| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/resources/js-test-pre.js"></script> |
| <script> |
| if (window.testRunner) |
| testRunner.setXSSAuditorEnabled(true); |
| |
| window.jsTestIsAsync = true; |
| |
| function checkFrames() { |
| shouldBeNull('xssed.contentDocument'); |
| shouldBe('xssed.contentDocument', 'crossorigin.contentDocument'); |
| shouldThrowErrorName('xssed.contentWindow.location.href', 'SecurityError'); |
| shouldThrowErrorName('crossorigin.contentWindow.location.href', 'SecurityError'); |
| finishJSTest(); |
| } |
| |
| var xssed; |
| var crossorigin; |
| window.onload = function () { |
| xssed = document.getElementById('xssed'); |
| crossorigin = document.getElementById('crossorigin'); |
| xssed.onload = checkFrames; |
| xssed.src = 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/block-does-not-leak-location.html&enable-full-block=1&q=<script>alert(String.fromCharCode(0x58,0x53,0x53));<' + '/script>'; |
| }; |
| </script> |
| <script src='/resources/js-test-post.js'></script> |
| </head> |
| <body> |
| <iframe id='xssed'></iframe> |
| <iframe id='crossorigin' src='http://localhost:8000/security/resources/innocent-victim.html'></iframe> |
| </body> |
| </html> |
