search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / third_party / WebKit / LayoutTests / http / tests / security / cross-frame-access-set-window-properties.html
blob4a198c3783289b0c93e84cb6b0963811732b53f5
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <script src="/js-test-resources/js-test.js"></script>
5 </head>
6 <body>
7 <iframe src="http://localhost:8080/security/resources/innocent-victim.html"></iframe>
8 <script>
9 window.jsTestIsAsync = true;
10 description("Certain window properties are readable cross-origin, but ought not be writable.");
11
12 var iWindow;
13 window.onload = function () {
14 iWindow = document.querySelector('iframe').contentWindow;
15
16 var ex = '"SecurityError: Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a cross-origin frame."';
17
18 // 'DoNotCheckSecurity' methods.
19 var DoNotCheckSecurityMethods = [
20 'focus',
21 'blur',
22 'close',
23 'postMessage',
24 'toString'
25 ];
26 for (var i = 0; i < DoNotCheckSecurityMethods.length; i++) {
27 shouldThrow('iWindow.' + DoNotCheckSecurityMethods[i] + ' = function () {};', ex);
28 }
29
30 // 'Replacable' properties (not an exhaustive list).
31 var ReplaceableProperties = [
32 'clientInformation',
33 'devicePixelRatio',
34 'event',
35 'frames',
36 'history',
37 'innerHeight',
38 'innerWidth',
39 'length',
40 'locationbar',
41 'menubar',
42 'navigator',
43 'offscreenBuffering',
44 'opener',
45 'outerHeight',
46 'outerWidth',
47 'parent',
48 'personalbar',
49 'screen',
50 'screenLeft',
51 'screenTop',
52 'screenX',
53 'screenY',
54 'scrollX',
55 'scrollY',
56 'scrollbars',
57 'self',
58 'statusbar',
59 'toolbar'
60 ];
61 for (var i = 0; i < ReplaceableProperties.length; i++) {
62 shouldThrow('iWindow.' + ReplaceableProperties[i] + ' = 1;');
63 }
64
65 finishJSTest();
66 };
67 </script>
68 </body>
69 </html>