LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml - WebKit - Git at Google

 <?xml-stylesheet type="text/xsl" href="xss-DENIED-xsl-document-securityOrigin.xml"?>
 <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/">
 <html>
 <head>
 <script>
 <![CDATA[
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.waitUntilDone();
  }

 window.onload = function()
 {
     if (!opener) {
         victim = document.body.appendChild(document.createElement("iframe"));
         wnd = victim.contentWindow.open();
         victim.src = "http://localhost:8080/security/resources/innocent-victim.html";
         victim.onload = function() { wnd.eval("location = '" + location + "'"); }
     } else if (!location.href.includes("parent-document-open.html")) {
         url = location.href;
         var parentDocOpen = document.createElement("iframe");
         parentDocOpen.src = "resources/parent-document-open.html";
         document.body.append(parentDocOpen);
         setTimeout(() => {
         location = "javascript:(\"\x3C?xml-stylesheet type='text/xsl' href='" + url + "'?\x3E\x3Croot/\x3E\")";
         }, 150);
     } else {
         try {
             victim = opener;
             open("javascript:void(0)", "_self");
             if (victim.eval)
                 victim.eval("alert(document.body.innerHTML)");
         } catch (e) {
              console.log(e);
         }

         if (window.testRunner)
             testRunner.notifyDone();
     }
 }
 ]]>
 </script>
 </head>
 <body>
 This test passes if it doesn't alert the contents of innocent-victim.html.
 </body>
 </html>
 </xsl:template>
 </xsl:stylesheet>
	<?xml-stylesheet type="text/xsl" href="xss-DENIED-xsl-document-securityOrigin.xml"?>
	<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
	<xsl:template match="/">
	<html>
	<head>
	<script>
	<![CDATA[
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.waitUntilDone();
	}

	window.onload = function()
	{
	if (!opener) {
	victim = document.body.appendChild(document.createElement("iframe"));
	wnd = victim.contentWindow.open();
	victim.src = "http://localhost:8080/security/resources/innocent-victim.html";
	victim.onload = function() { wnd.eval("location = '" + location + "'"); }
	} else if (!location.href.includes("parent-document-open.html")) {
	url = location.href;
	var parentDocOpen = document.createElement("iframe");
	parentDocOpen.src = "resources/parent-document-open.html";
	document.body.append(parentDocOpen);
	setTimeout(() => {
	location = "javascript:(\"\x3C?xml-stylesheet type='text/xsl' href='" + url + "'?\x3E\x3Croot/\x3E\")";
	}, 150);
	} else {
	try {
	victim = opener;
	open("javascript:void(0)", "_self");
	if (victim.eval)
	victim.eval("alert(document.body.innerHTML)");
	} catch (e) {
	console.log(e);
	}

	if (window.testRunner)
	testRunner.notifyDone();
	}
	}
	]]>
	</script>
	</head>
	<body>
	This test passes if it doesn't alert the contents of innocent-victim.html.
	</body>
	</html>
	</xsl:template>
	</xsl:stylesheet>