blob: c0b698db69d3e28849952a39b25e0b09c706a32b [file] [log] [blame]
CONSOLE MESSAGE: line 55: SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 1: SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
This page opens a window to "", injects malicious code, and then uses window.open.call to set its opener to the victim. The opened window then tries to scripts its opener.
Code injected into window:
<script>function write(target, message) { target.document.body.innerHTML = message; }
setTimeout(function() {write(window.opener.top.frames[0], 'FAIL: XSS was allowed.');}, 100);
setTimeout(function() {write(window.opener.top.frames[1], 'SUCCESS: Window remained in original SecurityOrigin.');}, 200);
setTimeout(function() { if (window.testRunner) testRunner.globalFlag = true; }, 300);</script>
--------
Frame: '<!--frame1-->'
--------
This page doesn't do anything special.
--------
Frame: '<!--frame2-->'
--------
SUCCESS: Window remained in original SecurityOrigin.