Changeset 272607 in webkit

Timestamp:

Feb 9, 2021, 1:21:26 PM (5 years ago)

Author:

Chris Dumez

Message:

Disallow alert/confirm/prompt in cross-origin-domain subframes
​https://bugs.webkit.org/show_bug.cgi?id=221568

Reviewed by Geoff Garen.

Source/WebCore:

Disallow alert/confirm/prompt in cross-origin-domain subframes as per the latest HTML specification:

• ​https://github.com/whatwg/html/pull/6297

Tests: http/tests/security/cross-origin-js-prompt-forbidden.html

http/tests/security/same-origin-different-domain-js-prompt-forbidden.html

• page/DOMWindow.cpp:

(WebCore::DOMWindow::alert):
(WebCore::DOMWindow::confirmForBindings):
(WebCore::DOMWindow::prompt):

• page/SecurityOrigin.cpp:
• page/SecurityOrigin.h:

LayoutTests:

Add layout test coverage and update existing tests to stop using alert() in cross-origin iframes.

• fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt:
• fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html:
• fast/events/popup-when-select-change-expected.txt:
• fast/events/popup-when-select-change.html:
• fast/events/resize-subframe-expected.txt:
• fast/events/resize-subframe.html:
• fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt:
• fast/forms/autofocus-in-sandbox-with-allow-scripts.html:
• fast/frames/resources/navigate-top-by-name-to-fail.html:
• fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt:
• http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html:
• http/tests/cookies/third-party-cookie-relaxing-expected.txt:
• http/tests/history/cross-origin-replace-history-object-child-expected.txt:
• http/tests/history/cross-origin-replace-history-object-expected.txt:
• http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html:
• http/tests/history/resources/cross-origin-replaces-history-object-iframe.html:
• http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html:
• http/tests/plugins/third-party-cookie-accept-policy-expected.txt:
• http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt:
• http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt:
• http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt:
• http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt:
• http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt:
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt:
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt:
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt:
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt:
• http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt:
• http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt:
• http/tests/security/contentSecurityPolicy/resources/alert-fail.html:
• http/tests/security/contentSecurityPolicy/resources/alert-fail.js:

(catch):

• http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
• http/tests/security/contentSecurityPolicy/resources/alert-pass.js:

(catch):

• http/tests/security/contentSecurityPolicy/resources/sandbox.php:
• http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
• http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt:
• http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt:
• http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt:
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt:
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt:
• http/tests/security/cross-origin-js-prompt-forbidden-expected.txt: Added.
• http/tests/security/cross-origin-js-prompt-forbidden.html: Added.
• http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html:
• http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html:
• http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
• http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
• http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html:
• http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt:
• http/tests/security/resources/cross-origin-js-prompt-forbidden.html: Added.
• http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt: Added.
• http/tests/security/same-origin-different-domain-js-prompt-forbidden.html: Added.
• http/tests/security/xssAuditor/base-href-control-char-expected.txt:
• http/tests/security/xssAuditor/base-href-direct-expected.txt:
• http/tests/security/xssAuditor/base-href-expected.txt:
• http/tests/security/xssAuditor/base-href-null-char-expected.txt:
• http/tests/security/xssAuditor/base-href-safe-expected.txt:
• http/tests/security/xssAuditor/base-href-safe2-expected.txt:
• http/tests/security/xssAuditor/base-href-safe3-expected.txt:
• http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
• http/tests/security/xssAuditor/cached-frame-expected.txt:
• http/tests/security/xssAuditor/cached-frame.html:
• http/tests/security/xssAuditor/cookie-injection-expected.txt:
• http/tests/security/xssAuditor/data-urls-work-expected.txt:
• http/tests/security/xssAuditor/data-urls-work.html:
• http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt:
• http/tests/security/xssAuditor/dom-write-innerHTML.html:
• http/tests/security/xssAuditor/form-action-expected.txt:
• http/tests/security/xssAuditor/formaction-on-button-expected.txt:
• http/tests/security/xssAuditor/formaction-on-input-expected.txt:
• http/tests/security/xssAuditor/javascript-link-safe-expected.txt:
• http/tests/security/xssAuditor/javascript-link-safe.html:
• http/tests/security/xssAuditor/property-escape-noquotes-expected.txt:
• http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt:
• http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html:
• http/tests/security/xssAuditor/property-escape-noquotes.html:
• http/tests/security/xssAuditor/property-inject-expected.txt:
• http/tests/security/xssAuditor/property-inject.html:
• http/tests/security/xssAuditor/resources/base-href/really-safe-script.js:
• http/tests/security/xssAuditor/resources/base-href/safe-script.js:
• http/tests/security/xssAuditor/resources/echo-intertag.pl:
• http/tests/security/xssAuditor/resources/javascript-link-safe.html:
• http/tests/security/xssAuditor/resources/nph-cached.pl:
• http/tests/security/xssAuditor/resources/safe-script-noquotes.js:
• http/tests/security/xssAuditor/resources/safe-script.js:
• http/tests/security/xssAuditor/resources/script-tag-safe2.html:
• http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
• http/tests/security/xssAuditor/script-tag-near-start.html:
• http/tests/security/xssAuditor/script-tag-safe2-expected.txt:
• http/tests/security/xssAuditor/script-tag-safe2.html:
• http/tests/security/xssAuditor/script-tag-safe3-expected.txt:
• http/tests/security/xssAuditor/script-tag-safe3.html:
• http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt:
• http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
• http/tests/security/xssAuditor/script-tag-with-injected-comment.html:
• http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt:
• platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (modified) (1 diff)
• LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html (modified) (1 diff)
• LayoutTests/fast/events/popup-when-select-change-expected.txt (modified) (1 diff)
• LayoutTests/fast/events/popup-when-select-change.html (modified) (1 diff)
• LayoutTests/fast/events/resize-subframe-expected.txt (modified) (1 diff)
• LayoutTests/fast/events/resize-subframe.html (modified) (1 diff)
• LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt (modified) (1 diff)
• LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html (modified) (1 diff)
• LayoutTests/fast/frames/resources/navigate-top-by-name-to-fail.html (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-scripting-02-expected.txt (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-scripting-02.html (modified) (1 diff)
• LayoutTests/http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html (modified) (4 diffs)
• LayoutTests/http/tests/cookies/third-party-cookie-relaxing-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/history/cross-origin-replace-history-object-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html (modified) (2 diffs)
• LayoutTests/http/tests/history/resources/cross-origin-replaces-history-object-iframe.html (modified) (1 diff)
• LayoutTests/http/tests/misc/frame-default-enc-different-domain-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/misc/frame-default-enc-same-domain-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/misc/resources/frame-default-enc-frame.html (modified) (1 diff)
• LayoutTests/http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html (modified) (2 diffs)
• LayoutTests/http/tests/plugins/third-party-cookie-accept-policy-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.js (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandbox.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-put-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden-expected.txt (added)
• LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden.html (added)
• LayoutTests/http/tests/security/data-url-inline.css-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/data-url-inline.css.html (modified) (1 diff)
• LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html (modified) (1 diff)
• LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html (modified) (1 diff)
• LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/drag-drop-local-file-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/drag-drop-same-unique-origin-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html (modified) (3 diffs)
• LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html (modified) (1 diff)
• LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/no-popup-from-sandbox-top.html (modified) (1 diff)
• LayoutTests/http/tests/security/no-popup-from-sandbox.html (modified) (1 diff)
• LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html (modified) (2 diffs)
• LayoutTests/http/tests/security/resources/cross-origin-js-prompt-forbidden.html (added)
• LayoutTests/http/tests/security/resources/drag-drop-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/drag-drop.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/sandboxed-iframe-ALLOWED-modals-iframe.html (added)
• LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt (added)
• LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden.html (added)
• LayoutTests/http/tests/security/sandboxed-iframe-ALLOWED-modals.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-window-index-assign-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-safe2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/cached-frame.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/data-urls-work.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/javascript-link-safe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-inject.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/base-href/really-safe-script.js (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/base-href/safe-script.js (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (modified) (4 diffs)
• LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/nph-cached.pl (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/safe-script.js (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt (modified) (1 diff)
• LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt (modified) (1 diff)
• LayoutTests/plugins/fullscreen-plugins-dont-reload-expected.txt (modified) (1 diff)
• LayoutTests/plugins/plugin-document-back-forward-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/DOMWindow.cpp (modified) (3 diffs)
• Source/WebCore/page/SecurityOrigin.h (modified) (1 diff)
• Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-02-09  Chris Dumez  <cdumez@apple.com>
+
+        Disallow alert/confirm/prompt in cross-origin-domain subframes
+        https://bugs.webkit.org/show_bug.cgi?id=221568
+
+        Reviewed by Geoff Garen.
+
+        Add layout test coverage and update existing tests to stop using alert() in cross-origin iframes.
+
+        * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt:
+        * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html:
+        * fast/events/popup-when-select-change-expected.txt:
+        * fast/events/popup-when-select-change.html:
+        * fast/events/resize-subframe-expected.txt:
+        * fast/events/resize-subframe.html:
+        * fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt:
+        * fast/forms/autofocus-in-sandbox-with-allow-scripts.html:
+        * fast/frames/resources/navigate-top-by-name-to-fail.html:
+        * fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt:
+        * http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html:
+        * http/tests/cookies/third-party-cookie-relaxing-expected.txt:
+        * http/tests/history/cross-origin-replace-history-object-child-expected.txt:
+        * http/tests/history/cross-origin-replace-history-object-expected.txt:
+        * http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html:
+        * http/tests/history/resources/cross-origin-replaces-history-object-iframe.html:
+        * http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html:
+        * http/tests/plugins/third-party-cookie-accept-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt:
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/resources/alert-fail.html:
+        * http/tests/security/contentSecurityPolicy/resources/alert-fail.js:
+        (catch):
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.js:
+        (catch):
+        * http/tests/security/contentSecurityPolicy/resources/sandbox.php:
+        * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt:
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt:
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt:
+        * http/tests/security/cross-origin-js-prompt-forbidden-expected.txt: Added.
+        * http/tests/security/cross-origin-js-prompt-forbidden.html: Added.
+        * http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html:
+        * http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
+        * http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html:
+        * http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt:
+        * http/tests/security/resources/cross-origin-js-prompt-forbidden.html: Added.
+        * http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt: Added.
+        * http/tests/security/same-origin-different-domain-js-prompt-forbidden.html: Added.
+        * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-direct-expected.txt:
+        * http/tests/security/xssAuditor/base-href-expected.txt:
+        * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-safe-expected.txt:
+        * http/tests/security/xssAuditor/base-href-safe2-expected.txt:
+        * http/tests/security/xssAuditor/base-href-safe3-expected.txt:
+        * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
+        * http/tests/security/xssAuditor/cached-frame-expected.txt:
+        * http/tests/security/xssAuditor/cached-frame.html:
+        * http/tests/security/xssAuditor/cookie-injection-expected.txt:
+        * http/tests/security/xssAuditor/data-urls-work-expected.txt:
+        * http/tests/security/xssAuditor/data-urls-work.html:
+        * http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-innerHTML.html:
+        * http/tests/security/xssAuditor/form-action-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-safe-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-safe.html:
+        * http/tests/security/xssAuditor/property-escape-noquotes-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html:
+        * http/tests/security/xssAuditor/property-escape-noquotes.html:
+        * http/tests/security/xssAuditor/property-inject-expected.txt:
+        * http/tests/security/xssAuditor/property-inject.html:
+        * http/tests/security/xssAuditor/resources/base-href/really-safe-script.js:
+        * http/tests/security/xssAuditor/resources/base-href/safe-script.js:
+        * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+        * http/tests/security/xssAuditor/resources/javascript-link-safe.html:
+        * http/tests/security/xssAuditor/resources/nph-cached.pl:
+        * http/tests/security/xssAuditor/resources/safe-script-noquotes.js:
+        * http/tests/security/xssAuditor/resources/safe-script.js:
+        * http/tests/security/xssAuditor/resources/script-tag-safe2.html:
+        * http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-near-start.html:
+        * http/tests/security/xssAuditor/script-tag-safe2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-safe2.html:
+        * http/tests/security/xssAuditor/script-tag-safe3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-safe3.html:
+        * http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-injected-comment.html:
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt:
+        * platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt:
+
 2021-02-09  Peng Liu  <peng.liu6@apple.com>
 

trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>alert(window.open('about:blank', 'A') ?%20'FAIL'%20:%20'PASS');%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>console.log(window.open('about:blank', 'A') ?%20'FAIL'%20:%20'PASS');%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
 
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html

@@ -12 +12 @@
 <body>
 <iframe name="A"></iframe>
-<iframe name="B" src="data:text/html,<script>alert(window.open('about:blank', 'A') ? 'FAIL' : 'PASS');</script>"></iframe>
+<iframe name="B" src="data:text/html,<script>console.log(window.open('about:blank', 'A') ? 'FAIL' : 'PASS');</script>"></iframe>
 </body>
 </html>

trunk/LayoutTests/fast/events/popup-when-select-change-expected.txt

@@ -1 @@
-ALERT: PASSED
+CONSOLE MESSAGE: PASSED
  If the pop-up was not blocked then there will be an PASS message. Otherwise, the test fails.
 

trunk/LayoutTests/fast/events/popup-when-select-change.html

@@ -39 +39 @@
 <select onchange="onpopup()" id="control1"><option value="0">abcd</option><option value="0">efgh</option></select>
 If the pop-up was not blocked then there will be an PASS message. Otherwise, the test fails.
-<form id="form" action="data:text/html,<script>alert('PASSED')</script>" target="target">
+<form id="form" action="data:text/html,<script>console.log('PASSED')</script>" target="target">
 <input id="control2" type="submit" value="Submit to new window"/>
 </form>

trunk/LayoutTests/fast/events/resize-subframe-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/fast/events/resize-subframe.html

@@ -19 +19 @@
                     if (window.testRunner)
                     {
-                        alert('PASS');
+                        console.log('PASS');
                         testRunner.notifyDone();
                     }

trunk/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt

@@ -1 @@
-ALERT: INPUT
+CONSOLE MESSAGE: INPUT
 This test passes if the activeElement is the input element rather than the body (which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set).

