| <html> |
| <head> |
| <script src="../resources/libwrapjs.js"></script> |
| <script src="../resources/cross-frame-access.js"></script> |
| <script> |
| var code; |
| var openedWindow; |
| |
| window.onload = function() |
| { |
| if (window.testRunner) { |
| testRunner.waitUntilDone(); |
| testRunner.setCanOpenWindows(); |
| testRunner.dumpAsText(); |
| testRunner.dumpChildFrames(); |
| } |
| |
| var message_fail = 'FAIL: XSS was allowed.'; |
| var message_success = 'SUCCESS: Window remained in original SecurityOrigin.'; |
| |
| var write_func = 'function write(target, message) { target.document.body.innerHTML = message; }'; |
| |
| var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_fail) + ');'; |
| var attack = 'setTimeout(function() {' + try_attack + '}, 100);'; |
| |
| var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_string(message_success) + ');'; |
| var control = 'setTimeout(function() {' + try_control + '}, 200);'; |
| |
| var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'done\', \'*\'); }, 300);'; |
| |
| var payload = 'document.write(' + libwrapjs.in_string(libwrapjs.in_script_tag(write_func + attack + control + sigDone)) + ');'; |
| code = libwrapjs.in_script_tag(payload); |
| log("Code injected into window:"); |
| log(code); |
| |
| frames[0].openWindow(); |
| openedWindow = frames[0].openedWindow; |
| |
| document.getElementById('targetFrame').onload = runTest; |
| frames[0].location = 'http://localhost:8000/security/resources/innocent-victim.html'; |
| } |
| |
| runTest = function() |
| { |
| window.addEventListener('message', function () { closeWindowAndNotifyDone(openedWindow); }); |
| openedWindow.document.write(code); |
| openedWindow.document.close(); |
| } |
| </script> |
| </head> |
| <body> |
| <div>This page opens a window to "", injects malicious code, and |
| then navigates its opener to the victim. The opened window then tries to |
| scripts its opener after <code>document.write</code>ing a new document.</div> |
| <pre id="console"></pre> |
| <iframe id="targetFrame" style="border: solid 3px red;" src="../resources/open-window.html"></iframe> |
| <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"></iframe> |
| </body> |
| </html> |