Commit 18b6035c authored by mkwst@chromium.org

Drop full URLs from cross-origin access errors caused by protocol mismatches.

https://bugs.webkit.org/show_bug.cgi?id=112894

Reviewed by Timothy Hatcher.

Source/WebCore:

Following up on http://wkbug.com/112813, this patch brings protocol
mismatch errors into line with the new origin-only hotness. The message
is also changed to display the URL's protocol rather than the origin's
protocol: it makes a big difference for 'data:' URLs, for instance.

* page/DOMWindow.cpp:
(WebCore::DOMWindow::crossDomainAccessErrorMessage):

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
* http/tests/security/cross-frame-access-protocol-expected.txt:
* http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* http/tests/security/view-source-no-javascript-url-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt:
* platform/chromium/http/tests/security/window-named-proto-expected.txt:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146516 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 6f1de057
2013-03-21 Mike West <mkwst@chromium.org>
Drop full URLs from cross-origin access errors caused by protocol mismatches.
https://bugs.webkit.org/show_bug.cgi?id=112894
Reviewed by Timothy Hatcher.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
* http/tests/security/cross-frame-access-protocol-expected.txt:
* http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* http/tests/security/view-source-no-javascript-url-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt:
* platform/chromium/http/tests/security/window-named-proto-expected.txt:
2013-03-21 Stephen Chenney <schenney@chromium.org>
SVG text path referencing parent text infinite loops
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to block.
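Review bot: The new cross-origin message in this expected file quotes its values with double quotes ("http://127.0.0.1:8000", "null", "data"), while the XSS Auditor message directly above it still uses single quotes ('Content-Security-Policy'). Settle on one quoting style for console messages, or state in the ChangeLog that the switch is intentional, so the two message families do not drift further apart.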
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to allow.
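Review bot: The XSS Auditor line at the top of this expected file still prints the full blocked URL, query string included, while the cross-origin message below it is now origin-only. The commit title limits the change to cross-origin access errors, so this is not a blocker, but the ChangeLog should say whether the auditor message is deliberately out of scope or due for the same treatment in a follow-up.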
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to block.
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to filter.
CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to invalid.
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to unset.
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to block.
CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to block.
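Review bot: The unchanged 'reflected-xss' message at the top of this expected file reads 'Value values are "allow", "filter", and "block"', which looks like a typo for 'Valid values are'. This patch does not touch that string, but since the baseline is being regenerated here anyway, a follow-up that fixes the message and this expected file together would be cheap.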
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: Loaded cross-origin frame.
Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to block.
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
Tests that 'X-WebKit-CSP: reflected-xss block;' enables the XSSAuditor. This test passes if a console message is generated, and the page is blocked. There should be no content in the IFrame below:
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL https://127.0.0.1:8443/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-protocol.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of 'https'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "https://127.0.0.1:8443". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match.
PASS: Cross frame access to https from http was denied!
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL https://127.0.0.1:8443/security/resources/cross-frame-iframe-with-explicit-domain-set.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-protocol-explicit-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of 'https'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "https://127.0.0.1:8443". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match.
This test currently fails because we check the port and protocol even if document.domain is explicitly set (rdar://problem/5366437).
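Review bot: In the explicit-domain case the replacement line still ends with "Protocols must match.", yet the trailing note in this expected file says the check also considers the port even when document.domain is set, and the two origins shown differ in port (8000 vs 8443) as well as protocol. Consider wording the message so it does not imply that protocol is the only property compared, or mention document.domain when it has been set, so the console text matches what the note says the check does.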
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe.html from frame with URL data:text/html,<html><head><script>window.onload = function(){try {top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.notifyDone();}</script></head><body><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame. It should not have access to it.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
ALERT: PASS: Exception thrown successfully.
The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that the data: URL loaded iframe does not have access to the main frame using top.document.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html from frame with URL data:text/html,<html><head><script>window.onload = function(){try {parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.globalFlag = true;}</script></head><body><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame. It should not have access to it.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
ALERT: PASS: Exception thrown successfully.
Opener Frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html from frame with URL data:text/html,<html><head><script>function test() {try {top.document.getElementById("accessMe").innerHTML = "FAIL: Cross frame access from a data: URL inside another data: URL was allowed.";} catch (e) {}if (window.testRunner)testRunner.notifyDone();}</script></head><body onload="test();"><p>Inner-inner iframe.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
This tests that a data: URL loaded in an iframe inside another data: URL loaded iframe doesn't have access to the main frame.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame.html from frame with URL data:text/html,<html><head><script>function test() {try {parent.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL was allowed.';} catch (e) {}if (window.testRunner)testRunner.notifyDone();}</script></head><body onload="test()"><p>Inner iframe.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
This tests that a data: URL loaded in an iframe doesn't have access to its parent's frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-javascript-url-window-open.html from frame with URL data:text/html,<html><head><script>function test() {try {opener.document.getElementById("accessMe").innerHTML = "FAIL: Access from a window opened with a data: URL was allowed!";} catch (e) {}if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload="test();"><p>Opened Frame.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
Opener Frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function loaded() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload='loaded();'><p id='accessMe'>PASS: Cross frame access from a frame on a foreign domain denied!</p><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access. It should not have access to it.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that this main document does not have access to that data: URL loaded iframe.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function loaded() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload='loaded();'><p id='accessMe'>PASS: Cross frame access from a frame on a foreign domain denied!</p><p>Inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access. It should not have access to it.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
Opener frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function loaded() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload='loaded();'><p id='accessMe'>PASS: Access from the main frame was denied!</p><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access. It should not have access to it.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
PASS: Cross frame access to a data: URL embed in a frame window.open'ed on foreign domain denied!
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload="fireSentinel();"><p id="accessMe">PASS: Cross frame access to a data: URL 2 levels deep was denied.</p><p>Inner-inner iframe.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
This tests that the main frame doesn't have access to a data: URL loaded in an iframe inside another data: URL loaded iframe.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><script>onload = function() { parent.postMessage('LOADED', '*'); } </script><body><p id='accessMe'></p><p>Inner iframe.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><script>onload = function() { parent.postMessage('LOADED', '*'); } </script><body><p id='accessMe'></p><p>Inner iframe.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page using the uppercased variant DATA:
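Review bot: the expectation for the uppercase DATA: variant reports a protocol of "data" in lower case, so the message is built from the frame URL's normalized scheme rather than from the spelling used in the page. That behaviour is only implicit in this expected output; a short comment in DOMWindow::crossDomainAccessErrorMessage stating that the reported protocol comes from the frame's URL, not from its origin, would make it clear why a frame with origin "null" is shown with a protocol of "data".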
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload="fireSentinel();"><p>Opened Frame</p><p id='accessMe'>PASS: Cross frame access from an opener frame was denied</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
Opener Frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/view-source-no-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "http". Protocols must match.
This test passes if it does not alert FAIL.
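Review bot: the updated expectation for view-source-no-javascript-url.html contradicts itself: it reports a protocol of "http" for both the requesting frame and the frame being accessed, then ends with "Protocols must match." The accessed frame has origin "null" while its URL is http, so once the message prints the URL's protocol instead of the origin's, the protocol-mismatch wording no longer explains why access was denied. Suggest emitting this wording only when the two URL protocols actually differ, and falling back to the generic "Protocols, domains, and ports must match." text (or a message specific to unique origins) in this case, with the expectation updated to match.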
......
CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
PASS xssed.contentDocument is null
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-referrer.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
PASS frame.contentDocument is null
PASS successfullyParsed is true
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-base-href.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-iframe-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-javascript-link.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-link-onclick.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-object-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-with-source.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E
There should be no content in the iframe below:
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-03.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon following mode=blank. Although theoretically malformed, we tolerate this case without issuing an error.
......
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-04.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
This tests that the X-XSS-Protection header is not ignored when the report and mode directives are swapped.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe.html from frame with URL data:text/html,<html><head><script>window.onload = function(){try {top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.notifyDone();}</script></head><body><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame. It should not have access to it.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
ALERT: PASS: Exception thrown successfully.
The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that the data: URL loaded iframe does not have access to the main frame using top.document.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html from frame with URL data:text/html,<html><head><script>window.onload = function(){try {parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.globalFlag = true;}</script></head><body><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame. It should not have access to it.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
ALERT: PASS: Exception thrown successfully.
Opener Frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html from frame with URL data:text/html,<html><head><script>function test() {try {top.document.getElementById("accessMe").innerHTML = "FAIL: Cross frame access from a data: URL inside another data: URL was allowed.";} catch (e) {}if (window.testRunner)testRunner.notifyDone();}</script></head><body onload="test();"><p>Inner-inner iframe.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
This tests that a data: URL loaded in an iframe inside another data: URL loaded iframe doesn't have access to the main frame.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame.html from frame with URL data:text/html,<html><head><script>function test() {try {parent.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL was allowed.';} catch (e) {}if (window.testRunner)testRunner.notifyDone();}</script></head><body onload="test()"><p>Inner iframe.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
This tests that a data: URL loaded in an iframe doesn't have access to its parent's frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-javascript-url-window-open.html from frame with URL data:text/html,<html><head><script>function test() {try {opener.document.getElementById("accessMe").innerHTML = "FAIL: Access from a window opened with a data: URL was allowed!";} catch (e) {}if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload="test();"><p>Opened Frame.</p></body></html>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://127.0.0.1:8000". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
Opener Frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function loaded() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload='loaded();'><p id='accessMe'>PASS: Cross frame access from a frame on a foreign domain denied!</p><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access. It should not have access to it.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that this main document does not have access to that data: URL loaded iframe.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function loaded() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload='loaded();'><p id='accessMe'>PASS: Cross frame access from a frame on a foreign domain denied!</p><p>Inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access. It should not have access to it.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
Opener frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function loaded() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload='loaded();'><p id='accessMe'>PASS: Access from the main frame was denied!</p><p>Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access. It should not have access to it.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
PASS: Cross frame access to a data: URL embed in a frame window.open'ed on foreign domain denied!
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload="fireSentinel();"><p id="accessMe">PASS: Cross frame access to a data: URL 2 levels deep was denied.</p><p>Inner-inner iframe.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
This tests that the main frame doesn't have access to a data: URL loaded in an iframe inside another data: URL loaded iframe.
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><script>onload = function() { parent.postMessage('LOADED', '*'); } </script><body><p id='accessMe'></p><p>Inner iframe.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><script>onload = function() { parent.postMessage('LOADED', '*'); } </script><body><p id='accessMe'></p><p>Inner iframe.</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page using the uppercased variant DATA:
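Review bot: this expectation for the uppercase DATA: variant reports the accessed frame's protocol as lowercase "data", so the test now depends on the URL's protocol being reported in normalized lowercase form. The old message printed the origin's empty protocol and had no such dependency. Consider saying so in the test description or the ChangeLog, so that a later change in protocol casing is recognized as a behavior change and not rebaselined silently.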
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<html><head><script>function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}</script></head><body onload="fireSentinel();"><p>Opened Frame</p><p id='accessMe'>PASS: Cross frame access from an opener frame was denied</p></body></html> from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
Opener Frame
......
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/inactive-document-with-empty-security-origin.html#stop. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "about". Protocols must match.
This test passes if it doesn't alert something ugly.
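Review bot: in the new expectation the accessed about:blank frame is reported with origin "null" and protocol "about", followed by "Protocols must match." As the test name says, the block here comes from the inactive document's empty security origin, and about:blank documents normally inherit their creator's origin. Telling the developer to match protocols is therefore misleading. Consider a separate message for empty or unique origins instead of routing this case through the protocol-mismatch branch.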
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim-with-iframe.html from frame with URL data:text/html,<script>(function () { setTimeout(function() { if (window.testRunner) testRunner.notifyDone(); }, 0); window.name = "__proto__"; parent.__proto__.alert.constructor("alert(document.body.innerHTML)")(); })()</script>. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
CONSOLE MESSAGE: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
CONSOLE MESSAGE: line 1: Uncaught TypeError: Cannot read property 'alert' of undefined
2013-03-21 Mike West <mkwst@chromium.org>
Drop full URLs from cross-origin access errors caused by protocol mismatches.
https://bugs.webkit.org/show_bug.cgi?id=112894
Reviewed by Timothy Hatcher.
Following up on http://wkbug.com/112813, this patch brings protocol
mismatch errors into line with the new origin-only hotness. The message
is also changed to display the URL's protocol rather than the origin's
protocol: it makes a big difference for 'data:' URLs, for instance.
* page/DOMWindow.cpp:
(WebCore::DOMWindow::crossDomainAccessErrorMessage):
2013-03-21 Stephen Chenney <schenney@chromium.org>
SVG text path referencing parent text infinite loops
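Review bot: the entry explains why the URL's protocol is displayed but gives no reason for dropping full URLs, other than a pointer to wkbug.com/112813. The old expectations in this patch show whole data: documents, inline script included, being echoed into the console message. One sentence stating that rationale would make the entry self-contained. The entry also does not mention that the quoting around the protocol values changes from single to double quotes.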
......@@ -1831,11 +1831,15 @@ String DOMWindow::crossDomainAccessErrorMessage(DOMWindow* activeWindow)
SecurityOrigin* activeOrigin = activeWindow->document()->securityOrigin();
SecurityOrigin* targetOrigin = document()->securityOrigin();
KURL activeURL = activeWindow->document()->url();
KURL targetURL = document()->url();
message = "Blocked a frame with origin \"" + activeOrigin->toString() + "\" from accessing a frame with origin \"" + targetOrigin->toString() + "\". ";
// Protocol errors: Use the URL's protocol rather than the origin's protocol so that we get a useful message for non-heirarchal URLs like 'data:'.
if (targetOrigin->protocol() != activeOrigin->protocol())
return message + " The frame requesting access has a protocol of '" + activeOrigin->protocol() + "', the frame being accessed has a protocol of '" + targetOrigin->protocol() + "'. Protocols must match.\n";
return message + " The frame requesting access has a protocol of \"" + activeURL.protocol() + "\", the frame being accessed has a protocol of \"" + targetURL.protocol() + "\". Protocols must match.\n";
// 'document.domain' errors.
message = "Blocked a frame with origin \"" + activeOrigin->toString() + "\" from accessing a frame with origin \"" + targetOrigin->toString() + "\". ";
if (targetOrigin->domainWasSetInDOM() && activeOrigin->domainWasSetInDOM())
return message + "The frame requesting access set \"document.domain\" to \"" + activeOrigin->domain() + "\", the frame being accessed set it to \"" + targetOrigin->domain() + "\". Both must set \"document.domain\" to the same value to allow access.";
if (activeOrigin->domainWasSetInDOM())
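Review bot: the condition still compares targetOrigin->protocol() with activeOrigin->protocol(), but the returned text now prints activeURL.protocol() and targetURL.protocol(). The two can disagree. The old expectations show an origin protocol of '' for frames whose URL protocol is "data", so a frame with an empty origin protocol and an http URL (a unique origin, for example) would take this branch against an http target and report "http" on both sides, followed by "Protocols must match." Either compare the same values that are printed, or handle the empty-origin case before this check. Smaller points: message already ends in ". " and the appended string starts with " The frame", which yields a doubled space; the protocol message ends in "\n" while the document.domain message below does not; and "non-heirarchal" in the comment should read "non-hierarchical".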
......