| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
| <script> |
| if (window.testRunner) |
| testRunner.setXSSAuditorEnabled(true); |
| |
| description('Check that an X-XSS-Protection header added by a 304 response does not override one from the original request.'); |
| debug('Two console messages should be generated, noting that JavaScript was blocked.'); |
| window.jsTestIsAsync = true; |
| |
| var frame1, frame2; |
| function frameLoaded() { |
| frame1 = document.querySelector('iframe'); |
| |
| frame2 = document.createElement('iframe'); |
| document.body.appendChild(frame2); |
| frame2.onload = checkState; |
| |
| frame2.src = frame1.src; |
| } |
| |
| function checkState() { |
| debug('Check that the nonce is the same, meaning that the document was only generated once:'); |
| |
| shouldBeTrue('frame1.contentDocument.querySelector("input").value == frame2.contentDocument.querySelector("input").value'); |
| finishJSTest(); |
| } |
| </script> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </head> |
| <body> |
| <iframe src="http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e" onload="frameLoaded()"></iframe> |
| </body> |
| </html> |
