| <!-- webkit-test-runner [ enablePageCache=true ] --> |
| <!DOCTYPE html> |
| <html> |
| <body> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
| <div id="resultDiv"></div> |
| <script> |
| description("Tests that inserting a script into newly opened window does not bypass origin checks."); |
| debug("This test passes unless you see FAIL messages below"); |
| jsTestIsAsync = true; |
| if (window.testRunner) |
| testRunner.setCanOpenWindows(); |
| |
| window.onload = function() { |
| let win = open("about:blank", "one"); |
| let otherDocument = win.document; |
| win.resultDiv = document.getElementById("resultDiv"); |
| |
| let a = otherDocument.createElement("a"); |
| a.href = "http://localhost:8000/security/resources/blank.html"; |
| a.click(); |
| |
| window.addEventListener('message', function(e) { |
| testFailed("Script executed in cross origin iframe"); |
| testFailed("Retrieved cross-origin window's URL: " + e.data); |
| }); |
| |
| it = setInterval(function() { |
| try { |
| win.location.href; |
| } catch (e) { |
| // Window has navigated to cross origin URL. |
| clearInterval(it); |
| try { |
| var script = otherDocument.createElement("script"); |
| script.innerText = "opener.postMessage(location.href, '*');"; |
| otherDocument.body.append(script); |
| } catch (e) { |
| debug(e); |
| } |
| setTimeout(finishJSTest, 0); |
| } |
| }, 10); |
| } |
| </script> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </body> |
| </html> |