<!DOCTYPE html>
<html>
<head>
<script src="/js-test-resources/js-test-pre.js"></script>
<script>
// The XSS auditor is switched on only when the layout-test harness object
// (window.testRunner) is present; outside the harness this step is skipped and
// the browser's own default applies.
if (window.testRunner) {
    testRunner.setXSSAuditorEnabled(true);
}

// Expectation under test: the X-XSS-Protection policy delivered with the
// original response must stay in force when the same resource is later
// answered with a 304 that carries a different X-XSS-Protection header.
description('Check that an X-XSS-Protection header added by a 304 response does not override one from the original request.');
debug('Two console messages should be generated, noting that JavaScript was blocked.');

// The verdict is produced from an iframe load callback (checkState), so the
// test is flagged as asynchronous; presumably the harness then waits for
// finishJSTest() -- confirm against js-test-pre.js.
window.jsTestIsAsync = true;

// Deliberately global `var`s: checkState() hands shouldBeTrue() an expression
// string that refers to frame1 and frame2 by name.
var frame1;
var frame2;
/**
 * onload handler of the static iframe declared in <body>.
 *
 * Requests the same URL a second time in a freshly created iframe and hands
 * over to checkState() once that second load completes. Per the test
 * description, the second request is expected to be answered with a 304.
 */
function frameLoaded() {
    // Only the static iframe exists at this point, so the first match is it.
    frame1 = document.querySelector('iframe');

    var secondFrame = document.createElement('iframe');
    frame2 = secondFrame;
    document.body.appendChild(secondFrame);

    // The handler is attached only after insertion, so a load event dispatched
    // while the empty iframe is being inserted is not seen by checkState; it
    // runs for the navigation started by the src assignment below.
    secondFrame.onload = checkState;
    secondFrame.src = frame1.src;
}
/**
 * onload handler of the second iframe: compares both framed documents and
 * ends the test.
 */
function checkState() {
    debug('Check that the nonce is the same, meaning that the document was only generated once:');

    // Each framed document is expected to carry an <input> holding a nonce.
    // Equal values in both frames mean the second load reused the first
    // document instead of generating a new one, so the policy observed in
    // frame2 is the one under test. The check is passed as a string that
    // names the globals frame1 and frame2.
    var sameNonce = 'frame1.contentDocument.querySelector("input").value == frame2.contentDocument.querySelector("input").value';
    shouldBeTrue(sameNonce);

    finishJSTest();
}
</script>
<script src="/js-test-resources/js-test-post.js"></script>
</head>
<body>
<iframe src="http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e" onload="frameLoaded()"></iframe>
</body>
</html>