chromium/src/third_party/blink/web_tests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html - manifest_repos/chromium_src - Git at Google

 <html>
 <head>
     <script src="../resources/cross-frame-access.js"></script>
     <script>
         window.onload = function()
         {
             if (window.testRunner) {
                 testRunner.dumpAsText();
                 testRunner.dumpChildFrames();
                 testRunner.waitUntilDone();
             }

             window.addEventListener('message', function ()
             {
                 runTest();
                 testRunner.notifyDone();
             });
         }

         runTest = function()
         {
             try {
                 window[0][0].document.getElementById('accessMe').innerHTML = "FAIL: Cross frame access to a data: URL embed in a frame on a foreign domain allowed.";
                 log("FAIL: Cross frame access to a data: URL embed in a frame on a foreign domain allowed.");
                 return;
             } catch (e) {
             }
             log("PASS: Cross frame access to a data: URL embed in a frame on a foreign domain denied!");
         }
     </script>
 </head>
 <body>
     <p>The scenario for this test is that you have an iframe with content from a foreign domain.  In that foreign content
         is an iframe which loads a data: URL.  This tests that this main document does not have access to that
         data: URL loaded iframe.</p>
     <iframe src="http://localhost:8000/security/dataURL/resources/foreign-domain-data-url-accessee-iframe.html" style="width: 400px; height:200px;"></iframe>
     <pre id="console"></pre>
 </body>
 </html>
	<html>
	<head>
	<script src="../resources/cross-frame-access.js"></script>
	<script>
	window.onload = function()
	{
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.dumpChildFrames();
	testRunner.waitUntilDone();
	}

	window.addEventListener('message', function ()
	{
	runTest();
	testRunner.notifyDone();
	});
	}

	runTest = function()
	{
	try {
	window[0][0].document.getElementById('accessMe').innerHTML = "FAIL: Cross frame access to a data: URL embed in a frame on a foreign domain allowed.";
	log("FAIL: Cross frame access to a data: URL embed in a frame on a foreign domain allowed.");
	return;
	} catch (e) {
	}
	log("PASS: Cross frame access to a data: URL embed in a frame on a foreign domain denied!");
	}
	</script>
	</head>
	<body>
	<p>The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content
	is an iframe which loads a data: URL. This tests that this main document does not have access to that
	data: URL loaded iframe.</p>
	<iframe src="http://localhost:8000/security/dataURL/resources/foreign-domain-data-url-accessee-iframe.html" style="width: 400px; height:200px;"></iframe>
	<pre id="console"></pre>
	</body>
	</html>