sample.html";
+  let uniqueValue = "<b>Unique:</b> " + Date.now();
+  
+  var frameCount = 0;
+  let tab = gBrowser.addTab(testURL);
+  tab.linkedBrowser.addEventListener("load", function(aEvent) {
+    // wait for all frames to load completely
+    if (frameCount++ < 2)
+      return;
+    this.removeEventListener("load", arguments.callee, true);
+    
+    let iframes = tab.linkedBrowser.contentWindow.frames;
+    iframes[1].document.body.innerHTML = uniqueValue;
+    
+    frameCount = 0;
+    let tab2 = gBrowser.duplicateTab(tab);
+    tab2.linkedBrowser.addEventListener("load", function(aEvent) {
+      // wait for all frames to load (and reload!) completely
+      if (frameCount++ < 2)
+        return;
+      
+      let maxWait = Date.now() + 1000;
+      executeSoon(function() {
+        let iframes = tab2.linkedBrowser.contentWindow.frames;
+        if (iframes[1].document.body.innerHTML != uniqueValue && Date.now() < maxWait) {
+          executeSoon(arguments.callee);
+          return;
+        }
+        is(iframes[1].document.body.innerHTML, uniqueValue,
+           "rich textarea's content correctly duplicated");
+        
+        let innerDomain = null;
+        try {
+          innerDomain = iframes[0].document.domain;
+        }
+        catch (ex) { /* throws for chrome: documents */ }
+        is(innerDomain, "localhost", "XSS exploit prevented!");
+        
+        // clean up
+        gBrowser.removeTab(tab2);
+        gBrowser.removeTab(tab);
+        
+        finish();
+      });
+    }, true);
+  }, true);
+}

browser/components/sessionstore/test/browser/browser_459906_empty.html

@@ -0,0 +1,3 @@
+<title>Cross Domain File for bug 459906</title>
+
+cheers from localhost

browser/components/sessionstore/test/browser/browser_459906_sample.html

@@ -0,0 +1,35 @@
+<!-- Testcase originally by David Bloom <bloom@google.com> -->
+
+<!DOCTYPE html>
+<title>Test for bug 459906</title>
+
+<body>
+<iframe src="data:text/html,not_on_localhost"></iframe>
+<iframe></iframe>
+
+<script type="application/javascript">
+  frames[0].addEventListener("DOMContentLoaded", function() {
+    frames[0].document.designMode = "on";
+    frames[0].document.__defineGetter__("designMode", function() {
+      // inject a cross domain file ...
+      var documentInjected = false;
+      document.getElementsByTagName("iframe")[0].onload =
+        function() { documentInjected = true; };
+      frames[0].location = "chrome://mochikit/content/browser/" +
+        "browser/components/sessionstore/test/browser/browser_459906_empty.html";
+      
+      // ... and ensure that it has time to load
+      for (var c = 0; !documentInjected && c < 20; c++) {
+        var r = new XMLHttpRequest();
+        r.open("GET", location.href, false);
+        r.overrideMimeType("text/plain");
+        r.send(null);
+      }
+      
+      return "on";
+    });
+    
+    frames[1].document.designMode = "on";
+  }, false);
+</script>
+</body>

browser/components/sessionstore/test/browser/browser_461743.js

@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is sessionstore test code.
+ *
+ * The Initial Developer of the Original Code is
+ * Simon Bünzli <zeniko@gmail.com>.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+function test() {
+  /** Test for Bug 461743 **/
+  
+  waitForExplicitFinish();
+  
+  let testURL = "http://localhost:8888/browser/" +
+    "browser/components/sessionstore/test/browser/browser_461743_sample.html";
+  
+  let tab = gBrowser.addTab(testURL);
+  tab.linkedBrowser.addEventListener("load", function(aEvent) {
+    this.removeEventListener("load", arguments.callee, true);
+    executeSoon(function() {
+      let tab2 = gBrowser.duplicateTab(tab);
+      tab2.linkedBrowser.addEventListener("461743", function(aEvent) {
+        is(aEvent.data, "done", "XSS injection was attempted");
+        
+        executeSoon(function() {
+          let iframes = tab2.linkedBrowser.contentWindow.frames;
+          let innerHTML = iframes[1].document.body.innerHTML;
+          isnot(innerHTML, Components.utils.reportError.toString(),
+                "chrome access denied!");
+          
+          // clean up
+          gBrowser.removeTab(tab2);
+          gBrowser.removeTab(tab);
+          
+          finish();
+        });
+      }, true, true);
+    });
+  }, true);
+}

