| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.waitUntilDone(); |
| } |
| </script> |
| <body> |
| This passes if it doesn't alert the contents of innocent-victim. |
| <script> |
| window.onload = function() |
| { |
| frame = document.body.appendChild(document.createElement("iframe")); |
| frame.src = "http://localhost:8080/security/resources/innocent-victim-with-iframe.html"; |
| frame.onload = function() { |
| frame.onload = null; |
| |
| frame.contentWindow[0].location = "data:text/html,<script>(" + function() { |
| try { |
| window.name = "valueOf"; |
| obj = window.open(); |
| obj.__proto__.__proto__ = parent; |
| alert(obj.valueOf.constructor("return document.body.innerHTML")()); |
| } catch(ex) { |
| console.log("Threw exception: " + ex) |
| } |
| if (window.testRunner) |
| testRunner.notifyDone(); |
| } + ")()</scr" + "ipt>"; |
| } |
| } |
| </script> |