4 window.onload = function()
6 if (window.testRunner) {
7 testRunner.dumpAsText();
10 function alertMsg(msg) {
11 return "javascript:alert(\"FAIL: " + msg +
12 "\");document.body.innerHTML=\"<p style='font-weight:bold;color:red'>Failure testing " + msg + "</p>\";//";
14 // Test different ways of setting iframe.src
16 // Attr/Node attributes
17 function(iFrame) { iFrame.attributes['src'].value = alertMsg("value"); iFrame.src = iFrame.src;},
18 function(iFrame) { iFrame.attributes['src'].textContent = alertMsg("textContent");},
19 function(iFrame) { iFrame.attributes['src'].nodeValue = alertMsg("nodeValue");},
21 // Text Node Manipulation
22 function(iFrame) { iFrame.attributes['src'].firstChild.replaceWholeText(alertMsg("nodeValue"));},
23 function(iFrame) { iFrame.attributes['src'].firstChild.data = alertMsg("nodeValue");},
25 // Node attribute manipulation functions
26 function(iFrame) { iFrame.setAttribute("src", alertMsg("setAttribute"));},
27 function(iFrame) { iFrame.setAttributeNS(null, "src", alertMsg("setAttributeNS"));},
29 var a = document.createAttribute('src');
30 a.nodeValue = alertMsg("setAttributeNode");
31 iFrame.setAttributeNode(a);
33 // Child manipulation methods
35 var src = iFrame.attributes['src'];
36 src.appendChild(document.createTextNode(alertMsg("appendChild() + removeChild()")));
37 src.removeChild(src.firstChild);
40 var src = iFrame.attributes['src'];
41 src.replaceChild(document.createTextNode(alertMsg("replaceChild()")), src.firstChild);
44 var src = iFrame.attributes['src'];
45 while (src.firstChild)
46 src.removeChild(src.firstChild);
47 src.appendChild(document.createTextNode(alertMsg("removeChild() + appendChild()")));
50 var src = iFrame.attributes['src'];
51 while (src.firstChild)
52 src.removeChild(src.firstChild);
53 var msg = alertMsg("removeChild() + appendChild() + appendChild()");
54 src.appendChild(document.createTextNode(msg.slice(0,4)));
55 src.appendChild(document.createTextNode(msg.slice(4)));
58 var src = iFrame.attributes['src'];
59 src.insertBefore(document.createTextNode(alertMsg("insertBefore()")), src.firstChild);
63 var a = document.createAttribute('src');
64 a.nodeValue = alertMsg("setNamedItem()");
65 iFrame.attributes.setNamedItem(a);
68 var a = document.createAttribute('src');
69 a.nodeValue = alertMsg("setNamedItemNS()");
70 iFrame.attributes.setNamedItemNS(a);
74 function makeOnloadHandler (idx, tgtFrame) {
76 tgtFrame.onload = null;
78 aliasTests[idx](tgtFrame);
83 for (var i = 0; i < aliasTests.length; i++) {
84 aFrame = document.createElement('iframe');
85 aFrame.src = 'http://localhost:8080/security/resources/innocent-victim.html';
86 aFrame.onload = makeOnloadHandler(i, aFrame);
89 document.body.appendChild(aFrame);
90 document.body.appendChild(document.createElement('br'));
97 <p>This script tests if iframe.src can be set to a JavaScript URL via alternate
98 DOM interfaces (such as Node.textContent or NamedNode.setNamedItem).
99 The test is successful if no alerts appear and the page finishes loading.</p>