blob: 79edaa5856c5fc927f90d60782b04d96b2b79424 [file] [log] [blame]
<!-- webkit-test-runner [ UsesBackForwardCache=true JavaScriptCanOpenWindowsAutomatically=true ] -->
<!DOCTYPE html>
<html>
<head>
<script>
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
</script>
</head>
<body>
<p id="description">This tests that a &lt;script&gt; added to an inactive document window does not execute. The test FAILED if you see &quot;XSS&quot; on this page. Popup blocking must be disabled to run this test by hand.</p>
<script>
var firstOpenerWindow;
var firstOpenerDocument;
var secondOpenerDocument;
var intervalId;
var ACTUALLY_ACTUALLY_ATTACK_URL = "?actually-actually-attack";
if (!window.location.search) {
// Initial load
window.open('?actually-attack');
} else if (window.location.search.indexOf("?actually-attack") !== -1) {
// New window
firstOpenerWindow = window.opener;
firstOpenerDocument = firstOpenerWindow.document;
// Reload ourself
firstOpenerWindow.location.href = ACTUALLY_ACTUALLY_ATTACK_URL;
function checkDidLoad()
{
if (window.opener.location.search.indexOf(ACTUALLY_ACTUALLY_ATTACK_URL) == -1)
return;
// Loaded frame.
window.clearInterval(intervalId);
// Update descriptive text
document.getElementById("description").textContent = 'Check the original window. The test FAILED if you see "XSS" on the page. Otherwise, it PASSED.';
// window.opener.document is in the page cache, has no opener, and has never called
// window.open().
secondOpenerDocument = window.opener.document;
// Navigate same frame to victim.
var link = secondOpenerDocument.createElement("a");
link.href = "http://localhost:8000/security/resources/innocent-victim.html";
link.click();
intervalId = window.setInterval(checkDidLoadVictim, 100);
}
intervalId = window.setInterval(checkDidLoad, 100);
}
function checkDidLoadVictim()
{
if (secondOpenerDocument.location.href == "about:blank") {
// Victim loaded.
window.clearInterval(intervalId);
// Run code in victim.
var scriptToRunInVictim = secondOpenerDocument.createElement("script");
scriptToRunInVictim.textContent = "document.writeln('XSS')";
secondOpenerDocument.body.appendChild(scriptToRunInVictim);
if (window.testRunner)
window.setTimeout(function () { window.testRunner.notifyDone(); }, 500);
}
}
</script>
</body>
</html>