| OLD | NEW |
| 1 <html> | 1 <html> |
| 2 <head> | 2 <head> |
| 3 <script src="../resources/libwrapjs.js"></script> | 3 <script src="../resources/libwrapjs.js"></script> |
| 4 <script src="../resources/cross-frame-access.js"></script> | 4 <script src="../resources/cross-frame-access.js"></script> |
| 5 <script> | 5 <script> |
| 6 var code; | 6 var code; |
| 7 var openedWindow; | 7 var openedWindow; |
| 8 | 8 |
| 9 window.onload = function() | 9 window.onload = function() |
| 10 { | 10 { |
| 11 if (window.testRunner) { | 11 if (window.testRunner) { |
| 12 testRunner.waitUntilDone(); | 12 testRunner.waitUntilDone(); |
| 13 testRunner.setCanOpenWindows(); | 13 testRunner.setCanOpenWindows(); |
| 14 testRunner.dumpAsText(); | 14 testRunner.dumpAsText(); |
| 15 testRunner.dumpChildFramesAsText(); | 15 testRunner.dumpChildFramesAsText(); |
| 16 } | 16 } |
| 17 | 17 |
| 18 var message_fail = 'FAIL: XSS was allowed.'; | 18 var message_fail = 'FAIL: XSS was allowed.'; |
| 19 var message_success = 'SUCCESS: Window remained in original SecurityOrig
in.'; | 19 var message_success = 'SUCCESS: Window remained in original SecurityOrig
in.'; |
| 20 | 20 |
| 21 var write_func = 'function write(target, message) { target.document.body
.innerHTML = message; }'; | 21 var write_func = 'function write(target, message) { target.document.body
.innerHTML = message; }'; |
| 22 | 22 |
| 23 var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_f
ail) + ');'; | 23 var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_f
ail) + ');'; |
| 24 var attack = 'setTimeout(function() {' + try_attack + '}, 100);'; | 24 var attack = 'setTimeout(function() {' + try_attack + '}, 100);'; |
| 25 | 25 |
| 26 var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_s
tring(message_success) + ');'; | 26 var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_s
tring(message_success) + ');'; |
| 27 var control = 'setTimeout(function() {' + try_control + '}, 200);'; | 27 var control = 'setTimeout(function() {' + try_control + '}, 200);'; |
| 28 | 28 |
| 29 var sigDone = 'setTimeout(function() { if (window.testRunner) testRunner
.globalFlag = true; }, 300);'; | 29 var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'d
one\', \'*\'); }, 300);'; |
| 30 | 30 |
| 31 var payload = 'window.location = ' + libwrapjs.in_javascript_document(wr
ite_func + attack + control + sigDone); | 31 var payload = 'window.location = ' + libwrapjs.in_javascript_document(wr
ite_func + attack + control + sigDone); |
| 32 code = libwrapjs.in_script_tag(payload); | 32 code = libwrapjs.in_script_tag(payload); |
| 33 log("Code injected into window:"); | 33 log("Code injected into window:"); |
| 34 log(code); | 34 log(code); |
| 35 | 35 |
| 36 if (window.testRunner) { | |
| 37 setTimeout(pollForTest1, 1); | |
| 38 } else { | |
| 39 log("To run the test, click the button below when the frames finish
loading."); | |
| 40 var button = document.createElement("button"); | |
| 41 button.appendChild(document.createTextNode("Run Test")); | |
| 42 button.onclick = runTest; | |
| 43 document.body.appendChild(button); | |
| 44 } | |
| 45 } | |
| 46 | |
| 47 pollForTest1 = function() | |
| 48 { | |
| 49 if (!testRunner.globalFlag) { | |
| 50 setTimeout(pollForTest1, 1); | |
| 51 return; | |
| 52 } | |
| 53 runTest1(); | |
| 54 } | |
| 55 | |
| 56 runTest1 = function() { | |
| 57 frames[0].openWindow(); | 36 frames[0].openWindow(); |
| 58 openedWindow = frames[0].openedWindow; | 37 openedWindow = frames[0].openedWindow; |
| 59 | 38 |
| 60 if (window.testRunner) | 39 document.getElementById('targetFrame').onload = runTest; |
| 61 testRunner.globalFlag = false; | 40 frames[0].location = 'http://localhost:8000/security/resources/innocent-
victim.html'; |
| 62 | |
| 63 frames[0].location = 'http://localhost:8000/security/resources/innocent-
victim-with-notify.html'; | |
| 64 | |
| 65 setTimeout(pollForTest2, 1); | |
| 66 } | 41 } |
| 67 | 42 |
| 68 pollForTest2 = function() | 43 runTest = function() |
| 69 { | 44 { |
| 70 if (!testRunner.globalFlag) { | 45 window.addEventListener('message', function () { closeWindowAndNotifyDon
e(openedWindow); }); |
| 71 setTimeout(pollForTest2, 1); | |
| 72 return; | |
| 73 } | |
| 74 runTest2(); | |
| 75 } | |
| 76 | |
| 77 runTest2 = function() | |
| 78 { | |
| 79 openedWindow.document.write(code); | 46 openedWindow.document.write(code); |
| 80 openedWindow.document.close(); | 47 openedWindow.document.close(); |
| 81 if (window.testRunner) { | |
| 82 testRunner.globalFlag = false; | |
| 83 setTimeout(pollForDone, 1); | |
| 84 } | |
| 85 } | |
| 86 | |
| 87 pollForDone = function() | |
| 88 { | |
| 89 if (!testRunner.globalFlag) { | |
| 90 setTimeout(pollForDone, 1); | |
| 91 return; | |
| 92 } | |
| 93 closeWindowAndNotifyDone(openedWindow); | |
| 94 } | 48 } |
| 95 </script> | 49 </script> |
| 96 </head> | 50 </head> |
| 97 <body> | 51 <body> |
| 98 <div>This page opens a window to "", injects malicious code, and | 52 <div>This page opens a window to "", injects malicious code, and |
| 99 then navigates its opener to the victim. The opened window then tries to | 53 then navigates its opener to the victim. The opened window then tries to |
| 100 scripts its opener after reloading itself as a <code>javascript</code> | 54 scripts its opener after reloading itself as a <code>javascript</code> |
| 101 URL.</div> | 55 URL.</div> |
| 102 <pre id="console"></pre> | 56 <pre id="console"></pre> |
| 103 <iframe style="border: solid 3px red;" src="../resources/open-window.html"></ifr
ame> | 57 <iframe id="targetFrame" style="border: solid 3px red;" src="../resources/open-w
indow.html"></iframe> |
| 104 <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"
></iframe> | 58 <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"
></iframe> |
| 105 </body> | 59 </body> |
| 106 </html> | 60 </html> |
| OLD | NEW |
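Review bot: The `message` listener added at new line 45 in `runTest` ends the test on any message event, without checking `event.data` or `event.source`. The completion signal is the string `'done'` posted by the opened window, so the handler can be tied to it: `window.addEventListener('message', function (e) { if (e.data === 'done' && e.source === openedWindow) closeWindowAndNotifyDone(openedWindow); });`. Without that check, a stray message from either child frame would presumably finish the run before the 100 ms and 200 ms writes fire, and the dumped frames would no longer show whether the cross-origin write was blocked. The ordering also still rests on the fixed timers, so a comment above `sigDone` would help, e.g. `// Must fire after attack (100 ms) and control (200 ms).`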