authorfqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-10-23 15:42:29 +0000
committerfqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-10-23 15:42:29 +0000
commit4b2170afea2d38cd98c7ea0e25a5c45151f7471e (patch)
tree01e1dd00ee8b62570afedd9a7ffad86d72a331fe /webkit
parent604c0baa92f88b29cbccb4728203410ffff802ab (diff)
Testing that an inactive closure cannot access new page in a frame.
Review URL: http://codereview.chromium.org/8037 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@3813 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r--webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html6
-rw-r--r--webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html8
-rw-r--r--webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html12
-rw-r--r--webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt9
-rw-r--r--webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html34
5 files changed, 69 insertions, 0 deletions
diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html
new file mode 100644
index 0000000..246a70d
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html
@@ -0,0 +1,6 @@
+<html>
+<body>
+ <p>Other Child</p>
+ <button id="button">I am a button</button>
+</body>
+</html>
diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html
new file mode 100644
index 0000000..9b575d3
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html
@@ -0,0 +1,8 @@
+<html>
+<body>
+A new child window. My bar is 100.
+<script>
+ document.bar = 100;
+</script>
+</body>
+</html>
diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html
new file mode 100644
index 0000000..0e76619b
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+ <p>Target Child</p>
+ <script>
+ window.parent.frames[1].document.getElementById('button').addEventListener("click", function() {
+ parent.log("FAILED: document.bar = " + document.bar);
+ }, false);
+
+ window.location = "http://localhost:8000/security/listener/resources/xss-inactive-closure-child-2.html";
+ </script>
+</body>
+</html>
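Review bot: The absolute URL assigned to `window.location` drops the `chrome/http/tests` prefix that the baseline shows for childWithButton.html on port 8081, so it is not clear from this diff that port 8000 serves xss-inactive-closure-child-2.html at all. If that request returns an error page the test would still pass, because only the origin change matters, but `document.bar = 100` would never run and a regression would report a less informative FAILED value. A comment such as `// Navigate to a different origin (localhost:8000) so this closure becomes inactive and cross-origin.` above the assignment would record why the host and port are hard-coded. `window.parent.frames[1]` also ties this script to the iframe order in the parent page, which deserves a short comment as well.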
diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt
new file mode 100644
index 0000000..b68d599
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt
@@ -0,0 +1,9 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/listener/resources/xss-inactive-closure-child-2.html from frame with URL http://127.0.0.1:8081/chrome/http/tests/security/listener/resources/childWithButton.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 6: Uncaught TypeError: Cannot read property 'bar' of undefined
+This tests that when a frame navigates to a new page, closures in the old page cannot access page content of the new page if there are from different domains.
+
+You should see PASSSED at the end of page if the test passes.
+
+
+PASSED
diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html
new file mode 100644
index 0000000..6f513a4
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html
@@ -0,0 +1,34 @@
+<html>
+<head>
+ <script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ function onloadForButtonChild() {
+ var targetChild = document.getElementById('targetChild');
+ targetChild.src = "resources/xss-inactive-closure-child.html";
+ targetChild.onload = start;
+ }
+
+ function start() {
+ var buttonChild = window.frames[1];
+ buttonChild.document.getElementById('button').click();
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ function log(msg) {
+ document.getElementById('result').innerHTML = msg;
+ }
+ </script>
+</head>
+<body>
+ <p>This tests that when a frame navigates to a new page, closures in the old page cannot access page content of the new page if there are from different domains.</p>
+ <p>You should see PASSSED at the end of page if the test passes.</p>
+ <iframe id="targetChild" src=""></iframe>
+ <iframe src="resources/childWithButton.html" onload="onloadForButtonChild();"></iframe>
+ <div id="result">PASSED</div>
+</body>
+</html>
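Review bot: The result div starts out as `PASSED`, so the page text alone reports success even when the listener is never registered or `start()` never clicks the button; only the two CONSOLE MESSAGE lines in xss-inactive-closure-expected.txt show that the cross-origin access was attempted and blocked. I would start from `<div id="result">RUNNING</div>` and have `start()` write the verdict after the click, and add a comment above `start()` saying the console lines in the baseline are the real assertion. `start()` also runs on the target iframe's load event without checking which document the frame holds, so it is worth confirming the click cannot fire before the navigation to child-2 has committed. `log()` could assign `textContent` rather than `innerHTML`, since `msg` would carry a value read from the other page if the check ever regressed.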