browser/components/sessionstore/test/browser/browser_461743_sample.html

@@ -0,0 +1,43 @@
+<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
+
+<!DOCTYPE html>
+<title>Test for bug 461743</title>
+
+<body>
+<iframe src="data:text/html,empty"></iframe>
+<iframe></iframe>
+
+<script type="application/javascript">
+  var chromeUrl = "chrome://global/content/mozilla.xhtml";
+  var exploitUrl = "javascript:try { document.body.innerHTML = Components.utils.reportError; } catch (ex) { }";
+  
+  window.onload = function() {
+    var flip = 0;
+    MutationEvent.prototype.toString = function() {
+      return flip++ == 0 ? chromeUrl : exploitUrl;
+    };
+    
+    var href = Components.lookupMethod(frames[1].location, "href");
+    var loadChrome = { handleEvent: href };
+    var loadExploit = { handleEvent: href };
+    
+    function delay() {
+      var xhr = new XMLHttpRequest();
+      xhr.open("GET", location.href, false);
+      xhr.send(null);
+    }
+    function done() {
+      var event = document.createEvent("MessageEvent");
+      event.initMessageEvent("461743", true, false, "done", location.href, "", window);
+      document.dispatchEvent(event);
+    }
+    
+    frames[0].document.addEventListener("DOMNodeInserted", loadChrome, true);
+    frames[0].document.addEventListener("DOMNodeInserted", delay, true);
+    frames[0].document.addEventListener("DOMNodeInserted", loadExploit, true);
+    frames[0].document.addEventListener("DOMNodeInserted", done, true);
+    
+    frames[0].document.designMode = "on";
+  };
+</script>
+</body>

browser/components/sessionstore/test/browser/browser_463205.js

@@ -0,0 +1,88 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is sessionstore test code.
+ *
+ * The Initial Developer of the Original Code is
+ * Simon Bünzli <zeniko@gmail.com>.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+function test() {
+  /** Test for Bug 463205 **/
+  
+  waitForExplicitFinish();
+  
+  let testURL = "chrome://mochikit/content/browser/" +
+    "browser/components/sessionstore/test/browser/browser_463205_sample.html";
+  
+  var frameCount = 0;
+  let tab = gBrowser.addTab(testURL);
+  tab.linkedBrowser.addEventListener("load", function(aEvent) {
+    // wait for all frames to load completely
+    if (frameCount++ < 3)
+      return;
+    this.removeEventListener("load", arguments.callee, true);
+    
+    function typeText(aTextField, aValue) {
+      aTextField.value = aValue;
+      
+      let event = aTextField.ownerDocument.createEvent("UIEvents");
+      event.initUIEvent("input", true, true, aTextField.ownerDocument.defaultView, 0);
+      aTextField.dispatchEvent(event);
+    }
+    
+    let uniqueValue = "Unique: " + Math.random();
+    let win = tab.linkedBrowser.contentWindow;
+    typeText(win.frames[0].document.getElementById("original"), uniqueValue);
+    typeText(win.frames[1].document.getElementById("original"), uniqueValue);
+    
+    frameCount = 0;
+    let tab2 = gBrowser.duplicateTab(tab);
+    tab2.linkedBrowser.addEventListener("load", function(aEvent) {
+      // wait for all frames to load (and reload!) completely
+      if (frameCount++ < 4)
+        return;
+      
+      let win = tab2.linkedBrowser.contentWindow;
+      isnot(win.frames[0].document.getElementById("original").value, uniqueValue,
+            "subframes must match URL to get text restored");
+      is(win.frames[0].document.getElementById("original").value, "preserve me",
+         "subframes must match URL to get text restored");
+      is(win.frames[1].document.getElementById("original").value, uniqueValue,
+         "text still gets restored for all other subframes");
+      
+      // clean up
+      gBrowser.removeTab(tab2);
+      gBrowser.removeTab(tab);
+      
+      finish();
+    }, true);
+  }, true);
+}

browser/components/sessionstore/test/browser/browser_463205_helper.html

@@ -0,0 +1,4 @@
+<!DOCTYPE html>
+<title>Test for bug 463205 (cross domain)</title>
+
+<input id="original" value="preserve me">