trunk/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html

@@ -6 +6 @@
 (which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set).
 <iframe sandbox="allow-scripts allow-modals"
-    src="data:text/html,<input autofocus onfocus><script>window.onload = function() { alert(document.activeElement.tagName) }</script>"></iframe>
+    src="data:text/html,<input autofocus onfocus><script>window.onload = function() { console.log(document.activeElement.tagName) }</script>"></iframe>

trunk/LayoutTests/fast/frames/resources/navigate-top-by-name-to-fail.html

@@ -1 +1 @@
 <script>
 if (window.open("fail-and-notify-done.html", "target"))
-    alert("FAIL");
+    console.log("FAIL");
 if (window.open("fail-and-notify-done.html", "_top"))
-    alert("FAIL");
+    console.log("FAIL");
 if (window.open("fail-and-notify-done.html", "_parent"))
-    alert("FAIL");
+    console.log("FAIL");
 if (window.open("fail-and-notify-done.html", "_blank"))
-    alert("FAIL");
-alert("PASS");
+    console.log("FAIL");
+console.log("PASS");
 </script>

trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt

@@ -7 +7 @@
 
 CONSOLE MESSAGE: Blocked opening 'fail-and-notify-done.html' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 This test verifies that a sandboxed IFrame cannot navigate the top-level frame without allow-top-navigation. This test passes if the navigation does not occur.
 

trunk/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt

@@ -1 @@
-ALERT: PASS: Form feed is a delimiter.
+CONSOLE MESSAGE: PASS: Form feed is a delimiter.
 CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scripts
 allow-forms' is an invalid sandbox flag.
-CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL: Vertical tab is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
-ALERT: PASS: Newline is a delimiter.
-ALERT: PASS: Return is a delimiter.
+CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>console.log('FAIL: Vertical tab is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+CONSOLE MESSAGE: PASS: Newline is a delimiter.
+CONSOLE MESSAGE: PASS: Return is a delimiter.
 CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsxallow-forms' is an invalid sandbox flag.
-CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL: x is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
-ALERT: PASS: Tab is a delimiter.
-ALERT: PASS: Space is a delimiter character.
+CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>console.log('FAIL: x is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+CONSOLE MESSAGE: PASS: Tab is a delimiter.
+CONSOLE MESSAGE: PASS: Space is a delimiter character.
 This tests whether we correct parse various space characters in the sandbox attribute.
 

trunk/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html

@@ -26 +26 @@
     var iframe = document.createElement('iframe');
     iframe.sandbox = policy;
-    iframe.src = "data:text/html,<script>alert('" + message + "');<\/script>";
+    iframe.src = "data:text/html,<script>console.log('" + message + "');<\/script>";
     iframe.onload = next;
     document.body.appendChild(iframe);

trunk/LayoutTests/fast/frames/sandboxed-iframe-scripting-02-expected.txt

@@ -1 @@
-ALERT: PASS: Executed script in data URL
+CONSOLE MESSAGE: PASS: Executed script in data URL
 Verify that sandboxed frames with sandbox='allow-scripts' can execute script from data: URLs.
 

trunk/LayoutTests/fast/frames/sandboxed-iframe-scripting-02.html

@@ -25 +25 @@
 <body>
     <iframe sandbox="allow-same-origin allow-scripts allow-modals"
-            src="data:text/html,<script>alert('PASS: Executed script in data URL');window.parent.postMessage({'pass': true}, '*');</script>">
+            src="data:text/html,<script>console.log('PASS: Executed script in data URL');window.parent.postMessage({'pass': true}, '*');</script>">
     </iframe>
     <script>

trunk/LayoutTests/http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html

@@ -19 +19 @@
         return;
     } else
-        alert("Unknown message.");
+        console.log("Unknown message.");
 }
 
@@ -32 +32 @@
 function showCookies()
 {
-    alert("Test stage " + stage++ + " document.cookie is: " + sortCookie(document.cookie));
+    console.log("Test stage " + stage++ + " document.cookie is: " + sortCookie(document.cookie));
     parent.window.postMessage("done", "*");
 }
@@ -40 +40 @@
     var baseurl = "http://localhost:8000/cookies/resources/cookie-utility.php";
     var url = queryCommand ? baseurl + "?queryfunction=" + queryCommand : baseurl;
-    alert(url);
+    console.log(url);
     var req = new XMLHttpRequest();
     req.open('GET', url, false);
@@ -46 +46 @@
 
     if (req.status == 200)
-        alert("XHR response - " + req.responseText);
+        console.log("XHR response - " + req.responseText);
     else
-        alert("xhr error");
+        console.log("xhr error");
     
     parent.window.postMessage("done", "*");    

trunk/LayoutTests/http/tests/cookies/third-party-cookie-relaxing-expected.txt

@@ -2 +2 @@
 
 ALERT: Allowing all cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
-ALERT: XHR response - Deleted all cookies
-ALERT: Test stage 1 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
+CONSOLE MESSAGE: XHR response - Deleted all cookies
+CONSOLE MESSAGE: Test stage 1 document.cookie is:
 ALERT: Restricting to first party only cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
-ALERT: XHR response - Set the foo cookie
-ALERT: Test stage 2 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+CONSOLE MESSAGE: XHR response - Set the foo cookie
+CONSOLE MESSAGE: Test stage 2 document.cookie is:
 ALERT:
 
 ALERT: Allowing all cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
-ALERT: XHR response - Deleted all cookies
-ALERT: Test stage 3 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
+CONSOLE MESSAGE: XHR response - Deleted all cookies
+CONSOLE MESSAGE: Test stage 3 document.cookie is:
 ALERT: Restricting to first party only cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooAndBarCookie
-ALERT: XHR response - Set the foo and bar cookies
-ALERT: Test stage 4 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooAndBarCookie
+CONSOLE MESSAGE: XHR response - Set the foo and bar cookies
+CONSOLE MESSAGE: Test stage 4 document.cookie is:
 ALERT:
 
 ALERT: Allowing all cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
-ALERT: XHR response - Deleted all cookies
-ALERT: Test stage 5 document.cookie is:
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
-ALERT: XHR response - Set the foo cookie
-ALERT: Test stage 6 document.cookie is: foo=awesomevalue
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
+CONSOLE MESSAGE: XHR response - Deleted all cookies
+CONSOLE MESSAGE: Test stage 5 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+CONSOLE MESSAGE: XHR response - Set the foo cookie
+CONSOLE MESSAGE: Test stage 6 document.cookie is: foo=awesomevalue
 ALERT: Restricting to first party only cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
-ALERT: XHR response - Deleted all cookies
-ALERT: Test stage 7 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
+CONSOLE MESSAGE: XHR response - Deleted all cookies
+CONSOLE MESSAGE: Test stage 7 document.cookie is:
 ALERT:
 
 ALERT: Allowing all cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
-ALERT: XHR response - Deleted all cookies
-ALERT: Test stage 8 document.cookie is:
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
-ALERT: XHR response - Set the foo cookie
-ALERT: Test stage 9 document.cookie is: foo=awesomevalue
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=deleteCookies
+CONSOLE MESSAGE: XHR response - Deleted all cookies
+CONSOLE MESSAGE: Test stage 8 document.cookie is:
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+CONSOLE MESSAGE: XHR response - Set the foo cookie
+CONSOLE MESSAGE: Test stage 9 document.cookie is: foo=awesomevalue
 ALERT: Restricting to first party only cookies
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooAndBarCookie
-ALERT: XHR response - Set the foo and bar cookies
-ALERT: Test stage 10 document.cookie is: bar=anotherawesomevalue; foo=awesomevalue
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooAndBarCookie
+CONSOLE MESSAGE: XHR response - Set the foo and bar cookies
+CONSOLE MESSAGE: Test stage 10 document.cookie is: bar=anotherawesomevalue; foo=awesomevalue
 

trunk/LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
 ALERT: Child window's history object before attempt to clear: undefined
-ALERT: About to shadow child window's history object: [object History]
-ALERT: PASS: Could not shadow child window's history object: [object History]
+CONSOLE MESSAGE: Use of window.alert is not allowed in different origin-domain iframes.
+CONSOLE MESSAGE: PASS: Could not shadow child window's history object: [object History]
 CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
 ALERT: Child window's history object after attempt to clear: undefined

trunk/LayoutTests/http/tests/history/cross-origin-replace-history-object-expected.txt

