<!DOCTYPE html>
<html>
<head>
<title>postMessage message receiver</title>
<script type="application/javascript" src="browserFu.js"></script>
<script type="application/javascript">
/**
 * Shorthand for document.getElementById.
 *
 * @param {string} id - id attribute of the element to look up.
 * @returns {?Element} whatever document.getElementById yields for that id.
 */
function $(id) {
  const element = document.getElementById(id);
  return element;
}
/**
 * Load handler: writes this frame's "hostname:port" into the #domain heading,
 * so the page shows which host and port the receiver was loaded from.
 * An empty location.port is displayed as 80.
 */
function setup() {
  const heading = $("domain");
  const shownPort = location.port || 80;
  heading.textContent = location.hostname + ":" + shownPort;
}
/**
 * "message" listener for this test frame.
 *
 * Builds a reply that starts with the payload plus "-response" and gains one
 * fragment per property of the MessageEvent that is not what the test expects
 * (lastEventId, source, isTrusted, type). The payload then selects the
 * same-domain or cross-domain check; any other payload is reported straight
 * back to the parent.
 *
 * Security note: nothing here rejects a message based on evt.origin. The
 * origin is compared only in receiveSame/receiveCross, and a mismatch is
 * reported rather than refused. That suits a fixture whose job is to report
 * anomalies; a handler that acts on evt.data should validate evt.origin
 * first. The fallback reply is sent with a fixed targetOrigin.
 *
 * @param {MessageEvent} evt - the message event delivered to this window.
 */
function receiveMessage(evt) {
  // One entry per fragment; joined with "" this equals the original string.
  const fragments = [evt.data + "-response"];

  if (evt.lastEventId !== "") {
    fragments.push(" wrong-lastEventId(" + evt.lastEventId + ")");
  }

  // The sender is expected to be the embedding window.
  if (evt.source !== window.parent) {
    fragments.push(" unexpected-source(" + evt.source + ")");
    fragments.push(" window-parent-is(" + window.parent + ")");
    fragments.push(" location(" + window.location.href + ")");
  }

  // isMozilla is not defined in this file (presumably browserFu.js sets it).
  // When it is truthy, isTrusted is expected to be false.
  if (isMozilla && evt.isTrusted !== false) {
    fragments.push(" unexpected-trusted");
  }

  // Loose comparisons are kept exactly as the fixture wrote them.
  if (evt.type != "message") {
    fragments.push(" wrong-type(" + evt.type + ")");
  }

  const payload = evt.data;
  if (payload == "post-to-other-same-domain") {
    receiveSame(evt, fragments.join(""));
    return;
  }
  if (payload == "post-to-other-cross-domain") {
    receiveCross(evt, fragments.join(""));
    return;
  }

  // Unknown payload: report it to the parent, pinned to the expected origin.
  fragments.push(" unexpected-message-to(" + window.location.href + ")");
  window.parent.postMessage(fragments.join(""), "http://mochi.test:8888");
}
/**
 * Same-domain check: the sender's privateVariable is expected to be readable
 * and identical to window.parent.privateVariable.
 *
 * " accessed-source!!!" is appended when the read throws or the values
 * differ. In this function that label therefore marks a failed or
 * mismatching read. An origin other than http://mochi.test:8888 is reported
 * as " unexpected-origin(...)" but does not stop the check.
 *
 * The reply is sent from a finally block, so the sender gets whatever has
 * been collected even if a step above throws. The targetOrigin is evt.origin,
 * not a wildcard.
 *
 * @param {MessageEvent} evt - event whose source/origin are examined.
 * @param {string} response - reply text accumulated so far by the caller.
 */
function receiveSame(evt, response) {
  const sender = evt.source;
  let report = response;

  try {
    if (evt.origin != "http://mochi.test:8888") {
      report += " unexpected-origin(" + evt.origin + ")";
    }

    let readFailed = false;
    let observed;
    try {
      observed = sender.privateVariable;
    } catch (ignored) {
      readFailed = true;
    }

    const matchesParent = observed === window.parent.privateVariable;
    if (readFailed || !matchesParent) {
      report += " accessed-source!!!";
    }
  } finally {
    sender.postMessage(report, evt.origin);
  }
}
/**
 * Cross-domain check: reading privateVariable from the sender is expected to
 * throw.
 *
 * " accessed-source!!!" is appended when the read does not throw or yields
 * anything other than undefined, meaning the cross-origin read was not
 * blocked. An origin other than http://mochi.test:8888 is reported as
 * " unexpected-origin(...)" but does not stop the check.
 *
 * The reply goes to the sender with evt.origin as targetOrigin, not a
 * wildcard.
 *
 * @param {MessageEvent} evt - event whose source/origin are examined.
 * @param {string} response - reply text accumulated so far by the caller.
 */
function receiveCross(evt, response) {
  const sender = evt.source;
  let report = response;

  if (evt.origin != "http://mochi.test:8888") {
    report += " unexpected-origin(" + evt.origin + ")";
  }

  let blocked = false;
  let leaked;
  try {
    leaked = sender.privateVariable;
  } catch (ignored) {
    blocked = true;
  }

  // Anything short of "threw and nothing was read" counts as a leak.
  const isolated = blocked && leaked === undefined;
  if (!isolated) {
    report += " accessed-source!!!";
  }

  sender.postMessage(report, evt.origin);
}
// Wire up the frame: "load" fills in the host heading, "message" runs the
// postMessage checks. Both listeners are registered as non-capturing.
for (const [eventName, handler] of [["load", setup], ["message", receiveMessage]]) {
  window.addEventListener(eventName, handler, false);
}
</script>
</head>
<body>
<h1 id="domain"></h1>
</body>
</html>