browser/components/sessionstore/test/browser/browser_463205_sample.html

@@ -0,0 +1,25 @@
+<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
+
+<!DOCTYPE html>
+<title>Test for bug 463205</title>
+
+<body>
+<iframe src="data:text/html,<input%20id='original'>"></iframe>
+<iframe src="browser_463205_helper.html"></iframe>
+<iframe src="data:text/html,mark1"></iframe>
+
+<script type="application/javascript">
+  frames[2].addEventListener("DOMContentLoaded", function() {
+    frames[2].removeEventListener("DOMContentLoaded", arguments.callee, false);
+    
+    if (frames[2].document.location.href == "data:text/html,mark1") {
+      frames[2].document.location = "data:text/html,mark2";
+    }
+    else {
+      frames[1].document.location.hash = "#original";
+      frames[0].document.location = "http://localhost:8888/browser/" +
+        "browser/components/sessionstore/test/browser/browser_463205_helper.html";
+    }
+  }, false);
+</script>
+</body>

browser/components/sessionstore/test/browser/browser_464620_a.html

@@ -0,0 +1,53 @@
+<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
+
+<title>Test for bug 464620 (injection on input)</title>
+
+<iframe></iframe>
+<iframe onload="setup()"></iframe>
+
+<script>
+  var targetUrl = "http://localhost:8888/browser/" +
+    "browser/components/sessionstore/test/browser/browser_464620_xd.html";
+  var firstPass;
+  
+  function setup() {
+    if (firstPass !== undefined)
+      return;
+    firstPass = frames[1].location.href == "about:blank";
+    if (firstPass) {
+      frames[0].location = 'data:text/html,<body onload="if (parent.firstPass) parent.step();"><input id="x" oninput="parent.xss()">XXX</body>';
+    }
+    frames[1].location = targetUrl;
+  }
+  
+  function step() {
+    var x = frames[0].document.getElementById("x");
+    if (x.value == "")
+      x.value = "ready";
+    x.style.display = "none";
+    frames[0].document.designMode = "on";
+  }
+  
+  function xss() {
+    step();
+    
+    var documentInjected = false;
+    document.getElementsByTagName("iframe")[0].onload =
+      function() { documentInjected = true; };
+    frames[0].location = targetUrl;
+    
+    for (var c = 0; !documentInjected && c < 20; c++) {
+      var r = new XMLHttpRequest();
+      r.open("GET", location.href, false);
+      r.overrideMimeType("text/plain");
+      r.send(null);
+    }
+    document.getElementById("state").textContent = "done";
+    
+    var event = document.createEvent("MessageEvent");
+    event.initMessageEvent("464620_a", true, false, "done", location.href, "", window);
+    document.dispatchEvent(event);
+  }
+</script>
+
+<p id="state">pending</p>

browser/components/sessionstore/test/browser/browser_464620_a.js

@@ -0,0 +1,79 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is sessionstore test code.
+ *
+ * The Initial Developer of the Original Code is
+ * Simon Bünzli <zeniko@gmail.com>.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+function test() {
+  /** Test for Bug 464620 (injection on input) **/
+  
+  waitForExplicitFinish();
+  
+  let testURL = "http://localhost:8888/browser/" +
+    "browser/components/sessionstore/test/browser/browser_464620_a.html";
+  
+  var frameCount = 0;
+  let tab = gBrowser.addTab(testURL);
+  tab.linkedBrowser.addEventListener("load", function(aEvent) {
+    // wait for all frames to load completely
+    if (frameCount++ < 4)
+      return;
+    this.removeEventListener("load", arguments.callee, true);
+    
+    executeSoon(function() {
+      frameCount = 0;
+      let tab2 = gBrowser.duplicateTab(tab);
+      tab2.linkedBrowser.addEventListener("464620_a", function(aEvent) {
+        is(aEvent.data, "done", "XSS injection was attempted");
+        
+        // let form restoration complete and take into account the
+        // setTimeout(..., 0) in sss_restoreDocument_proxy
+        executeSoon(function() {
+          setTimeout(function() {
+            let win = tab2.linkedBrowser.contentWindow;
+            isnot(win.frames[0].document.location, testURL,
+                  "cross domain document was loaded");
+            ok(!/XXX/.test(win.frames[0].document.body.innerHTML),
+               "no content was injected");
+            
+            // clean up
+            gBrowser.removeTab(tab2);
+            gBrowser.removeTab(tab);
+            
+            finish();
+          }, 0);
+        });
+      }, true, true);
+    });
+  }, true);
+}

