blob: 158517e536b22c26e0c0de66c00a81f3b080ebb3 [file] [log] [blame]
<?xml-stylesheet type="text/xsl" href="xss-DENIED-xsl-document-securityOrigin.xml"?>
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<head>
<script>
<![CDATA[
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
window.onload = function()
{
if (!opener) {
victim = document.body.appendChild(document.createElement("iframe"));
wnd = victim.contentWindow.open();
victim.src = "http://localhost:8080/security/resources/innocent-victim.html";
victim.onload = function() { wnd.eval("location = '" + location + "'"); }
} else if (!location.href.includes("parent-document-open.html")) {
url = location.href;
var parentDocOpen = document.createElement("iframe");
parentDocOpen.src = "resources/parent-document-open.html";
document.body.append(parentDocOpen);
setTimeout(() => {
location = "javascript:(\"\x3C?xml-stylesheet type='text/xsl' href='" + url + "'?\x3E\x3Croot/\x3E\")";
}, 150);
} else {
try {
victim = opener;
open("javascript:void(0)", "_self");
if (victim.eval)
victim.eval("alert(document.body.innerHTML)");
} catch (e) {
console.log(e);
}
if (window.testRunner)
testRunner.notifyDone();
}
}
]]>
</script>
</head>
<body>
This test passes if it doesn't alert the contents of innocent-victim.html.
</body>
</html>
</xsl:template>
</xsl:stylesheet>