| <!-- webkit-test-runner [ UsesBackForwardCache=true JavaScriptCanOpenWindowsAutomatically=true ] --> |
| <!DOCTYPE html> |
| <html> |
| <head> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.waitUntilDone(); |
| } |
| </script> |
| </head> |
| <body> |
| <p id="description">This tests that a <script> added to an inactive document window does not execute. The test FAILED if you see "XSS" on this page. Popup blocking must be disabled to run this test by hand.</p> |
| <script> |
| var firstOpenerWindow; |
| var firstOpenerDocument; |
| var secondOpenerDocument; |
| var intervalId; |
| |
| var ACTUALLY_ACTUALLY_ATTACK_URL = "?actually-actually-attack"; |
| |
| if (!window.location.search) { |
| // Initial load |
| window.open('?actually-attack'); |
| } else if (window.location.search.indexOf("?actually-attack") !== -1) { |
| // New window |
| firstOpenerWindow = window.opener; |
| firstOpenerDocument = firstOpenerWindow.document; |
| |
| // Reload ourself |
| firstOpenerWindow.location.href = ACTUALLY_ACTUALLY_ATTACK_URL; |
| |
| function checkDidLoad() |
| { |
| if (window.opener.location.search.indexOf(ACTUALLY_ACTUALLY_ATTACK_URL) == -1) |
| return; |
| |
| // Loaded frame. |
| window.clearInterval(intervalId); |
| |
| // Update descriptive text |
| document.getElementById("description").textContent = 'Check the original window. The test FAILED if you see "XSS" on the page. Otherwise, it PASSED.'; |
| |
| // window.opener.document is in the page cache, has no opener, and has never called |
| // window.open(). |
| secondOpenerDocument = window.opener.document; |
| |
| // Navigate same frame to victim. |
| var link = secondOpenerDocument.createElement("a"); |
| link.href = "http://localhost:8000/security/resources/innocent-victim.html"; |
| link.click(); |
| |
| intervalId = window.setInterval(checkDidLoadVictim, 100); |
| } |
| intervalId = window.setInterval(checkDidLoad, 100); |
| } |
| |
| function checkDidLoadVictim() |
| { |
| if (secondOpenerDocument.location.href == "about:blank") { |
| // Victim loaded. |
| window.clearInterval(intervalId); |
| |
| // Run code in victim. |
| var scriptToRunInVictim = secondOpenerDocument.createElement("script"); |
| scriptToRunInVictim.textContent = "document.writeln('XSS')"; |
| secondOpenerDocument.body.appendChild(scriptToRunInVictim); |
| if (window.testRunner) |
| window.setTimeout(function () { window.testRunner.notifyDone(); }, 500); |
| } |
| } |
| </script> |
| </body> |
| </html> |