LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html - WebKit - Git at Google

 <!-- webkit-test-runner [ enableBackForwardCache=true ] -->
 <!DOCTYPE html>
 <html>
 <head>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.setCanOpenWindows();
     testRunner.setPopupBlockingEnabled(false);
     testRunner.setCloseRemainingWindowsWhenComplete(true);
     testRunner.waitUntilDone();
 }
 </script>
 </head>
 <body>
 <p id="description">This tests that a &lt;script&gt; added to an inactive document window does not execute. The test FAILED if you see &quot;XSS&quot; on this page. Popup blocking must be disabled to run this test by hand.</p>
 <script>
 // Idea: Open a new window and have it navigate its opener to the victim site while holding a reference to the opener document.
 var openerDocument;
 var intervalId;
 if (document.location.search.indexOf("?actually-attack") !== -1) {
     document.getElementById("description").textContent = 'Check the original window. The test FAILED if you see "XSS" on the page. Otherwise, it PASSED.';

     // Case: New window
     openerDocument = window.opener.document;

     // Navigate same frame to victim.
     var link = openerDocument.createElement("a");
     link.target = "_self";
     link.href = "http://localhost:8000/security/resources/innocent-victim.html";
     link.click();

     intervalId = window.setInterval(checkDidLoadVictim, 100);
 } else {
     // Case: Initial load
     var link = document.createElement("a");
     link.target = "_blank";
     link.rel = "opener";
     link.href = "?actually-attack";
     link.click(); // Open a new window.
 }

 function checkDidLoadVictim()
 {
     if (openerDocument.location.href == "about:blank") {
         // Victim loaded.
         window.clearInterval(intervalId);

         // Run code in victim.
         var scriptToRunInVictim = openerDocument.createElement("script");
         scriptToRunInVictim.textContent = "document.writeln('XSS')";
         openerDocument.body.appendChild(scriptToRunInVictim);
         if (window.testRunner)
             window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
     }
 }
 </script>
 </body>
 </html>
	<!-- webkit-test-runner [ enableBackForwardCache=true ] -->
	<!DOCTYPE html>
	<html>
	<head>
	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.setCanOpenWindows();
	testRunner.setPopupBlockingEnabled(false);
	testRunner.setCloseRemainingWindowsWhenComplete(true);
	testRunner.waitUntilDone();
	}
	</script>
	</head>
	<body>
	<p id="description">This tests that a <script> added to an inactive document window does not execute. The test FAILED if you see "XSS" on this page. Popup blocking must be disabled to run this test by hand.</p>
	<script>
	// Idea: Open a new window and have it navigate its opener to the victim site while holding a reference to the opener document.
	var openerDocument;
	var intervalId;
	if (document.location.search.indexOf("?actually-attack") !== -1) {
	document.getElementById("description").textContent = 'Check the original window. The test FAILED if you see "XSS" on the page. Otherwise, it PASSED.';

	// Case: New window
	openerDocument = window.opener.document;

	// Navigate same frame to victim.
	var link = openerDocument.createElement("a");
	link.target = "_self";
	link.href = "http://localhost:8000/security/resources/innocent-victim.html";
	link.click();

	intervalId = window.setInterval(checkDidLoadVictim, 100);
	} else {
	// Case: Initial load
	var link = document.createElement("a");
	link.target = "_blank";
	link.rel = "opener";
	link.href = "?actually-attack";
	link.click(); // Open a new window.
	}

	function checkDidLoadVictim()
	{
	if (openerDocument.location.href == "about:blank") {
	// Victim loaded.
	window.clearInterval(intervalId);

	// Run code in victim.
	var scriptToRunInVictim = openerDocument.createElement("script");
	scriptToRunInVictim.textContent = "document.writeln('XSS')";
	openerDocument.body.appendChild(scriptToRunInVictim);
	if (window.testRunner)
	window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
	}
	}
	</script>
	</body>
	</html>