@@ -1 +1 @@
 ALERT: Parent window's history object before attempt to clear: [object History]
-ALERT: Attempting to clear parent window's history object:
+CONSOLE MESSAGE: Attempting to clear parent window's history object:
 CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "http://localhost:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
 ALERT: Parent window's history object after attempt to clear: [object History]

trunk/LayoutTests/http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html

@@ -10 +10 @@
         return;
     } else
-        alert("Unknown message.");
+        console.log("Unknown message.");
 }
 
@@ -18 +18 @@
     window.history = "";
     if (window.history === "")
-        alert("FAIL: Shadowed child window's history object: " + window.history);
+        console.log("FAIL: Shadowed child window's history object: " + window.history);
     else
-        alert("PASS: Could not shadow child window's history object: " + window.history);
+        console.log("PASS: Could not shadow child window's history object: " + window.history);
     parent.window.postMessage("done", "*");
 }

trunk/LayoutTests/http/tests/history/resources/cross-origin-replaces-history-object-iframe.html

@@ -10 +10 @@
         return;
     } else
-        alert("Unknown message.");
+        console.log("Unknown message.");
 }
 
 function setHistoryLength()
 {
-    alert("Attempting to clear parent window's history object:");
+    console.log("Attempting to clear parent window's history object:");
     try {
         parent.window.history = "";

trunk/LayoutTests/http/tests/misc/frame-default-enc-different-domain-expected.txt

@@ -1 @@
-ALERT: windows-1252
+CONSOLE MESSAGE: windows-1252
 

trunk/LayoutTests/http/tests/misc/frame-default-enc-same-domain-expected.txt

@@ -1 @@
-ALERT: windows-1256
+CONSOLE MESSAGE: windows-1256
 

trunk/LayoutTests/http/tests/misc/resources/frame-default-enc-frame.html

@@ -11 +11 @@
         chs = document.characterSet;
 
-    alert(chs);
+    console.log(chs);
 </script>
 

trunk/LayoutTests/http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html

@@ -23 +23 @@
 function trySetCookie()
 {
-   alert("Cookies should be clear, and are: '" + document.cookie + "'");
-   alert("About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail.");
+   console.log("Cookies should be clear, and are: '" + document.cookie + "'");
+   console.log("About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail.");
     if (window.testRunner)
         testRunner.setAlwaysAcceptCookies(false);
@@ -32 +32 @@
 function completeTest()
 {
-   alert("Cookies should still be clear, and are: '" + document.cookie + "'");
+   console.log("Cookies should still be clear, and are: '" + document.cookie + "'");
    resetCookies();
    if (window.testRunner)

trunk/LayoutTests/http/tests/plugins/third-party-cookie-accept-policy-expected.txt

@@ -1 @@
-ALERT: Cookies should be clear, and are: ''
-ALERT: About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail.
-ALERT: Cookies should still be clear, and are: ''
+CONSOLE MESSAGE: Cookies should be clear, and are: ''
+CONSOLE MESSAGE: About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail.
+CONSOLE MESSAGE: Cookies should still be clear, and are: ''
 This tests that plug-ins cannot set cookies in violation of the 3rd party cookie policy.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
 ALERT: PASS
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt

@@ -1 @@
-ALERT: PASS (1/2): Script can execute
-ALERT: PASS (2/2): Eval works
+CONSOLE MESSAGE: PASS (1/2): Script can execute
+CONSOLE MESSAGE: PASS (2/2): Eval works
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt

@@ -1 @@
-ALERT: Plugin Loaded!
+CONSOLE MESSAGE: Plugin Loaded!
 This tests that an object-src directive on a top-level page is not inherited by a PluginDocument embedded in an iframe on the page. This test passes if an alert pops up saying that the plugin loaded.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html

@@ -1 +1 @@
 <script>
-alert('FAIL');
+let isSameOrigin = true;
+try { top.name } catch (e) { isSameOrigin = false; }
+if (isSameOrigin)
+    alert("FAIL");
+else
+    console.log("FAIL");
 </script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js

@@ -1 @@
-alert('FAIL');
+{
+let isSameOrigin = true;
+try { top.name } catch (e) { isSameOrigin = false; }
+if (isSameOrigin)
+    alert("FAIL");
+else
+    console.log("FAIL");
+}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html

@@ -1 +1 @@
 <script>
-alert("PASS");
+let isSameOrigin = true;
+try { top.name } catch (e) { isSameOrigin = false; }
+if (isSameOrigin)
+    alert("PASS");
+else
+    console.log("PASS");
 
 var shouldNotifyDone = document.location.search.indexOf("?notifyDone=1") !== -1 && window.testRunner;

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.js

@@ -1 @@
-alert('PASS');
+{ 
+let isSameOrigin = true;
+try { top.name } catch (e) { isSameOrigin = false; }
+if (isSameOrigin)
+    alert("PASS");
+else
+    console.log("PASS");
+}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandbox.php

@@ -9 +9 @@
 <p>Ready</p>
 <script>
-alert("Script executed in iframe.");
+console.log("Script executed in iframe.");
 window.secret = "I am a secret";
 </script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php

@@ -3 +3 @@
 ?>
 <script>
-alert('PASS (1/2): Script can execute');
+console.log('PASS (1/2): Script can execute');
 </script>
 <script>
-eval("alert('PASS (2/2): Eval works')");
+eval("console.log('PASS (2/2): Eval works')");
 </script>
 Done.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt

@@ -1 @@
-ALERT: Script executed in iframe.
+CONSOLE MESSAGE: Script executed in iframe.
 ALERT: PASS: Iframe was not in a unique origin
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt

@@ -1 @@
-ALERT: Script executed in iframe.
+CONSOLE MESSAGE: Script executed in iframe.
 CONSOLE MESSAGE: SecurityError: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a cross-origin frame.  The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
 ALERT: PASS: Iframe was in a unique origin

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The Content Security Policy directive 'sandbox' is ignored when delivered in a report-only policy.
 CONSOLE MESSAGE: The Content Security Policy 'sandbox' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-ALERT: Script executed in iframe.
+CONSOLE MESSAGE: Script executed in iframe.
 ALERT: PASS: Iframe was not in a unique origin
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt

@@ -2 +2 @@
 main frame - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didCommitLoadForFrame
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 frame "<!--frame2-->" - didStartProvisionalLoadForFrame
 frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 frame "<!--frame2-->" - didCommitLoadForFrame
-ALERT: PASS
-ALERT: PASS
+CONSOLE MESSAGE: PASS
+CONSOLE MESSAGE: PASS
 frame "<!--frame2-->" - didFinishDocumentLoadForFrame
 frame "<!--frame2-->" - didHandleOnloadEventsForFrame

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 This page should alert "PASS" and not generate any mixed content warnings in the console.

