chromium/third_party/blink/web_tests/http/tests/security/xss-eval.html

<p>This page verifies that you can't use eval to subvert cross-domain checks.</p>
<p>If the test passes, you'll see a pass message below.</p>
<hr>
<pre id="console"></pre>

<iframe style="width:0; height: 0" src="resources/xss-eval2.html"></iframe>

<script>
// Under the web-test harness: dump the page as text and keep the test open
// until the "message" handler further down calls notifyDone(). When the page
// is opened by hand there is no testRunner and this is skipped.
{
    const harness = window.testRunner;
    if (harness) {
        harness.dumpAsText();
        harness.waitUntilDone();
    }
}

/**
 * Appends one line to the <pre id="console"> element.
 *
 * The line is inserted as a text node, so any markup contained in `s`
 * (including values obtained from another frame) is displayed literally
 * and never parsed as HTML.
 *
 * @param s value to print; it is concatenated with a trailing newline.
 */
function log(s)
{
    const output = document.getElementById("console");
    const line = document.createTextNode(s + "\n");
    output.appendChild(line);
}

/**
 * Records the outcome of one check in the on-page console.
 *
 * The comparison is strict (===), so an exception name returned by a
 * caller's catch block only matches the identical string.
 *
 * @param aDescription text naming the expression under test
 * @param a observed value
 * @param b expected value
 */
function shouldBe(aDescription, a, b)
{
    const expectation = aDescription + " should be " + b;
    if (a !== b) {
        log("FAIL: " + expectation + " but instead is " + a + ".");
        return;
    }
    log("PASS: " + expectation + " and is.");
}

// Marker property on this page's document. Each check below reads
// `.testExpando` from whatever object the evaluated 'document' expression
// yields, so seeing this string means this page's document was reached.
document.testExpando = "It's me!";

// Runs the four checks when any "message" event reaches this window; the
// handler does not look at the event's origin or data.
// NOTE(review): childEval, childEvalCaller and childLocalEvalCaller are not
// defined in this file; presumably resources/xss-eval2.html installs them and
// then posts the message. Confirm against that resource.
//
// Each check wraps the expression in an immediately-invoked function whose
// catch block returns the exception's name, so shouldBe() compares either the
// value read or the name of the error thrown. A missing helper is also caught
// there and shows up as a FAIL with "ReferenceError".
addEventListener("message", function()
{
    // This page's own eval, called with frames[0] as `this`. The expected
    // result is this document's expando, i.e. passing the frame as `this`
    // must not move evaluation out of this page's global.
    shouldBe("eval.call(frames[0], 'document').testExpando",
        (function() { try {
            return eval.call(frames[0], 'document').testExpando;
        } catch(e) { return e.name; } })(), "It's me!")

    // The helper named childEval, called with frames[0] as `this`:
    // expected to end in a TypeError rather than yield the expando.
    shouldBe("childEval.call(frames[0], 'document').testExpando",
        (function() { try {
            return childEval.call(frames[0], 'document').testExpando;
        } catch(e) { return e.name; } })(), "TypeError");

    // Asking childEvalCaller to evaluate 'document': expected to be refused
    // with a SecurityError.
    shouldBe("childEvalCaller('document').testExpando",
        (function() { try {
            return childEvalCaller('document').testExpando;
        } catch(e) { return e.name; } })(), "SecurityError");

    // Same request through childLocalEvalCaller: expected to end in a
    // TypeError.
    shouldBe("childLocalEvalCaller('document').testExpando",
        (function() { try { return childLocalEvalCaller('document').testExpando; } catch(e) { return e.name; } })(), "TypeError");

    // Release the harness, which was told to wait by waitUntilDone() above.
    if (window.testRunner)
        testRunner.notifyDone();
}, false);
</script>