chromium/src/third_party/blink/web_tests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html - manifest_repos/chromium_src - Git at Google

 <html>
 <head>
 <script src="../resources/libwrapjs.js"></script>
 <script src="../resources/cross-frame-access.js"></script>
 <script>
     var code;
     var openedWindow;

     window.onload = function()
     {
         if (window.testRunner) {
             testRunner.waitUntilDone();
             testRunner.setCanOpenWindows();
             testRunner.dumpAsText();
             testRunner.dumpChildFrames();
         }

         var message_fail = 'FAIL: XSS was allowed.';
         var message_success = 'SUCCESS: Window remained in original SecurityOrigin.';

         var write_func = 'function write(target, message) { target.document.body.innerHTML = message; }';

         var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_fail) + ');';
         var attack = 'setTimeout(function() {' + try_attack + '}, 100);';

         var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_string(message_success) + ');';
         var control = 'setTimeout(function() {' + try_control + '}, 200);';

         var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'done\', \'*\'); }, 300);';

         var payload = 'window.location = ' + libwrapjs.in_javascript_document(write_func + attack + control + sigDone);
         code = libwrapjs.in_script_tag(payload);
         log("Code injected into window:");
         log(code);

         frames[0].openWindow();
         openedWindow = frames[0].openedWindow;

         document.getElementById('targetFrame').onload = runTest;
         frames[0].location = 'http://localhost:8000/security/resources/innocent-victim.html';
     }

     runTest = function()
     {
         window.addEventListener('message', function () { closeWindowAndNotifyDone(openedWindow); });
         openedWindow.document.write(code);
         openedWindow.document.close();
     }
 </script>
 </head>
 <body>
 <div>This page opens a window to &quot;&quot;, injects malicious code, and
 then navigates its opener to the victim.  The opened window then tries to
 scripts its opener after reloading itself as a <code>javascript</code>
 URL.</div>
 <pre id="console"></pre>
 <iframe id="targetFrame" style="border: solid 3px red;" src="../resources/open-window.html"></iframe>
 <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"></iframe>
 </body>
 </html>
	<html>
	<head>
	<script src="../resources/libwrapjs.js"></script>
	<script src="../resources/cross-frame-access.js"></script>
	<script>
	var code;
	var openedWindow;

	window.onload = function()
	{
	if (window.testRunner) {
	testRunner.waitUntilDone();
	testRunner.setCanOpenWindows();
	testRunner.dumpAsText();
	testRunner.dumpChildFrames();
	}

	var message_fail = 'FAIL: XSS was allowed.';
	var message_success = 'SUCCESS: Window remained in original SecurityOrigin.';

	var write_func = 'function write(target, message) { target.document.body.innerHTML = message; }';

	var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_fail) + ');';
	var attack = 'setTimeout(function() {' + try_attack + '}, 100);';

	var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_string(message_success) + ');';
	var control = 'setTimeout(function() {' + try_control + '}, 200);';

	var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'done\', \'*\'); }, 300);';

	var payload = 'window.location = ' + libwrapjs.in_javascript_document(write_func + attack + control + sigDone);
	code = libwrapjs.in_script_tag(payload);
	log("Code injected into window:");
	log(code);

	frames[0].openWindow();
	openedWindow = frames[0].openedWindow;

	document.getElementById('targetFrame').onload = runTest;
	frames[0].location = 'http://localhost:8000/security/resources/innocent-victim.html';
	}

	runTest = function()
	{
	window.addEventListener('message', function () { closeWindowAndNotifyDone(openedWindow); });
	openedWindow.document.write(code);
	openedWindow.document.close();
	}
	</script>
	</head>
	<body>
	<div>This page opens a window to "", injects malicious code, and
	then navigates its opener to the victim. The opened window then tries to
	scripts its opener after reloading itself as a <code>javascript</code>
	URL.</div>
	<pre id="console"></pre>
	<iframe id="targetFrame" style="border: solid 3px red;" src="../resources/open-window.html"></iframe>
	<iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"></iframe>
	</body>
	</html>