Title: [211435] trunk/LayoutTests
- Revision
- 211435
- Author
- [email protected]
- Date
- 2017-01-31 09:21:42 -0800 (Tue, 31 Jan 2017)
Log Message
Add better test coverage for scripting windows opened via window.open()
https://bugs.webkit.org/show_bug.cgi?id=167531
Reviewed by Brent Fulgham.
Add better test coverage for scripting windows opened via window.open().
* http/tests/security/cross-origin-window-open-insert-script-expected.txt: Added.
* http/tests/security/cross-origin-window-open-insert-script.html: Added.
* http/tests/security/cross-origin-window-open-_javascript_-url-expected.txt: Added.
* http/tests/security/cross-origin-window-open-_javascript_-url.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (211434 => 211435)
--- trunk/LayoutTests/ChangeLog 2017-01-31 16:52:00 UTC (rev 211434)
+++ trunk/LayoutTests/ChangeLog 2017-01-31 17:21:42 UTC (rev 211435)
@@ -1,3 +1,17 @@
+2017-01-31 Chris Dumez <[email protected]>
+
+ Add better test coverage for scripting windows opened via window.open()
+ https://bugs.webkit.org/show_bug.cgi?id=167531
+
+ Reviewed by Brent Fulgham.
+
+ Add better test coverage for scripting windows opened via window.open().
+
+ * http/tests/security/cross-origin-window-open-insert-script-expected.txt: Added.
+ * http/tests/security/cross-origin-window-open-insert-script.html: Added.
+ * http/tests/security/cross-origin-window-open-_javascript_-url-expected.txt: Added.
+ * http/tests/security/cross-origin-window-open-_javascript_-url.html: Added.
+
2017-01-31 Simon Fraser <[email protected]>
REGRESSION (r209411): Scrolling to a fragment identifier in overflow:scroll inside position:fixed no longer works
Added: trunk/LayoutTests/http/tests/security/cross-origin-window-open-insert-script-expected.txt (0 => 211435)
--- trunk/LayoutTests/http/tests/security/cross-origin-window-open-insert-script-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-window-open-insert-script-expected.txt 2017-01-31 17:21:42 UTC (rev 211435)
@@ -0,0 +1,10 @@
+Tests that inserting a script into newly opened window does not bypass origin checks.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+This test passes unless you see FAIL messages below
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/cross-origin-window-open-insert-script.html (0 => 211435)
--- trunk/LayoutTests/http/tests/security/cross-origin-window-open-insert-script.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-window-open-insert-script.html 2017-01-31 17:21:42 UTC (rev 211435)
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<div id="resultDiv"></div>
+<script>
+description("Tests that inserting a script into newly opened window does not bypass origin checks.");
+debug("This test passes unless you see FAIL messages below");
+jsTestIsAsync = true;
+if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+}
+
+let win = open("about:blank", "one");
+let otherDocument = win.document;
+win.resultDiv = document.getElementById("resultDiv");
+
+let a = otherDocument.createElement("a");
+a.href = ""
+a.click();
+
+window.addEventListener('message', function(e) {
+ testFailed("Script executed in cross origin iframe");
+ testFailed("Retrieved cross-origin window's URL: " + e.data);
+});
+
+it = setInterval(function() {
+ try {
+ win.location.href;
+ } catch (e) {
+ // Window has navigated to cross origin URL.
+ clearInterval(it);
+ try {
+ var script = otherDocument.createElement("script");
+ script.innerText = "opener.postMessage(location.href, '*');";
+ otherDocument.body.append(script);
+ } catch (e) {
+ debug(e);
+ }
+ setTimeout(finishJSTest, 0);
+ }
+}, 10);
+</script>
+<script src=""
+</body>
+</html>
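Review bot: The pass condition inside the `setInterval` callback is only the absence of a `message` event, yet `setTimeout(finishJSTest, 0)` ends the test on the next timer turn after `otherDocument.body.append(script)`. If a regression let the injected script run, the failure would be reported only when the posted message is delivered before that zero-delay timer fires, and nothing visible here guarantees that ordering. A short non-zero delay, or a comment stating why the ordering is safe, would make the negative result trustworthy. A comment above `let otherDocument = win.document;` would also help, for example `// Reference captured while the window is still same-origin about:blank; it must not grant script access after navigation.` Separately, `it` is assigned without a declaration and the inner `catch (e)` shadows the outer `e`; the same points apply to the second HTML test in this commit.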
Added: trunk/LayoutTests/http/tests/security/cross-origin-window-open-_javascript_-url-expected.txt (0 => 211435)
--- trunk/LayoutTests/http/tests/security/cross-origin-window-open-_javascript_-url-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-window-open-_javascript_-url-expected.txt 2017-01-31 17:21:42 UTC (rev 211435)
@@ -0,0 +1,10 @@
+Tests that inserting a script into newly opened window does not bypass origin checks.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+This test passes unless you see FAIL messages below
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/cross-origin-window-open-_javascript_-url.html (0 => 211435)
--- trunk/LayoutTests/http/tests/security/cross-origin-window-open-_javascript_-url.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-window-open-_javascript_-url.html 2017-01-31 17:21:42 UTC (rev 211435)
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<div id="resultDiv"></div>
+<script>
+description("Tests that inserting a script into newly opened window does not bypass origin checks.");
+debug("This test passes unless you see FAIL messages below");
+jsTestIsAsync = true;
+if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+}
+
+let win = open("about:blank", "one");
+let otherDocument = win.document;
+win.resultDiv = document.getElementById("resultDiv");
+
+let a = otherDocument.createElement("a");
+a.href = ""
+a.click();
+
+window.addEventListener('message', function(e) {
+ testFailed("Script executed in cross origin iframe");
+ testFailed("Retrieved cross-origin window's URL: " + e.data);
+});
+
+it = setInterval(function() {
+ try {
+ win.location.href;
+ } catch (e) {
+ // Window has navigated to cross origin URL.
+ clearInterval(it);
+ try {
+ var frame = document.createElement("iframe");
+ frame.src = "" '*')"
+ otherDocument.body.append(frame);
+ } catch (e) {
+ debug(e);
+ }
+ setTimeout(finishJSTest, 0);
+ }
+}, 10);
+</script>
+<script src=""
+</body>
+</html>
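Review bot: The `description(...)` string and both `testFailed` messages are copied unchanged from the script-insertion test, although the inner `try` block here appends an iframe (presumably with a javascript: URL as its `src`, going by the file name), so a failure log will not say which mechanism was exercised. Something like `description("Tests that inserting a javascript: URL iframe into a newly opened window does not bypass origin checks.");` would distinguish the two, with the first line of the matching expected file updated to the same text. The iframe is also created with `document.createElement("iframe")` in the opener's document, whereas the sibling test uses `otherDocument.createElement("script")`. If creating it in the opener's document and adopting it on append is intentional, a one-line comment should say so; otherwise `otherDocument.createElement("iframe")` keeps the two tests parallel.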