LayoutTests/http/tests/security/xss-DENIED-object-element.html - Issue 8206005: Merge 96826 - Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: LayoutTests/http/tests/security/xss-DENIED-object-element.html

Issue 8206005: Merge 96826 - Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/874/

Patch Set: Created 9 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 <html>	1 <html>

2 <head>	2 <head>

3 <script>	3 <script>

4 if (window.layoutTestController) {	4 if (window.layoutTestController) {

5 layoutTestController.waitUntilDone();	5 layoutTestController.waitUntilDone();

6 layoutTestController.dumpAsText();	6 layoutTestController.dumpAsText();

7 }	7 }

8	8

9 window.onload = function()	9 window.onload = function()

10 {	10 {

11 object = document.createElement("object");	11 object = document.createElement("object");

12 object.data = "http://localhost:8000/security/resources/innocent-victim.html ";	12 object.data = "http://localhost:8000/security/resources/innocent-victim.html ";

13 document.body.appendChild(object);	13 document.body.appendChild(object);

14 object.onload = function() {	14 object.onload = function() {

15 object.onload = null;	15 object.onload = null;

16 object.data = "javascript:alert(document.body.innerHTML)";	16 object.data = "javascript:alert(document.body.innerHTML)";

17 object.innerHTML = "foo";	17 object.innerHTML = "foo";

18	18

19 if (window.layoutTestController)	19 if (window.layoutTestController)

20 setTimeout("layoutTestController.notifyDone()", 50);	20 setTimeout("layoutTestController.notifyDone()", 50);

21 }	21 }

22 }	22 }

23 </script>	23 </script>

24 </head>	24 </head>

25 <body>	25 <body>

26 There should be no alert displayed.	26 There should be no alert displayed.

27 </body>	27 </body>

28 </html>	28 </html>

OLD	NEW

« no previous file with comments | « no previous file | LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt » ('j') | no next file with comments »