trunk/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
-ALERT: PASS: window.Attr should be 'function Attr() {    [native code]}' and is.
-ALERT: PASS: window.CDATASection should be 'function CDATASection() {    [native code]}' and is.
-ALERT: PASS: window.CharacterData should be 'function CharacterData() {    [native code]}' and is.
-ALERT: PASS: window.Comment should be 'function Comment() {    [native code]}' and is.
-ALERT: PASS: window.CSSPrimitiveValue should be 'function CSSPrimitiveValue() {    [native code]}' and is.
-ALERT: PASS: window.CSSRule should be 'function CSSRule() {    [native code]}' and is.
-ALERT: PASS: window.CSSStyleDeclaration should be 'function CSSStyleDeclaration() {    [native code]}' and is.
-ALERT: PASS: window.CSSValue should be 'function CSSValue() {    [native code]}' and is.
-ALERT: PASS: window.Document should be 'function Document() {    [native code]}' and is.
-ALERT: PASS: window.DocumentFragment should be 'function DocumentFragment() {    [native code]}' and is.
-ALERT: PASS: window.DocumentType should be 'function DocumentType() {    [native code]}' and is.
-ALERT: PASS: window.DOMException should be 'function DOMException() {    [native code]}' and is.
-ALERT: PASS: window.DOMImplementation should be 'function DOMImplementation() {    [native code]}' and is.
-ALERT: PASS: window.DOMParser should be 'function DOMParser() {    [native code]}' and is.
-ALERT: PASS: window.Element should be 'function Element() {    [native code]}' and is.
-ALERT: PASS: window.EvalError should be 'function EvalError() {    [native code]}' and is.
-ALERT: PASS: window.Event should be 'function Event() {    [native code]}' and is.
-ALERT: PASS: window.HTMLAnchorElement should be 'function HTMLAnchorElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLAppletElement should be 'undefined' and is.
-ALERT: PASS: window.HTMLAreaElement should be 'function HTMLAreaElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLBaseElement should be 'function HTMLBaseElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLBodyElement should be 'function HTMLBodyElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLBRElement should be 'function HTMLBRElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLButtonElement should be 'function HTMLButtonElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLCanvasElement should be 'function HTMLCanvasElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLDirectoryElement should be 'function HTMLDirectoryElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLDivElement should be 'function HTMLDivElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLDListElement should be 'function HTMLDListElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLDocument should be 'function HTMLDocument() {    [native code]}' and is.
-ALERT: PASS: window.HTMLElement should be 'function HTMLElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLFieldSetElement should be 'function HTMLFieldSetElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLFontElement should be 'function HTMLFontElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLFormElement should be 'function HTMLFormElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLFrameElement should be 'function HTMLFrameElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLFrameSetElement should be 'function HTMLFrameSetElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLHeadElement should be 'function HTMLHeadElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLHeadingElement should be 'function HTMLHeadingElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLHRElement should be 'function HTMLHRElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLHtmlElement should be 'function HTMLHtmlElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLIFrameElement should be 'function HTMLIFrameElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLImageElement should be 'function HTMLImageElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLInputElement should be 'function HTMLInputElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLIsIndexElement should be 'undefined' and is.
-ALERT: PASS: window.HTMLLabelElement should be 'function HTMLLabelElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLLegendElement should be 'function HTMLLegendElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLLIElement should be 'function HTMLLIElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLLinkElement should be 'function HTMLLinkElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLMapElement should be 'function HTMLMapElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLMarqueeElement should be 'function HTMLMarqueeElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLMenuElement should be 'function HTMLMenuElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLMetaElement should be 'function HTMLMetaElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLModElement should be 'function HTMLModElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLOListElement should be 'function HTMLOListElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLOptGroupElement should be 'function HTMLOptGroupElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLOptionElement should be 'function HTMLOptionElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLParagraphElement should be 'function HTMLParagraphElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLParamElement should be 'function HTMLParamElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLPreElement should be 'function HTMLPreElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLQuoteElement should be 'function HTMLQuoteElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLScriptElement should be 'function HTMLScriptElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLSelectElement should be 'function HTMLSelectElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLStyleElement should be 'function HTMLStyleElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTableCaptionElement should be 'function HTMLTableCaptionElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTableCellElement should be 'function HTMLTableCellElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTableColElement should be 'function HTMLTableColElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTableElement should be 'function HTMLTableElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTableRowElement should be 'function HTMLTableRowElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTableSectionElement should be 'function HTMLTableSectionElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTextAreaElement should be 'function HTMLTextAreaElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLTitleElement should be 'function HTMLTitleElement() {    [native code]}' and is.
-ALERT: PASS: window.HTMLUListElement should be 'function HTMLUListElement() {    [native code]}' and is.
-ALERT: PASS: window.MutationEvent should be 'function MutationEvent() {    [native code]}' and is.
-ALERT: PASS: window.Node should be 'function Node() {    [native code]}' and is.
-ALERT: PASS: window.NodeFilter should be 'function NodeFilter() {    [native code]}' and is.
-ALERT: PASS: window.ProcessingInstruction should be 'function ProcessingInstruction() {    [native code]}' and is.
-ALERT: PASS: window.Range should be 'function Range() {    [native code]}' and is.
-ALERT: PASS: window.RangeError should be 'function RangeError() {    [native code]}' and is.
-ALERT: PASS: window.RangeException should be 'undefined' and is.
-ALERT: PASS: window.ReferenceError should be 'function ReferenceError() {    [native code]}' and is.
-ALERT: PASS: window.SyntaxError should be 'function SyntaxError() {    [native code]}' and is.
-ALERT: PASS: window.Text should be 'function Text() {    [native code]}' and is.
-ALERT: PASS: window.TypeError should be 'function TypeError() {    [native code]}' and is.
-ALERT: PASS: window.URIError should be 'function URIError() {    [native code]}' and is.
-ALERT: PASS: window.XMLDocument should be 'function XMLDocument() {    [native code]}' and is.
-ALERT: PASS: window.XMLSerializer should be 'function XMLSerializer() {    [native code]}' and is.
-ALERT: PASS: window.XPathEvaluator should be 'function XPathEvaluator() {    [native code]}' and is.
-ALERT: PASS: window.XPathResult should be 'function XPathResult() {    [native code]}' and is.
-ALERT: PASS: window.clientInformation should be '[object Navigator]' and is.
-ALERT: PASS: window.closed should be 'false' and is.
-ALERT: PASS: window.console should be '[object console]' and is.
-ALERT: PASS: window.crypto should be '[object Crypto]' and is.
-ALERT: PASS: window.defaultStatus should be '' and is.
-ALERT: PASS: window.defaultstatus should be '' and is.
-ALERT: PASS: window.devicePixelRatio should be '1' and is.
-ALERT: PASS: window.document should be '[object HTMLDocument]' and is.
-ALERT: PASS: window.embeds should be 'undefined' and is.
