LayoutTests/http/tests/security/cross-origin-window-property-access.html - WebKit - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
 <script src="../../resources/js-test-pre.js"></script>
 </head>
 <body onload="runTest()">
 <iframe src="http://localhost:8000/security/resources/blank.html"></iframe>
 <script>
 description("Tests that using another window's property getter does not bypass cross-origin checks.");
 jsTestIsAsync = true;

 function shouldThrowOrReturnUndefined(expression)
 {
     try {
         result = eval(expression);
     } catch (e) {
         testPassed(expression + " threw exception " + e + ".");
         return;
     }
     if (result === undefined)
         testPassed(expression + " returned undefined.");
     else
         testFailed(expression + " returned " + result);
 }

 function runTest()
 {
     crossOriginWindow = frames[0];
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "document").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "name").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "menubar").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "scrollbars").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "navigator").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "screenX").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow.__proto__)');
     shouldThrowOrReturnUndefined('crossOriginWindow.constructor');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(crossOriginWindow.__proto__, "constructor").value');
     shouldBeTrue('Object.getOwnPropertyDescriptor(window, "location").get.call(crossOriginWindow) === crossOriginWindow.location');
     finishJSTest();
 }
 </script>
 </body>
 <script src="../../resources/js-test-post.js"></script>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<script src="../../resources/js-test-pre.js"></script>
	</head>
	<body onload="runTest()">
	<iframe src="http://localhost:8000/security/resources/blank.html"></iframe>
	<script>
	description("Tests that using another window's property getter does not bypass cross-origin checks.");
	jsTestIsAsync = true;

	function shouldThrowOrReturnUndefined(expression)
	{
	try {
	result = eval(expression);
	} catch (e) {
	testPassed(expression + " threw exception " + e + ".");
	return;
	}
	if (result === undefined)
	testPassed(expression + " returned undefined.");
	else
	testFailed(expression + " returned " + result);
	}

	function runTest()
	{
	crossOriginWindow = frames[0];
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "document").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "name").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "menubar").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "scrollbars").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "navigator").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "screenX").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow)');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow.__proto__)');
	shouldThrowOrReturnUndefined('crossOriginWindow.constructor');
	shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(crossOriginWindow.__proto__, "constructor").value');
	shouldBeTrue('Object.getOwnPropertyDescriptor(window, "location").get.call(crossOriginWindow) === crossOriginWindow.location');
	finishJSTest();
	}
	</script>
	</body>
	<script src="../../resources/js-test-post.js"></script>
	</html>