browser/components/sessionstore/test/browser/browser_464620_b.html

@@ -0,0 +1,57 @@
+<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
+
+<title>Test for bug 464620 (injection on DOM node insertion)</title>
+
+<iframe></iframe>
+<iframe></iframe>
+<iframe onload="setup()"></iframe>
+
+<script>
+  var targetUrl = "http://localhost:8888/browser/" +
+    "browser/components/sessionstore/test/browser/browser_464620_xd.html";
+  var firstPass;
+  
+  function setup() {
+    if (firstPass !== undefined)
+      return;
+    firstPass = frames[2].location.href == "about:blank";
+    if (firstPass) {
+      frames[0].location = 'data:text/html,<body onload="parent.step()">a</body>';
+      frames[1].location = 'data:text/html,<body onload="document.designMode=\'on\';">XXX</body>';
+    }
+    frames[2].location = targetUrl;
+  }
+  
+  function step() {
+    frames[0].document.designMode = "on";
+    if (firstPass)
+      return;
+    
+    var body = frames[0].document.body;
+    body.addEventListener("DOMNodeInserted", function() {
+      body.removeEventListener("DOMNodeInserted", arguments.callee, true);
+      xss();
+    }, true);
+  }
+  
+  function xss() {
+    var documentInjected = false;
+    document.getElementsByTagName("iframe")[1].onload =
+      function() { documentInjected = true; };
+    frames[1].location = targetUrl;
+    
+    for (var c = 0; !documentInjected && c < 20; c++) {
+      var r = new XMLHttpRequest();
+      r.open("GET", location.href, false);
+      r.overrideMimeType("text/plain");
+      r.send(null);
+    }
+    document.getElementById("state").textContent = "done";
+    
+    var event = document.createEvent("MessageEvent");
+    event.initMessageEvent("464620_b", true, false, "done", location.href, "", window);
+    document.dispatchEvent(event);
+  }
+</script>
+
+<p id="state">pending</p>

browser/components/sessionstore/test/browser/browser_464620_b.js

@@ -0,0 +1,79 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is sessionstore test code.
+ *
+ * The Initial Developer of the Original Code is
+ * Simon Bünzli <zeniko@gmail.com>.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+function test() {
+  /** Test for Bug 464620 (injection on DOM node insertion) **/
+  
+  waitForExplicitFinish();
+  
+  let testURL = "http://localhost:8888/browser/" +
+    "browser/components/sessionstore/test/browser/browser_464620_b.html";
+  
+  var frameCount = 0;
+  let tab = gBrowser.addTab(testURL);
+  tab.linkedBrowser.addEventListener("load", function(aEvent) {
+    // wait for all frames to load completely
+    if (frameCount++ < 6)
+      return;
+    this.removeEventListener("load", arguments.callee, true);
+    
+    executeSoon(function() {
+      frameCount = 0;
+      let tab2 = gBrowser.duplicateTab(tab);
+      tab2.linkedBrowser.addEventListener("464620_b", function(aEvent) {
+        is(aEvent.data, "done", "XSS injection was attempted");
+        
+        // let form restoration complete and take into account the
+        // setTimeout(..., 0) in sss_restoreDocument_proxy
+        executeSoon(function() {
+          setTimeout(function() {
+            let win = tab2.linkedBrowser.contentWindow;
+            isnot(win.frames[1].document.location, testURL,
+                  "cross domain document was loaded");
+            ok(!/XXX/.test(win.frames[1].document.body.innerHTML),
+               "no content was injected");
+            
+            // clean up
+            gBrowser.removeTab(tab2);
+            gBrowser.removeTab(tab);
+            
+            finish();
+          }, 0);
+        });
+      }, true, true);
+    });
+  }, true);
+}

browser/components/sessionstore/test/browser/browser_464620_xd.html

@@ -0,0 +1,5 @@
+<title>Cross Document File for bug 464620</title>
+
+<body onload="document.designMode='on';" bgcolor="red">
+  This document is editable.
+</body>