-ALERT: PASS: window.event should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.Attr should be 'function Attr() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.CDATASection should be 'function CDATASection() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.CharacterData should be 'function CharacterData() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Comment should be 'function Comment() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.CSSPrimitiveValue should be 'function CSSPrimitiveValue() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.CSSRule should be 'function CSSRule() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.CSSStyleDeclaration should be 'function CSSStyleDeclaration() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.CSSValue should be 'function CSSValue() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Document should be 'function Document() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.DocumentFragment should be 'function DocumentFragment() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.DocumentType should be 'function DocumentType() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.DOMException should be 'function DOMException() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.DOMImplementation should be 'function DOMImplementation() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.DOMParser should be 'function DOMParser() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Element should be 'function Element() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.EvalError should be 'function EvalError() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Event should be 'function Event() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLAnchorElement should be 'function HTMLAnchorElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLAppletElement should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.HTMLAreaElement should be 'function HTMLAreaElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLBaseElement should be 'function HTMLBaseElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLBodyElement should be 'function HTMLBodyElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLBRElement should be 'function HTMLBRElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLButtonElement should be 'function HTMLButtonElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLCanvasElement should be 'function HTMLCanvasElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLDirectoryElement should be 'function HTMLDirectoryElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLDivElement should be 'function HTMLDivElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLDListElement should be 'function HTMLDListElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLDocument should be 'function HTMLDocument() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLElement should be 'function HTMLElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLFieldSetElement should be 'function HTMLFieldSetElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLFontElement should be 'function HTMLFontElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLFormElement should be 'function HTMLFormElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLFrameElement should be 'function HTMLFrameElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLFrameSetElement should be 'function HTMLFrameSetElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLHeadElement should be 'function HTMLHeadElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLHeadingElement should be 'function HTMLHeadingElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLHRElement should be 'function HTMLHRElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLHtmlElement should be 'function HTMLHtmlElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLIFrameElement should be 'function HTMLIFrameElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLImageElement should be 'function HTMLImageElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLInputElement should be 'function HTMLInputElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLIsIndexElement should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.HTMLLabelElement should be 'function HTMLLabelElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLLegendElement should be 'function HTMLLegendElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLLIElement should be 'function HTMLLIElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLLinkElement should be 'function HTMLLinkElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLMapElement should be 'function HTMLMapElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLMarqueeElement should be 'function HTMLMarqueeElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLMenuElement should be 'function HTMLMenuElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLMetaElement should be 'function HTMLMetaElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLModElement should be 'function HTMLModElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLOListElement should be 'function HTMLOListElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLOptGroupElement should be 'function HTMLOptGroupElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLOptionElement should be 'function HTMLOptionElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLParagraphElement should be 'function HTMLParagraphElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLParamElement should be 'function HTMLParamElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLPreElement should be 'function HTMLPreElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLQuoteElement should be 'function HTMLQuoteElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLScriptElement should be 'function HTMLScriptElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLSelectElement should be 'function HTMLSelectElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLStyleElement should be 'function HTMLStyleElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTableCaptionElement should be 'function HTMLTableCaptionElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTableCellElement should be 'function HTMLTableCellElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTableColElement should be 'function HTMLTableColElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTableElement should be 'function HTMLTableElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTableRowElement should be 'function HTMLTableRowElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTableSectionElement should be 'function HTMLTableSectionElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTextAreaElement should be 'function HTMLTextAreaElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLTitleElement should be 'function HTMLTitleElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.HTMLUListElement should be 'function HTMLUListElement() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.MutationEvent should be 'function MutationEvent() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Node should be 'function Node() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.NodeFilter should be 'function NodeFilter() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.ProcessingInstruction should be 'function ProcessingInstruction() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Range should be 'function Range() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.RangeError should be 'function RangeError() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.RangeException should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.ReferenceError should be 'function ReferenceError() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.SyntaxError should be 'function SyntaxError() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.Text should be 'function Text() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.TypeError should be 'function TypeError() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.URIError should be 'function URIError() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.XMLDocument should be 'function XMLDocument() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.XMLSerializer should be 'function XMLSerializer() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.XPathEvaluator should be 'function XPathEvaluator() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.XPathResult should be 'function XPathResult() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.clientInformation should be '[object Navigator]' and is.
+CONSOLE MESSAGE: PASS: window.closed should be 'false' and is.
+CONSOLE MESSAGE: PASS: window.console should be '[object console]' and is.
+CONSOLE MESSAGE: PASS: window.crypto should be '[object Crypto]' and is.
+CONSOLE MESSAGE: PASS: window.defaultStatus should be '' and is.
+CONSOLE MESSAGE: PASS: window.defaultstatus should be '' and is.
+CONSOLE MESSAGE: PASS: window.devicePixelRatio should be '1' and is.
+CONSOLE MESSAGE: PASS: window.document should be '[object HTMLDocument]' and is.
+CONSOLE MESSAGE: PASS: window.embeds should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.event should be 'undefined' and is.
 CONSOLE MESSAGE: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
-ALERT: PASS: window.frameElement should be 'null' and is.
-ALERT: PASS: window.frames should be '[object Window]' and is.
-ALERT: PASS: window.history should be '[object History]' and is.
-ALERT: PASS: window.images should be 'undefined' and is.
-ALERT: PASS: window.innerHeight should be '150' and is.
-ALERT: PASS: window.innerWidth should be '300' and is.
-ALERT: PASS: window.length should be '0' and is.
-ALERT: PASS: window.locationbar should be '[object BarProp]' and is.
-ALERT: PASS: window.menubar should be '[object BarProp]' and is.
-ALERT: PASS: window.name should be '' and is.
-ALERT: PASS: window.navigator should be '[object Navigator]' and is.
-ALERT: PASS: window.offscreenBuffering should be 'true' and is.
-ALERT: PASS: window.onabort should be 'null' and is.
-ALERT: PASS: window.onbeforeunload should be 'null' and is.
-ALERT: PASS: window.onblur should be 'null' and is.
-ALERT: PASS: window.onchange should be 'null' and is.
-ALERT: PASS: window.onclick should be 'null' and is.
-ALERT: PASS: window.ondblclick should be 'null' and is.
-ALERT: PASS: window.onerror should be 'null' and is.
-ALERT: PASS: window.onfocus should be 'null' and is.
-ALERT: PASS: window.onkeydown should be 'null' and is.
-ALERT: PASS: window.onkeypress should be 'null' and is.
-ALERT: PASS: window.onkeyup should be 'null' and is.
-ALERT: PASS: window.onload should be 'null' and is.
-ALERT: PASS: window.onmousedown should be 'null' and is.
-ALERT: PASS: window.onmousemove should be 'null' and is.
-ALERT: PASS: window.onmouseout should be 'null' and is.
-ALERT: PASS: window.onmouseover should be 'null' and is.
-ALERT: PASS: window.onmouseup should be 'null' and is.
-ALERT: PASS: window.onmousewheel should be 'null' and is.
-ALERT: PASS: window.onreset should be 'null' and is.
-ALERT: PASS: window.onresize should be 'null' and is.
-ALERT: PASS: window.onscroll should be 'null' and is.
-ALERT: PASS: window.onsearch should be 'null' and is.
-ALERT: PASS: window.onselect should be 'null' and is.
-ALERT: PASS: window.onsubmit should be 'null' and is.
-ALERT: PASS: window.onunload should be 'null' and is.
-ALERT: PASS: window.opener should be 'null' and is.
-ALERT: PASS: window.outerHeight matched the expected value.
-ALERT: PASS: window.outerWidth matched the expected value.
-ALERT: PASS: window.pageXOffset should be '0' and is.
-ALERT: PASS: window.pageYOffset should be '0' and is.
-ALERT: PASS: window.personalbar should be '[object BarProp]' and is.
-ALERT: PASS: window.plugins should be 'undefined' and is.
