3 <script src="../resources/libwrapjs.js"></script>
4 <script src="../resources/cross-frame-access.js"></script>
// Entry point of this security regression test: builds a script payload as text,
// has the first iframe open a new window, then navigates that iframe to the
// victim page.
// NOTE(review): this listing omits some original lines (the gutter numbers skip),
// including this handler's braces; the comments describe only the visible lines.
9 window.onload = function()
// Harness setup, applied only when the page runs under testRunner.
11 if (window.testRunner) {
12 testRunner.waitUntilDone();
13 testRunner.setCanOpenWindows();
14 testRunner.dumpAsText();
15 testRunner.dumpChildFramesAsText();
// Outcome texts: which one ends up in a frame tells the reader whether the
// cross-origin write was blocked.
18 var message_fail = 'FAIL: XSS was allowed.';
19 var message_success = 'SUCCESS: Window remained in original SecurityOrigin.';
// Source text of a helper that overwrites target.document.body.innerHTML.
21 var write_func = 'function write(target, message) { target.document.body.innerHTML = message; }';
// Access under test: after 100 ms, write the FAIL text into window.opener.
// The test expects the browser to refuse this write.
23 var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_fail) + ');';
24 var attack = 'setTimeout(function() {' + try_attack + '}, 100);';
// Control: after 200 ms, write the SUCCESS text into the opener's top.frames[1],
// which looks like the second iframe of this page. Presumably that frame is
// still same-origin with the opened window (confirm).
26 var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_string(message_success) + ');';
27 var control = 'setTimeout(function() {' + try_control + '}, 200);';
// Completion signal: after 300 ms, post 'done' to the top window. The '*'
// target origin places no restriction on which origin may receive it.
29 var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'done\', \'*\'); }, 300);';
// The opened window assigns the wrapped script to its own window.location.
// in_javascript_document() comes from libwrapjs.js (not shown); presumably it
// wraps the script as a javascript: URL document - TODO confirm.
31 var payload = 'window.location = ' + libwrapjs.in_javascript_document(write_func + attack + control + sigDone);
// `code` is assigned without var, so it is an implicit global; line 46 reads it.
32 code = libwrapjs.in_script_tag(payload);
33 log("Code injected into window:");
// frames[0] appears to be the targetFrame iframe (open-window.html). It opens
// the window and exposes the handle, kept here in another implicit global.
36 frames[0].openWindow();
37 openedWindow = frames[0].openedWindow;
// Register runTest for targetFrame's next load, then start the navigation to
// the victim page.
// NOTE(review): localhost:8000 is presumably a different origin from the one
// serving this page; the test relies on that - confirm.
39 document.getElementById('targetFrame').onload = runTest;
40 frames[0].location = 'http://localhost:8000/security/resources/innocent-victim.html';
// NOTE(review): presumably the body of runTest, which line 39 installs as
// targetFrame's onload; its `function` line and braces are not in this listing.
// Any message event ends the test: the handler inspects neither event.origin
// nor event.data before calling closeWindowAndNotifyDone (defined outside this
// listing). That is tolerable in a test harness; a production listener should
// validate both.
45 window.addEventListener('message', function () { closeWindowAndNotifyDone(openedWindow); });
// Write the prepared markup into the opened window, then close the document
// stream so the written content is parsed.
46 openedWindow.document.write(code);
47 openedWindow.document.close();
52 <div>This page opens a window to "", injects malicious code, and
53 then navigates its opener to the victim. The opened window then tries to
54 script its opener after reloading itself as a <code>javascript</code>
56 <pre id="console"></pre>
57 <iframe id="targetFrame" style="border: solid 3px red;" src="../resources/open-window.html"></iframe>
58 <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"></iframe>