<!DOCTYPE html>
<html>
<head>
<script src="/js-test-resources/js-test.js"></script>
</head>
<body>
<iframe src="http://localhost:8080/security/resources/innocent-victim.html"></iframe>
<script>
window.jsTestIsAsync = true;
description("Certain window properties are readable cross-origin, but ought not be writable.");
var iWindow;
window.onload = function () {
iWindow = document.querySelector('iframe').contentWindow;
var ex1 = '"SecurityError: Failed to set a named property \'';
var ex2 = '\' on \'Window\': Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a cross-origin frame."';
// 'DoNotCheckSecurity' methods.
var DoNotCheckSecurityMethods = [
'focus',
'blur',
'close',
'postMessage',
'toString'
];
for (var i = 0; i < DoNotCheckSecurityMethods.length; i++) {
shouldThrow('iWindow.' + DoNotCheckSecurityMethods[i] + ' = function () {};', ex1 + DoNotCheckSecurityMethods[i] + ex2);
}
// 'Replacable' properties (not an exhaustive list).
var ReplaceableProperties = [
'clientInformation',
'devicePixelRatio',
'event',
'frames',
'history',
'innerHeight',
'innerWidth',
'length',
'locationbar',
'menubar',
'navigator',
'offscreenBuffering',
'opener',
'outerHeight',
'outerWidth',
'parent',
'personalbar',
'screen',
'screenLeft',
'screenTop',
'screenX',
'screenY',
'scrollX',
'scrollY',
'scrollbars',
'self',
'statusbar',
'toolbar'
];
for (var i = 0; i < ReplaceableProperties.length; i++) {
shouldThrow('iWindow.' + ReplaceableProperties[i] + ' = 1;');
}
finishJSTest();
};
</script>
</body>
</html>
Codebase Browser
chromium