3 <script src="resources/cross-frame-access.js"></script>
// Property-name lists that drive the descriptor checks made against the framed window.
// NOTE(review): the embedded line numbers skip, so only part of each list is visible
// in this listing; the closing brackets are among the lines not shown.

// Constructor names: the test body expects canGetDescriptor(targetWindow, name)
// to be false for every entry.
5 var windowConstructorPropertiesNotAllowed = [
11 "CSSStyleDeclaration",
35 "HTMLDirectoryElement",
39 "HTMLFieldSetElement",
43 "HTMLFrameSetElement",
63 "HTMLOptGroupElement",
65 "HTMLParagraphElement",
73 "HTMLTableCaptionElement",
74 "HTMLTableCellElement",
75 "HTMLTableColElement",
77 "HTMLTableRowElement",
78 "HTMLTableSectionElement",
79 "HTMLTextAreaElement",
89 "ProcessingInstruction",
// Function names on the framed window: also expected to yield no descriptor.
105 var windowFunctionPropertiesNotAllowed = [
116 "getMatchedCSSRules",
124 "removeEventListener",
// Attribute names on the framed window that are expected to yield no descriptor.
// The test body logs an extra note when it reaches the "document" entry.
139 var windowAttributesPropertiesNotAllowed = [
158 "offscreenBuffering",
// Attribute names for which the test body expects canGetDescriptor to be true,
// i.e. the members that remain reachable on the framed window (entries not shown here).
205 var windowAttributesPropertiesAllowed = [
// Load handler: sets up either an automated run (when a testRunner object is present)
// or a manual run started from a button.
// NOTE(review): braces and the `else` line are not visible in this listing.
216 window.onload = function()
// Automated mode: request text output and keep the test open until notifyDone is called.
218 if (window.testRunner) {
219 testRunner.dumpAsText();
220 testRunner.waitUntilDone();
// Automated mode: start polling; pollForTest re-schedules itself while globalFlag is unset.
223 if (window.testRunner) {
224 setTimeout(pollForTest, 1);
// Manual mode (presumably the else-branch): tell the user to wait for the framed page,
// then add a "Run Test" button whose click handler is runTest.
226 log("To run the test, click the button below when the opened window finishes loading.");
227 var button = document.createElement("button");
228 button.appendChild(document.createTextNode("Run Test"));
229 button.onclick = runTest;
230 document.body.appendChild(button);
// Polls testRunner.globalFlag and finishes the automated run once it is set.
// The name is assigned without a declaration keyword on this line.
// NOTE(review): globalFlag is presumably set by the framed page once it has loaded - confirm
// against the iframe resource.
234 pollForTest = function()
// Flag not set yet: try again in 1 ms.
236 if (!testRunner.globalFlag) {
237 setTimeout(pollForTest, 1);
// NOTE(review): the lines between the retry and notifyDone are not shown in this listing;
// presumably the checks run there before the harness is told the test is complete.
241 testRunner.notifyDone();
// Checks which properties of the framed window, its location and its history can be
// reached from this page. The log strings call the target "cross domain".
// NOTE(review): the enclosing function header is not visible in this listing (presumably
// runTest, which the button handler refers to). canGetDescriptor, shouldBeFalse,
// shouldBeTrue, shouldThrowException and log are defined outside this listing; per the
// page description the access under test is getOwnPropertyDescriptor.
// The target is stored on window rather than in a local - presumably so the expression
// strings handed to the shouldBe* helpers can resolve it by name; confirm against the harness.
246 window.targetWindow = frames[0];
248 log("\n----- tests for getting of not allowed properties -----\n");
250 log("\n----- tests for getting of not allowed Constructors -----\n");
// Each expression string is built from a fixed list defined in this file, not from external input.
251 for (var i = 0; i < windowConstructorPropertiesNotAllowed.length; i++) {
252 var property = windowConstructorPropertiesNotAllowed[i];
253 shouldBeFalse("canGetDescriptor(targetWindow, '" + property + "')");
256 log("\n----- tests for getting of not allowed Functions -----\n");
257 for (var i = 0; i < windowFunctionPropertiesNotAllowed.length; i++) {
258 var property = windowFunctionPropertiesNotAllowed[i];
259 shouldBeFalse("canGetDescriptor(targetWindow, '" + property + "')");
262 log("\n----- tests for getting of not allowed Attributes -----\n");
263 for (var i = 0; i < windowAttributesPropertiesNotAllowed.length; i++) {
264 var property = windowAttributesPropertiesNotAllowed[i];
// The brace-less if covers only the log call; the shouldBeFalse check that follows
// still runs for every property, "document" included.
265 if (property == "document")
266 log("Firefox allows access to 'document' but throws an exception when you access its properties.");
267 shouldBeFalse("canGetDescriptor(targetWindow, '" + property + "')");
// Positive control: properties on the allowed list must still yield a descriptor.
269 for (var i = 0; i < windowAttributesPropertiesAllowed.length; i++) {
270 var property = windowAttributesPropertiesAllowed[i];
271 shouldBeTrue("canGetDescriptor(targetWindow, '" + property + "')");
273 log("----- tests access to cross domain location object -----");
// The framed window's location object, again stored on window.
274 window.targetLocation = targetWindow.location;
// Location members expected to yield no descriptor.
275 var locationProperties = [
276 "protocol", "host", "hostname", "port", "pathname", "search", "hash", "toString", "valueOf", "customProperty", "reload"
278 for (var i = 0; i < locationProperties.length; i++)
279 shouldBeFalse("canGetDescriptor(targetLocation, '" + locationProperties[i] + "')");
// Location members expected to stay reachable (entries not shown in this listing).
280 var locationPropertiesAllowed = [
283 for (var i = 0; i < locationPropertiesAllowed.length; i++)
284 shouldBeTrue("canGetDescriptor(targetLocation, '" + locationPropertiesAllowed[i] + "')");
286 log("----- tests access to cross domain history object -----");
// Reading history on the framed window is expected to throw.
287 shouldThrowException("targetWindow.history");
292 <p>This test checks cross-frame access security of getOwnPropertyDescriptor (https://bugs.webkit.org/show_bug.cgi?id=32119).</p>
293 <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html" style=""></iframe>
294 <pre id="console"></pre>