| <!DOCTYPE html> |
| <html> |
| <head> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.setXSSAuditorEnabled(true); |
| } |
| </script> |
| </head> |
| <body> |
| <iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3clink%20rel=%22import%22%20href=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3e"> |
| </iframe> |
| <p>This test passes if the XSSAuditor blocks the load prior to the CORS restriction kicking in. We've not bothered to enable |
| CORS for this test, unlike what a real attacker would do, so a CORS error here means failure. |
| </body> |
| </html> |