LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window3.html - WebKit - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.setCanOpenWindows();
     testRunner.setPopupBlockingEnabled(false);
     testRunner.setCloseRemainingWindowsWhenComplete(true);
     testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
     testRunner.waitUntilDone();
 }
 </script>
 </head>
 <body>
 <p id="description">This tests that a &lt;script&gt; added to an inactive document window does not execute. The test FAILED if you see &quot;XSS&quot; on this page. Popup blocking must be disabled to run this test by hand.</p>
 <script>
 var firstOpenerWindow;
 var firstOpenerDocument;
 var secondOpenerDocument;
 var intervalId;

 var ACTUALLY_ACTUALLY_ATTACK_URL = "?actually-actually-attack";

 if (!window.location.search) {
     // Initial load
     window.open('?actually-attack');
 } else if (window.location.search.indexOf("?actually-attack") !== -1) {
     // New window
     firstOpenerWindow = window.opener;
     firstOpenerDocument = firstOpenerWindow.document;

     // Reload ourself
     firstOpenerWindow.location.href = ACTUALLY_ACTUALLY_ATTACK_URL;

     function checkDidLoad()
     {
         if (window.opener.location.search.indexOf(ACTUALLY_ACTUALLY_ATTACK_URL) == -1)
             return;

         // Loaded frame.
         window.clearInterval(intervalId);

         // Update descriptive text
         document.getElementById("description").textContent = 'Check the original window. The test FAILED if you see "XSS" on the page. Otherwise, it PASSED.';

         // window.opener.document is in the page cache, has no opener, and has never called
         // window.open().
         secondOpenerDocument = window.opener.document;

         // Navigate same frame to victim.
         var link = secondOpenerDocument.createElement("a");
         link.href = "http://localhost:8000/security/resources/innocent-victim.html";
         link.click();

         intervalId = window.setInterval(checkDidLoadVictim, 100);
     }
     intervalId = window.setInterval(checkDidLoad, 100);
 }

 function checkDidLoadVictim()
 {
     if (secondOpenerDocument.location.href == "about:blank") {
         // Victim loaded.
         window.clearInterval(intervalId);

         // Run code in victim.
         var scriptToRunInVictim = secondOpenerDocument.createElement("script");
         scriptToRunInVictim.textContent = "document.writeln('XSS')";
         secondOpenerDocument.body.appendChild(scriptToRunInVictim);
         if (window.testRunner)
             window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
     }
 }
 </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.setCanOpenWindows();
	testRunner.setPopupBlockingEnabled(false);
	testRunner.setCloseRemainingWindowsWhenComplete(true);
	testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
	testRunner.waitUntilDone();
	}
	</script>
	</head>
	<body>
	<p id="description">This tests that a <script> added to an inactive document window does not execute. The test FAILED if you see "XSS" on this page. Popup blocking must be disabled to run this test by hand.</p>
	<script>
	var firstOpenerWindow;
	var firstOpenerDocument;
	var secondOpenerDocument;
	var intervalId;

	var ACTUALLY_ACTUALLY_ATTACK_URL = "?actually-actually-attack";

	if (!window.location.search) {
	// Initial load
	window.open('?actually-attack');
	} else if (window.location.search.indexOf("?actually-attack") !== -1) {
	// New window
	firstOpenerWindow = window.opener;
	firstOpenerDocument = firstOpenerWindow.document;

	// Reload ourself
	firstOpenerWindow.location.href = ACTUALLY_ACTUALLY_ATTACK_URL;

	function checkDidLoad()
	{
	if (window.opener.location.search.indexOf(ACTUALLY_ACTUALLY_ATTACK_URL) == -1)
	return;

	// Loaded frame.
	window.clearInterval(intervalId);

	// Update descriptive text
	document.getElementById("description").textContent = 'Check the original window. The test FAILED if you see "XSS" on the page. Otherwise, it PASSED.';

	// window.opener.document is in the page cache, has no opener, and has never called
	// window.open().
	secondOpenerDocument = window.opener.document;

	// Navigate same frame to victim.
	var link = secondOpenerDocument.createElement("a");
	link.href = "http://localhost:8000/security/resources/innocent-victim.html";
	link.click();

	intervalId = window.setInterval(checkDidLoadVictim, 100);
	}
	intervalId = window.setInterval(checkDidLoad, 100);
	}

	function checkDidLoadVictim()
	{
	if (secondOpenerDocument.location.href == "about:blank") {
	// Victim loaded.
	window.clearInterval(intervalId);

	// Run code in victim.
	var scriptToRunInVictim = secondOpenerDocument.createElement("script");
	scriptToRunInVictim.textContent = "document.writeln('XSS')";
	secondOpenerDocument.body.appendChild(scriptToRunInVictim);
	if (window.testRunner)
	window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
	}
	}
	</script>
	</body>
	</html>