Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/xss-DENIED-iframe-src-alias.html 

<html>
<head>
<script>
window.onload = function()
{
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.setDumpConsoleMessages(false);
        testRunner.waitUntilDone();
    }

    function alertMsg(msg) { 
        return "javascript:alert(\"FAIL: " + msg + 
            "\");document.body.innerHTML=\"<p style='font-weight:bold;color:red'>Failure testing " + msg + "</p>\";//"; 
    }
    // Test different ways of setting iframe.src
    var aliasTests = [
        // Attr/Node attributes
        function(iFrame) { iFrame.attributes['src'].value = alertMsg("value"); iFrame.src = iFrame.src;},
        
        // Text Node Manipulation
        function(iFrame) { iFrame.attributes['src'].firstChild.data = alertMsg("nodeValue");},

        // Node attribute manipulation functions
        function(iFrame) { iFrame.setAttribute("src", alertMsg("setAttribute"));},
        function(iFrame) { iFrame.setAttributeNS(null, "src", alertMsg("setAttributeNS"));},
        function(iFrame) {
            var a = document.createAttribute('src');
            a.value = alertMsg("setAttributeNode");
            iFrame.setAttributeNode(a);
        },
        function(iFrame) {
            var a = document.createAttribute('src');
            a.nodeValue = alertMsg("setAttributeNodeNS");
            iFrame.setAttributeNodeNS(a);
        },
        // NamedNodeMap
        function(iFrame) {
            var a = document.createAttribute('src');
            a.value = alertMsg("setNamedItem()");
            iFrame.attributes.setNamedItem(a);
        },
        function(iFrame) {
            var a = document.createAttribute('src');
            a.value = alertMsg("setNamedItemNS()");
            iFrame.attributes.setNamedItemNS(a);
        }
    ];

    function makeOnloadHandler (idx, tgtFrame, nextTest) {
        return function() {
            tgtFrame.onload = null;
            try {
                aliasTests[idx](tgtFrame);
            } catch (e) {}
            setTimeout(nextTest, 0);
        }
    }

    function runOneTest (idx) {
        if (idx >= aliasTests.length) {
            if (window.testRunner)
                testRunner.notifyDone();
            return;
        }

        var aFrame = document.createElement('iframe');
        aFrame.src = 'http://localhost:8080/security/resources/innocent-victim.html';
        aFrame.onload = makeOnloadHandler(idx, aFrame, runOneTest.bind(this, idx + 1));
        aFrame.width = 700;
        aFrame.height = 40;
        document.body.appendChild(aFrame);
        document.body.appendChild(document.createElement('br'));
    }

    runOneTest(0);
}

</script>
</head>
<body>
<p>This script tests if iframe.src can be set to a JavaScript URL via alternate 
   DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). 
   The test is successful if no alerts appear and the page finishes loading.</p>
</body>
</html>