| OLD | NEW |
| 1 <html> | 1 <html> |
| 2 <head> | 2 <head> |
| 3 <script src="../resources/libwrapjs.js"></script> | 3 <script src="../resources/libwrapjs.js"></script> |
| 4 <script src="../resources/cross-frame-access.js"></script> | 4 <script src="../resources/cross-frame-access.js"></script> |
| 5 <script> | 5 <script> |
| 6 var code; | 6 var code; |
| 7 var openedWindow; | 7 var openedWindow; |
| 8 | 8 |
| 9 window.onload = function() | 9 window.onload = function() |
| 10 { | 10 { |
| 11 if (window.testRunner) { | 11 if (window.testRunner) { |
| 12 testRunner.waitUntilDone(); | 12 testRunner.waitUntilDone(); |
| 13 testRunner.setCanOpenWindows(); | 13 testRunner.setCanOpenWindows(); |
| 14 testRunner.dumpAsText(); | 14 testRunner.dumpAsText(); |
| 15 testRunner.dumpChildFramesAsText(); | 15 testRunner.dumpChildFramesAsText(); |
| 16 } | 16 } |
| 17 | 17 |
| 18 var message_fail = 'FAIL: XSS was allowed.'; | 18 var message_fail = 'FAIL: XSS was allowed.'; |
| 19 var message_success = 'SUCCESS: Window remained in original SecurityOrig
in.'; | 19 var message_success = 'SUCCESS: Window remained in original SecurityOrig
in.'; |
| 20 | 20 |
| 21 var write_func = 'function write(target, message) { target.document.body
.innerHTML = message; }\n'; | 21 var write_func = 'function write(target, message) { target.document.body
.innerHTML = message; }\n'; |
| 22 | 22 |
| 23 var try_attack = 'write(window.opener.top.frames[0], ' + libwrapjs.in_st
ring(message_fail) + ');'; | 23 var try_attack = 'write(window.opener.top.frames[0], ' + libwrapjs.in_st
ring(message_fail) + ');'; |
| 24 var attack = 'setTimeout(function() {' + try_attack + '}, 100);\n'; | 24 var attack = 'setTimeout(function() {' + try_attack + '}, 100);\n'; |
| 25 | 25 |
| 26 var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_s
tring(message_success) + ');'; | 26 var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_s
tring(message_success) + ');'; |
| 27 var control = 'setTimeout(function() {' + try_control + '}, 200);\n'; | 27 var control = 'setTimeout(function() {' + try_control + '}, 200);\n'; |
| 28 | 28 |
| 29 var sigDone = 'setTimeout(function() { if (window.testRunner) testRunner
.globalFlag = true; }, 300);'; | 29 var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'d
one\', \'*\'); }, 300);'; |
| 30 | 30 |
| 31 var payload = write_func + attack + control + sigDone; | 31 var payload = write_func + attack + control + sigDone; |
| 32 code = libwrapjs.in_script_tag(payload); | 32 code = libwrapjs.in_script_tag(payload); |
| 33 log("Code injected into window:"); | 33 log("Code injected into window:"); |
| 34 log(code); | 34 log(code); |
| 35 | 35 |
| 36 if (window.testRunner) { | 36 if (window.testRunner) { |
| 37 runTest(); | 37 runTest(); |
| 38 } else { | 38 } else { |
| 39 log("To run the test, click the button below when the frames finish
loading."); | 39 log("To run the test, click the button below when the frames finish
loading."); |
| 40 var button = document.createElement("button"); | 40 var button = document.createElement("button"); |
| 41 button.appendChild(document.createTextNode("Run Test")); | 41 button.appendChild(document.createTextNode("Run Test")); |
| 42 button.onclick = runTest; | 42 button.onclick = runTest; |
| 43 document.body.appendChild(button); | 43 document.body.appendChild(button); |
| 44 } | 44 } |
| 45 } | 45 } |
| 46 | 46 |
| 47 runTest = function() | 47 runTest = function() |
| 48 { | 48 { |
| 49 window.addEventListener('message', function () { closeWindowAndNotifyDon
e(openedWindow); }); |
| 49 openedWindow = window.open('', 'attacker'); | 50 openedWindow = window.open('', 'attacker'); |
| 50 openedWindow.document.write(code); | 51 openedWindow.document.write(code); |
| 51 openedWindow.document.close(); | 52 openedWindow.document.close(); |
| 52 | 53 |
| 53 setTimeout(pollForDone, 1); | |
| 54 | |
| 55 try { | 54 try { |
| 56 window.open.call(frames[0], '', 'attacker'); | 55 window.open.call(frames[0], '', 'attacker'); |
| 57 log("FAIL: 'window.open' called on another frame should throw."); | 56 log("FAIL: 'window.open' called on another frame should throw."); |
| 58 } catch (e) { | 57 } catch (e) { |
| 59 log("PASS: 'window.open' called on another frame threw: " + e); | 58 log("PASS: 'window.open' called on another frame threw: " + e); |
| 60 } | 59 } |
| 61 } | 60 } |
| 62 | |
| 63 pollForDone = function() | |
| 64 { | |
| 65 if (!testRunner.globalFlag) { | |
| 66 setTimeout(pollForDone, 1); | |
| 67 return; | |
| 68 } | |
| 69 closeWindowAndNotifyDone(openedWindow); | |
| 70 } | |
| 71 </script> | 61 </script> |
| 72 </head> | 62 </head> |
| 73 <body> | 63 <body> |
| 74 <div>This page opens a window to "", injects malicious code, and | 64 <div>This page opens a window to "", injects malicious code, and |
| 75 then uses <code>window.open.call</code> to set its opener to the victim. | 65 then uses <code>window.open.call</code> to set its opener to the victim. |
| 76 The opened window then tries to scripts its opener.</div> | 66 The opened window then tries to scripts its opener.</div> |
| 77 <pre id="console"></pre> | 67 <pre id="console"></pre> |
| 78 <iframe style="border: solid 3px red;" src="http://localhost:8000/security/resou
rces/innocent-victim.html"></iframe> | 68 <iframe style="border: solid 3px red;" src="http://localhost:8000/security/resou
rces/innocent-victim.html"></iframe> |
| 79 <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"
></iframe> | 69 <iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"
></iframe> |
| 80 </body> | 70 </body> |
| 81 </html> | 71 </html> |
| OLD | NEW |
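Review bot: The `message` listener added on new line 49 of `runTest` calls `closeWindowAndNotifyDone(openedWindow)` for every message event, without checking `event.data` or `event.source`. Any other message reaching the top page would end the test, whether from one of the two `innocent-victim.html` frames or from a harness helper; whether they post anything is not visible here. If that happened before the 100 ms attack timer fired, the text dump would be taken before a `FAIL: XSS was allowed.` could appear, so a regression might go unreported. Consider filtering on the expected sender and payload, for example `window.addEventListener('message', function (e) { if (e.source === openedWindow && e.data === 'done') closeWindowAndNotifyDone(openedWindow); });`. The `'*'` target origin on the sending side matters less because the message carries no data, but a short comment saying it is deliberate would help readers of a security test.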