LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window.html - WebKit - Git at Google

 <!-- webkit-test-runner [ enableBackForwardCache=true ] -->
 <!DOCTYPE html>
 <html>
 <body>
 <head>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.setCanOpenWindows();
     testRunner.setPopupBlockingEnabled(false);
     testRunner.setCloseRemainingWindowsWhenComplete(true);
     testRunner.waitUntilDone();
 }

 var intervalId;

 function checkDidLoadVictim()
 {
     // Document.defaultView becomes null when a Document no longer has a browsing context.
     if (!_openedWindowDocument.defaultView) {
         // Victim loaded; |_openedWindowDocument| is an inactive document.
         window.clearInterval(intervalId);

         // Run code in victim.
         var scriptToRunInVictim = _openedWindowDocument.createElement("script");
         scriptToRunInVictim.textContent = "alert('XSS')";
         _openedWindowDocument.body.appendChild(scriptToRunInVictim);
         if (window.testRunner)
             window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
     }
 }

 function attack()
 {
     var iframe = document.querySelector("iframe");
     iframe.contentWindow.openVictimInNewWindow();

     document.body.removeChild(iframe); // Clear _openedWindow.opener.
     document.getElementById("description").textContent = 'Check the child window. The test FAILED if you see a JavaScript alert() dialog. Otherwise, it PASSED.';

     intervalId = window.setInterval(checkDidLoadVictim, 100);
 }
 </script>
 </head>
 <p id="description">This tests that a &lt;script&gt; added to an inactive document window does not execute. The test FAILED if you see JavaScript alert() dialog. Otherwise, it PASSED. Popup blocking must be disabled to run this test by hand.</p>
 <iframe onload="attack()" srcdoc='
 <body>
 <script>
 function openVictimInNewWindow()
 {
     var childWindow = window.open("about:blank");
     var childWindowDocument = childWindow.document;
     window.parent._openedWindow = childWindow;
     window.parent._openedWindowDocument = childWindowDocument;

     var link = childWindowDocument.createElement("a");
     link.href = "http://localhost:8000/security/resources/innocent-victim.html";
     link.click(); // Navigate to victim
 }
 </script>
 </body>
 '></iframe>
 </body>
 </html>
	<!-- webkit-test-runner [ enableBackForwardCache=true ] -->
	<!DOCTYPE html>
	<html>
	<body>
	<head>
	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.setCanOpenWindows();
	testRunner.setPopupBlockingEnabled(false);
	testRunner.setCloseRemainingWindowsWhenComplete(true);
	testRunner.waitUntilDone();
	}

	var intervalId;

	function checkDidLoadVictim()
	{
	// Document.defaultView becomes null when a Document no longer has a browsing context.
	if (!_openedWindowDocument.defaultView) {
	// Victim loaded; \|_openedWindowDocument\| is an inactive document.
	window.clearInterval(intervalId);

	// Run code in victim.
	var scriptToRunInVictim = _openedWindowDocument.createElement("script");
	scriptToRunInVictim.textContent = "alert('XSS')";
	_openedWindowDocument.body.appendChild(scriptToRunInVictim);
	if (window.testRunner)
	window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
	}
	}

	function attack()
	{
	var iframe = document.querySelector("iframe");
	iframe.contentWindow.openVictimInNewWindow();

	document.body.removeChild(iframe); // Clear _openedWindow.opener.
	document.getElementById("description").textContent = 'Check the child window. The test FAILED if you see a JavaScript alert() dialog. Otherwise, it PASSED.';

	intervalId = window.setInterval(checkDidLoadVictim, 100);
	}
	</script>
	</head>
	<p id="description">This tests that a <script> added to an inactive document window does not execute. The test FAILED if you see JavaScript alert() dialog. Otherwise, it PASSED. Popup blocking must be disabled to run this test by hand.</p>
	<iframe onload="attack()" srcdoc='
	<body>
	<script>
	function openVictimInNewWindow()
	{
	var childWindow = window.open("about:blank");
	var childWindowDocument = childWindow.document;
	window.parent._openedWindow = childWindow;
	window.parent._openedWindowDocument = childWindowDocument;

	var link = childWindowDocument.createElement("a");
	link.href = "http://localhost:8000/security/resources/innocent-victim.html";
	link.click(); // Navigate to victim
	}
	</script>
	</body>
	'></iframe>
	</body>
	</html>