-ALERT: PASS: window.screen should be '[object Screen]' and is.
-ALERT: PASS: window.screenLeft should be '0' and is.
-ALERT: PASS: window.screenTop matched the expected value.
-ALERT: PASS: window.screenX should be '0' and is.
-ALERT: PASS: window.screenY matched the expected value.
-ALERT: PASS: window.scrollbars should be '[object BarProp]' and is.
-ALERT: PASS: window.scrollX should be '0' and is.
-ALERT: PASS: window.scrollY should be '0' and is.
-ALERT: PASS: window.self should be '[object Window]' and is.
-ALERT: PASS: window.status should be '' and is.
-ALERT: PASS: window.statusbar should be '[object BarProp]' and is.
-ALERT: PASS: window.toolbar should be '[object BarProp]' and is.
-ALERT: PASS: window.window should be '[object Window]' and is.
-ALERT: PASS: window.parent should be parentOld and is.
-ALERT: PASS: window.top should be topOld and is.
-ALERT: PASS: window.addEventListener should be 'function addEventListener() {    [native code]}' and is.
-ALERT: PASS: window.alert should be 'function alert() {    [native code]}' and is.
-ALERT: PASS: window.atob should be 'function atob() {    [native code]}' and is.
-ALERT: PASS: window.btoa should be 'function btoa() {    [native code]}' and is.
-ALERT: PASS: window.captureEvents should be 'function captureEvents() {    [native code]}' and is.
-ALERT: PASS: window.clearInterval should be 'function clearInterval() {    [native code]}' and is.
-ALERT: PASS: window.clearTimeout should be 'function clearTimeout() {    [native code]}' and is.
-ALERT: PASS: window.confirm should be 'function confirm() {    [native code]}' and is.
-ALERT: PASS: window.eval should be 'function eval() {    [native code]}' and is.
-ALERT: PASS: window.find should be 'function find() {    [native code]}' and is.
-ALERT: PASS: window.getComputedStyle should be 'function getComputedStyle() {    [native code]}' and is.
-ALERT: PASS: window.getMatchedCSSRules should be 'function getMatchedCSSRules() {    [native code]}' and is.
-ALERT: PASS: window.getSelection should be 'function getSelection() {    [native code]}' and is.
-ALERT: PASS: window.moveBy should be 'function moveBy() {    [native code]}' and is.
-ALERT: PASS: window.moveTo should be 'function moveTo() {    [native code]}' and is.
-ALERT: PASS: window.open should be 'function open() {    [native code]}' and is.
-ALERT: PASS: window.print should be 'function print() {    [native code]}' and is.
-ALERT: PASS: window.prompt should be 'function prompt() {    [native code]}' and is.
-ALERT: PASS: window.releaseEvents should be 'function releaseEvents() {    [native code]}' and is.
-ALERT: PASS: window.removeEventListener should be 'function removeEventListener() {    [native code]}' and is.
-ALERT: PASS: window.resizeBy should be 'function resizeBy() {    [native code]}' and is.
-ALERT: PASS: window.resizeTo should be 'function resizeTo() {    [native code]}' and is.
-ALERT: PASS: window.scroll should be 'function scroll() {    [native code]}' and is.
-ALERT: PASS: window.scrollBy should be 'function scrollBy() {    [native code]}' and is.
-ALERT: PASS: window.scrollTo should be 'function scrollTo() {    [native code]}' and is.
-ALERT: PASS: window.setInterval should be 'function setInterval() {    [native code]}' and is.
-ALERT: PASS: window.setTimeout should be 'function setTimeout() {    [native code]}' and is.
-ALERT: PASS: window.showModalDialog matched the expected value.
-ALERT: PASS: window.stop should be 'function stop() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.frameElement should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.frames should be '[object Window]' and is.
+CONSOLE MESSAGE: PASS: window.history should be '[object History]' and is.
+CONSOLE MESSAGE: PASS: window.images should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.innerHeight should be '150' and is.
+CONSOLE MESSAGE: PASS: window.innerWidth should be '300' and is.
+CONSOLE MESSAGE: PASS: window.length should be '0' and is.
+CONSOLE MESSAGE: PASS: window.locationbar should be '[object BarProp]' and is.
+CONSOLE MESSAGE: PASS: window.menubar should be '[object BarProp]' and is.
+CONSOLE MESSAGE: PASS: window.name should be '' and is.
+CONSOLE MESSAGE: PASS: window.navigator should be '[object Navigator]' and is.
+CONSOLE MESSAGE: PASS: window.offscreenBuffering should be 'true' and is.
+CONSOLE MESSAGE: PASS: window.onabort should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onbeforeunload should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onblur should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onchange should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onclick should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.ondblclick should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onerror should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onfocus should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onkeydown should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onkeypress should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onkeyup should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onload should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onmousedown should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onmousemove should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onmouseout should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onmouseover should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onmouseup should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onmousewheel should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onreset should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onresize should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onscroll should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onsearch should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onselect should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onsubmit should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.onunload should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.opener should be 'null' and is.
+CONSOLE MESSAGE: PASS: window.outerHeight matched the expected value.
+CONSOLE MESSAGE: PASS: window.outerWidth matched the expected value.
+CONSOLE MESSAGE: PASS: window.pageXOffset should be '0' and is.
+CONSOLE MESSAGE: PASS: window.pageYOffset should be '0' and is.
+CONSOLE MESSAGE: PASS: window.personalbar should be '[object BarProp]' and is.
+CONSOLE MESSAGE: PASS: window.plugins should be 'undefined' and is.
+CONSOLE MESSAGE: PASS: window.screen should be '[object Screen]' and is.
+CONSOLE MESSAGE: PASS: window.screenLeft should be '0' and is.
+CONSOLE MESSAGE: PASS: window.screenTop matched the expected value.
+CONSOLE MESSAGE: PASS: window.screenX should be '0' and is.
+CONSOLE MESSAGE: PASS: window.screenY matched the expected value.
+CONSOLE MESSAGE: PASS: window.scrollbars should be '[object BarProp]' and is.
+CONSOLE MESSAGE: PASS: window.scrollX should be '0' and is.
+CONSOLE MESSAGE: PASS: window.scrollY should be '0' and is.
+CONSOLE MESSAGE: PASS: window.self should be '[object Window]' and is.
+CONSOLE MESSAGE: PASS: window.status should be '' and is.
+CONSOLE MESSAGE: PASS: window.statusbar should be '[object BarProp]' and is.
+CONSOLE MESSAGE: PASS: window.toolbar should be '[object BarProp]' and is.
+CONSOLE MESSAGE: PASS: window.window should be '[object Window]' and is.
+CONSOLE MESSAGE: PASS: window.parent should be parentOld and is.
+CONSOLE MESSAGE: PASS: window.top should be topOld and is.
+CONSOLE MESSAGE: PASS: window.addEventListener should be 'function addEventListener() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.alert should be 'function alert() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.atob should be 'function atob() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.btoa should be 'function btoa() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.captureEvents should be 'function captureEvents() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.clearInterval should be 'function clearInterval() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.clearTimeout should be 'function clearTimeout() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.confirm should be 'function confirm() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.eval should be 'function eval() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.find should be 'function find() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.getComputedStyle should be 'function getComputedStyle() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.getMatchedCSSRules should be 'function getMatchedCSSRules() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.getSelection should be 'function getSelection() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.moveBy should be 'function moveBy() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.moveTo should be 'function moveTo() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.open should be 'function open() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.print should be 'function print() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.prompt should be 'function prompt() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.releaseEvents should be 'function releaseEvents() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.removeEventListener should be 'function removeEventListener() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.resizeBy should be 'function resizeBy() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.resizeTo should be 'function resizeTo() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.scroll should be 'function scroll() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.scrollBy should be 'function scrollBy() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.scrollTo should be 'function scrollTo() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.setInterval should be 'function setInterval() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.setTimeout should be 'function setTimeout() {    [native code]}' and is.
+CONSOLE MESSAGE: PASS: window.showModalDialog matched the expected value.
+CONSOLE MESSAGE: PASS: window.stop should be 'function stop() {    [native code]}' and is.
 ALERT: continue test in parent frame
 This test checks cross-frame access security of window attribute setters (rdar://problem/5326791).

