Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html 

<html>
<head>
<script src="../resources/libwrapjs.js"></script>
<script src="../resources/cross-frame-access.js"></script>
<script>
    var code;
    var openedWindow;

    window.onload = function()
    {
        if (window.testRunner) {
            testRunner.waitUntilDone();
            testRunner.setPopupBlockingEnabled(false);
            testRunner.dumpAsText();
            testRunner.dumpChildFrames();
        }

        var message_fail = 'FAIL: XSS was allowed.';
        var message_success = 'SUCCESS: Window remained in original SecurityOrigin.';

        var write_func = 'function write(target, message) { target.document.body.innerHTML = message; }';

        var try_attack = 'write(window.opener, ' + libwrapjs.in_string(message_fail) + ');';
        var attack = 'setTimeout(function() {' + try_attack + '}, 100);';

        var try_control = 'write(window.opener.top.frames[1], ' + libwrapjs.in_string(message_success) + ');';
        var control = 'setTimeout(function() {' + try_control + '}, 200);';

        var sigDone = 'setTimeout(function() { window.opener.top.postMessage(\'done\', \'*\'); }, 300);';

        var payload = 'document.write(' + libwrapjs.in_string(libwrapjs.in_script_tag(write_func + attack + control + sigDone)) + ');';
        code = libwrapjs.in_script_tag(payload);
        log("Code injected into window:");
        log(code);

        frames[0].openWindow();
        openedWindow = frames[0].openedWindow;

        document.getElementById('targetFrame').onload = runTest;
        frames[0].location = 'http://localhost:8000/security/resources/innocent-victim.html';
    }

    runTest = function()
    {
        window.addEventListener('message', function () { closeWindowAndNotifyDone(openedWindow); });
        openedWindow.document.write(code);
        openedWindow.document.close();
    }
</script>
</head>
<body>
<div>This page opens a window to &quot;&quot;, injects malicious code, and
then navigates its opener to the victim.  The opened window then tries to
scripts its opener after <code>document.write</code>ing a new document.</div>
<pre id="console"></pre>
<iframe id="targetFrame" style="border: solid 3px red;" src="../resources/open-window.html"></iframe>
<iframe style="border: solid 3px green;" src="../resources/innocent-victim.html"></iframe>
</body>
</html>