Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/cross-frame-access-enumeration.html 

<html>
<head>
    <script src="resources/cross-frame-access.js"></script>
    <script>
        window.onload = function()
        {
            if (window.testRunner) {
                testRunner.dumpAsText();
                testRunner.waitUntilDone();
            }

            // Test enumerating the Window object
            var b_win = document.getElementsByTagName("iframe")[0].contentWindow;
            try {
                for (var k in b_win) {
                    if (k == "customWindowProperty") {
                        log("FAIL: Cross frame access by enumerating the window object was allowed.");
                        return;
                    }
                }
            } catch (e) {
            }
            log("PASS: Cross frame access by enumerating the window object was denied.");

            try {
                var b_winKeys = Object.keys(b_win);
                if (b_winKeys.indexOf("customWindowProperty") != -1) {
                    log("FAIL: Cross frame access by getting the keys of the window object was allowed.");
                    return;
                }
            } catch (e) {
            }
            log("PASS: Cross frame access by getting the keys of the window object was denied.");

            try {
                var b_winPropertyNames = Object.getOwnPropertyNames(b_win);
                if (b_winPropertyNames.indexOf("customWindowProperty") != -1) {
                    log("FAIL: Cross frame access by getting the property names of the window object was allowed.");
                    return;
                }
            } catch (e) {
            }
            log("PASS: Cross frame access by getting the property names of the window object was denied.");

            // Test enumerating the Location object
            var b_win_location = b_win.location;
            for (var k in b_win_location) {
                log("FAIL: Cross frame access by enumerating the Location object was allowed.");
                return;
            }
            log("PASS: Cross frame access by enumerating the Location object revealed no properties.");

            var b_winLocationKeys = Object.keys(b_win_location);
            var keys_failure = false;
            for (var i = 0; i < b_winLocationKeys.length; i++) {
                var k = b_winLocationKeys[i];
                // See also cross-frame-access-location-get.html for the list of accessible keys.
                if (k !== "assign" && k !== "replace") {
                    log("FAIL: Cross frame access by getting the keys of the Location object returned non-whitelisted key: " + k);
                    keys_failure = true;
                }
            }
            if (!keys_failure) {
                log("PASS: Cross frame access by getting the keys of the Location object revealed only whitelisted keys.");
            }

            var b_winLocationPropertyNames = Object.getOwnPropertyNames(b_win_location);
            if (b_winLocationPropertyNames.indexOf("customLocationProperty") != -1) {
                log("FAIL: Cross frame access by getting the property names of the Location object was allowed.");
                return;
            }
            log("PASS: Cross frame access by getting the property names of the Location object revealed no custom properties.");

            if (window.testRunner)
                testRunner.notifyDone();
        }
    </script>
</head>
<body>
    <p>This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)</p>
    <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-enumeration-test.html"></iframe>
    <pre id="console"></pre>
</body>
</html>