From 4b2170afea2d38cd98c7ea0e25a5c45151f7471e Mon Sep 17 00:00:00 2001 From: "fqian@google.com" Date: Thu, 23 Oct 2008 15:42:29 +0000 Subject: Testing that an inactive closure cannot access new page in a frame. Review URL: http://codereview.chromium.org/8037 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@3813 0039d316-1c4b-4281-b951-d872f2087c98 --- .../listener/resources/childWithButton.html | 6 ++++ .../resources/xss-inactive-closure-child-2.html | 8 +++++ .../resources/xss-inactive-closure-child.html | 12 ++++++++ .../listener/xss-inactive-closure-expected.txt | 9 ++++++ .../security/listener/xss-inactive-closure.html | 34 ++++++++++++++++++++++ 5 files changed, 69 insertions(+) create mode 100644 webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html create mode 100644 webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html create mode 100644 webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html create mode 100644 webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt create mode 100644 webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html (limited to 'webkit') diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html new file mode 100644 index 0000000..246a70d --- /dev/null +++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/childWithButton.html @@ -0,0 +1,6 @@ + + +

Other Child

+ + + diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html new file mode 100644 index 0000000..9b575d3 --- /dev/null +++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child-2.html @@ -0,0 +1,8 @@ + + +A new child window. My bar is 100. + + + diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html new file mode 100644 index 0000000..0e76619b --- /dev/null +++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/resources/xss-inactive-closure-child.html @@ -0,0 +1,12 @@ + + +

Target Child

+ + + diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt new file mode 100644 index 0000000..b68d599 --- /dev/null +++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure-expected.txt @@ -0,0 +1,9 @@ +CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/listener/resources/xss-inactive-closure-child-2.html from frame with URL http://127.0.0.1:8081/chrome/http/tests/security/listener/resources/childWithButton.html. Domains, protocols and ports must match. + +CONSOLE MESSAGE: line 6: Uncaught TypeError: Cannot read property 'bar' of undefined +This tests that when a frame navigates to a new page, closures in the old page cannot access page content of the new page if there are from different domains. + +You should see PASSSED at the end of page if the test passes. + + +PASSED diff --git a/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html new file mode 100644 index 0000000..6f513a4 --- /dev/null +++ b/webkit/data/layout_tests/chrome/http/tests/security/listener/xss-inactive-closure.html @@ -0,0 +1,34 @@ + + + + + +

This tests that when a frame navigates to a new page, closures in the old page cannot access page content of the new page if there are from different domains.

+

You should see PASSSED at the end of page if the test passes.

+ + +
PASSED
+ + -- cgit v1.1
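Review bot: In xss-inactive-closure-expected.txt, the baseline pins "CONSOLE MESSAGE: line 6: Uncaught TypeError: Cannot read property 'bar' of undefined", so the expected result depends on an uncaught exception and on the engine's exact error wording and line number, not on an explicit statement that the access was denied. Consider having the old closure catch the failed access and write its own result line, so the baseline only changes when the security behaviour changes. The first console message also hard-codes two origins and two different path prefixes (localhost:8000 under /security/listener/ and 127.0.0.1:8081 under /chrome/http/tests/security/listener/); a short comment in the test stating which server is expected to serve which frame would make a future baseline mismatch easier to diagnose.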
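Review bot: The description text in xss-inactive-closure.html has two wording errors, and both are copied into the expected-output file. "if there are from different domains" should read "if they are from different domains", and "You should see PASSSED" does not match the "PASSED" string the test actually prints, so anyone searching the output for the word named in the instructions will not find it. Fix both in the HTML and regenerate xss-inactive-closure-expected.txt in the same change so the two files stay in sync.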