| <html> |
| <body> |
| <p>Frame on a foreign domain (opened using window.open).</p> |
| <iframe id="aFrame"></iframe> |
| <script> |
| var url = "data:text/html,<html>" |
| + "<body>" |
| + "<p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access" |
| + " the main frame. It should not have access to it.</p>" |
| + "<pre id='console'></pre>" |
| + "<scr" + "ipt>" |
| + "try {" |
| + "parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';" |
| + "alert('FAIL: No exception thrown.');" |
| + "} catch (e) {" |
| + "alert('PASS: Exception thrown successfully.');" |
| + "}" |
| + "</scri" + "pt>" |
| + "<iframe id='flag'></iframe>" |
| + "</body>" |
| + "</html>"; |
| |
| var frame = document.getElementById('aFrame'); |
| frame.src = url; |
| </script> |
| </body> |
| </html> |
