blob: 037430a5ac24d608da8e62288c29e0d9351a524e [file] [log] [blame]
<!DOCTYPE html>
<html>
<head>
<script>
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.setCanOpenWindows();
testRunner.setPopupBlockingEnabled(false);
testRunner.setCloseRemainingWindowsWhenComplete(true);
testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
testRunner.waitUntilDone();
}
</script>
</head>
<body>
<p>This page opens an about:blank window and navigates it to a victim page such that the about:blank page
is put into the page cache. Once the victim page is loaded it tries to navigate to a <code>javascript</code>
URL. Ensure that popup-blocking is disabled when running this test by hand. This test PASSED if no JavaScript
alert dialogs are shown. Otherwise, it FAILED.</p>
<script>
function testClickAnchorElement(aDocument)
{
var link = aDocument.createElement("a");
link.href = "javascript:alert('FAIL clicked HTML anchor element.')";
link.click();
}
function testClickLinkElement(aDocument)
{
var link = aDocument.createElement("link");
link.href = "javascript:alert('FAIL clicked HTML link element.')";
link.click();
}
function testSubmitForm(aDocument)
{
var form = aDocument.createElement("form");
form.action = "javascript:alert('FAIL submitted form.')";
form.submit();
}
function createClickEvent(aDocument)
{
var mouseEventInitDict = {
bubbles: true,
cancelable: false,
view: aDocument.defaultView,
detail: 1,
screenX: 10,
screenY: 10,
clientX: 10,
clientY: 10,
ctrlKey: false,
shiftKey: false,
altKey: false,
metaKey: false,
button: 1,
relatedTarget: null
};
return new MouseEvent("click", mouseEventInitDict)
}
function testClickSVGAnchorElement(aDocument)
{
var link = aDocument.createElementNS("http://www.w3.org/2000/svg", "svg:a");
link.setAttributeNS("http://www.w3.org/1999/xlink", "xlink:href", "javascript:alert('FAIL clicked SVG anchor element.')");
link.dispatchEvent(createClickEvent(aDocument));
}
function testClickMathElement(aDocument)
{
var link = aDocument.createElementNS("http://www.w3.org/1998/Math/MathML", "math");
link.setAttribute("href", "javascript:alert('FAIL clicked Math element.')");
link.dispatchEvent(createClickEvent(aDocument));
}
function runTests()
{
var childWindow = window.open("about:blank", "one");
var childDocument = childWindow.document;
var link = childDocument.createElement("a");
link.href = "http://localhost:8000/security/resources/innocent-victim.html";
link.click(); // Navigate window; moves about:blank into the page cache.
function checkDidNavigate()
{
try {
childWindow.location.href.toString;
} catch (e) {
// Victim page did load.
clearInterval(intervalID);
testClickAnchorElement(childDocument);
testClickLinkElement(childDocument);
testClickSVGAnchorElement(childDocument);
testClickMathElement(childDocument);
testSubmitForm(childDocument);
if (window.testRunner)
testRunner.notifyDone();
}
}
var intervalID = window.setInterval(checkDidNavigate, 0);
}
runTests();
</script>
</body>
</html>