LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html

<html>
<head>
<script src="../resources/libwrapjs.js"></script>
<script src="../resources/cross-frame-access.js"></script>
<script>
    var code;
    var openedWindow;

    window.onload = function()
    {
        if (window.testRunner) {
            testRunner.waitUntilDone();
            testRunner.dumpAsText();
            testRunner.dumpChildFramesAsText();
        }

        var message_fail = 'FAIL: XSS was allowed.';
        var message_success = 'SUCCESS: Window remained in original SecurityOrigin.';

        var write_func = 'function write(target, message) { target.document.body.innerHTML = message; }';

        var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_fail) + ');';
        var attack = 'setTimeout(function() {' + try_attack + '}, 100);';

        var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_string(message_success) + ');';
        var control = 'setTimeout(function() {' + try_control + '}, 200);';

        var sigDone = 'setTimeout(function() { if (window.testRunner) testRunner.globalFlag = true; }, 300);';

        var payload = 'window.location = ' + libwrapjs.in_javascript_document(write_func + attack + control + sigDone);
        code = libwrapjs.in_script_tag(payload);
        log("Code injected into window:");
        log(code);

        if (window.testRunner) {
            setTimeout(pollForTest1, 1);
        } else {
            log("To run the test, click the button below when the frames finish loading.");
            var button = document.createElement("button");
            button.appendChild(document.createTextNode("Run Test"));
            button.onclick = runTest;
            document.body.appendChild(button);
        }
    }
    
    pollForTest1 = function()
    {
        if (!testRunner.globalFlag) {
            setTimeout(pollForTest1, 1);
            return;
        }
        runTest1();
    }

    runTest1 = function() {
        frames[0].openWindow();
        openedWindow = frames[0].openedWindow;

        if (window.testRunner)
            testRunner.globalFlag = false;

        frames[0].location = 'http://localhost:8000/security/resources/innocent-victim-with-notify.html';

        setTimeout(pollForTest2, 1);
    }

    pollForTest2 = function()
    {
        if (!testRunner.globalFlag) {
            setTimeout(pollForTest2, 1);
            return;
        }
        runTest2();
    }

    runTest2 = function()
    {
        openedWindow.document.write(code);
        openedWindow.document.close();
        if (window.testRunner) {
            testRunner.globalFlag = false;
            setTimeout(pollForDone, 1);
        }
    }

    pollForDone = function()
    {
        if (!testRunner.globalFlag) {
            setTimeout(pollForDone, 1);
            return;
        }
        closeWindowAndNotifyDone(openedWindow);
    }
</script>
</head>
<body>
<div>This page opens a window to &quot;&quot;, injects malicious code, and
then navigates its opener to the victim.  The opened window then tries to
scripts its opener after reloading itself as a <code>javascript</code>
URL.</div>
<pre id="console"></pre>
<iframe style="border: solid 3px red;" src="../resources/open-window.html"></iframe>
<iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"></iframe>
</body>
</html>