| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/js-test-resources/js-test.js"></script> |
| </head> |
| <body> |
| <iframe src="http://localhost:8080/security/resources/innocent-victim.html"></iframe> |
| <script> |
| window.jsTestIsAsync = true; |
| description("Certain window properties are readable cross-origin, but ought not be writable."); |
| |
| var iWindow; |
| window.onload = function () { |
| iWindow = document.querySelector('iframe').contentWindow; |
| |
| var ex = '"SecurityError: Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a cross-origin frame."'; |
| |
| // 'DoNotCheckSecurity' methods. |
| var DoNotCheckSecurityMethods = [ |
| 'focus', |
| 'blur', |
| 'close', |
| 'postMessage', |
| 'toString' |
| ]; |
| for (var i = 0; i < DoNotCheckSecurityMethods.length; i++) { |
| shouldThrow('iWindow.' + DoNotCheckSecurityMethods[i] + ' = function () {};', ex); |
| } |
| |
| // 'Replacable' properties (not an exhaustive list). |
| var ReplaceableProperties = [ |
| 'clientInformation', |
| 'devicePixelRatio', |
| 'event', |
| 'frames', |
| 'history', |
| 'innerHeight', |
| 'innerWidth', |
| 'length', |
| 'locationbar', |
| 'menubar', |
| 'navigator', |
| 'offscreenBuffering', |
| 'opener', |
| 'outerHeight', |
| 'outerWidth', |
| 'parent', |
| 'personalbar', |
| 'screen', |
| 'screenLeft', |
| 'screenTop', |
| 'screenX', |
| 'screenY', |
| 'scrollX', |
| 'scrollY', |
| 'scrollbars', |
| 'self', |
| 'statusbar', |
| 'toolbar' |
| ]; |
| for (var i = 0; i < ReplaceableProperties.length; i++) { |
| shouldThrow('iWindow.' + ReplaceableProperties[i] + ' = 1;'); |
| } |
| |
| finishJSTest(); |
| }; |
| </script> |
| </body> |
| </html> |