trunk/LayoutTests/http/tests/security/data-url-inline.css-expected.txt

@@ -1 @@
-ALERT: 1 rules found
+CONSOLE MESSAGE: 1 rules found
 This test ensures that a data URL can access its own inline style sheets. Sorry for the obscurity of the test case, but it's the repro from Bug 32309, which has an "unobfuscated" version of the code.
 

trunk/LayoutTests/http/tests/security/data-url-inline.css.html

@@ -8 +8 @@
 has an "unobfuscated" version of the code.</p>
 <p>This test passes if it alerts that it found 1 rule.</p>
-<iframe src="data:text/html;base64,PGh0bWw+CiAgPHN0eWxlPgogICAgYm9keSB7CiAgICAgIGJhY2tncm91bmQ6IGdyZWVuOwogICAgfQogIDwvc3R5bGU+CiAgPGJvZHk+CiAgICA8c2NyaXB0PgogICAgICB2YXIgc3R5bGVzaGVldHMgPSBkb2N1bWVudC5zdHlsZVNoZWV0czsKICAgICAgdmFyIHN0eWxlc2hlZXQgPSBzdHlsZXNoZWV0c1tzdHlsZXNoZWV0cy5sZW5ndGgtMV07CiAgICAgIHZhciBydWxlcyA9IHN0eWxlc2hlZXQuY3NzUnVsZXM7CiAgICAgIGFsZXJ0KHJ1bGVzLmxlbmd0aCArICcgcnVsZXMgZm91bmQnKTsKICAgIDwvc2NyaXB0PgogIDwvYm9keT4KPC9odG1sPgo="></iframe>
+<iframe src="data:text/html;base64,PGh0bWw+DQogIDxzdHlsZT4NCiAgICBib2R5IHsNCiAgICAgIGJhY2tncm91bmQ6IGdyZWVuOw0KICAgIH0NCiAgPC9zdHlsZT4NCiAgPGJvZHk+DQogICAgPHNjcmlwdD4NCiAgICAgIHZhciBzdHlsZXNoZWV0cyA9IGRvY3VtZW50LnN0eWxlU2hlZXRzOw0KICAgICAgdmFyIHN0eWxlc2hlZXQgPSBzdHlsZXNoZWV0c1tzdHlsZXNoZWV0cy5sZW5ndGgtMV07DQogICAgICB2YXIgcnVsZXMgPSBzdHlsZXNoZWV0LmNzc1J1bGVzOw0KICAgICAgY29uc29sZS5sb2cocnVsZXMubGVuZ3RoICsgJyBydWxlcyBmb3VuZCcpOw0KICAgIDwvc2NyaXB0Pg0KICA8L2JvZHk+DQo8L2h0bWw+DQo="></iframe>

trunk/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html

@@ -12 +12 @@
             +             "try {"
             +                 "top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';"
-            +                 "alert('FAIL: No exception thrown.');"
+            +                 "console.log('FAIL: No exception thrown.');"
             +             "} catch (e) {"
             +                 "console.log(e);"
-            +                 "alert('PASS: Exception thrown successfully.');"
+            +                 "console.log('PASS: Exception thrown successfully.');"
             +             "}"
             +             "if (window.testRunner)"

trunk/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html

@@ -11 +11 @@
             +             "try {"
             +                 "parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';"
-            +                 "alert('FAIL: No exception thrown.');" 
+            +                 "console.log('FAIL: No exception thrown.');" 
             +             "} catch (e) {"
             +                 "console.log(e);"
-            +                 "alert('PASS: Exception thrown successfully.');"
+            +                 "console.log('PASS: Exception thrown successfully.');"
             +             "}"
             +             "if (window.testRunner)"

trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame. Protocols, domains, and ports must match.
-ALERT: PASS: Exception thrown successfully.
+CONSOLE MESSAGE: PASS: Exception thrown successfully.
 The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that the data: URL loaded iframe does not have access to the main frame using top.document.
 

trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame. Protocols, domains, and ports must match.
-ALERT: PASS: Exception thrown successfully.
+CONSOLE MESSAGE: PASS: Exception thrown successfully.
 Opener Frame
 

trunk/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 Dragme

trunk/LayoutTests/http/tests/security/drag-drop-local-file-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Not allowed to drag local resource: foobar
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 Dragme

trunk/LayoutTests/http/tests/security/drag-drop-same-unique-origin-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html

@@ -6 +6 @@
 
 function onSocketOpened() {
-    alert("WebSocket connection opened.");
+    console.log("WebSocket connection opened.");
     finishJSTest();
 }
 
 function onSocketError() {
-    alert("WebSocket connection failed.");
+    console.log("WebSocket connection failed.");
     ws.close();
     finishJSTest();
@@ -17 +17 @@
 
 function onSocketClosed() {
-    alert("WebSocket closed.");
+    console.log("WebSocket closed.");
     finishJSTest();
 }
@@ -27 +27 @@
     ws.onclose = onSocketClosed;
 } catch (e) {
-    alert("Test failed: exception thrown");
+    console.log("Test failed: exception thrown");
     finishJSTest();
 }

trunk/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html was not allowed to run insecure content from ws://127.0.0.1:8880/websocket/tests/hybi/echo.
 
-ALERT: WebSocket connection failed.
+CONSOLE MESSAGE: WebSocket connection failed.
 CONSOLE MESSAGE: WebSocket connection failed: WebSocket is closed before the connection is established.
 This test loads an iframe that creates an insecure WebSocket connection. We should block the connection and trigger a mixed content callback because the main frame is HTTPS, but the data sent over the socket could be recorded or controlled by an attacker.

trunk/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html was not allowed to run insecure content from ws://127.0.0.1:8880/websocket/tests/hybi/echo.
 
-ALERT: WebSocket connection failed.
+CONSOLE MESSAGE: WebSocket connection failed.
 CONSOLE MESSAGE: WebSocket connection failed: WebSocket is closed before the connection is established.
 This test opens a window that connects to an insecure ws:// WebSocket. We should block the connection and trigger a mixed content callback because the main frame is HTTPS, but the data sent over the socket could be recorded or controlled by an attacker.

trunk/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt

@@ -1 @@
-ALERT: PASS: db.open() threw a SECURITY_ERR!
+CONSOLE MESSAGE: PASS: db.open() threw a SECURITY_ERR!
 

trunk/LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html

@@ -9 +9 @@
              try {
                  db.open('test');
-                 alert('FAIL: db.open() should throw a SECURITY_ERR in a sandbox.');
+                 console.log('FAIL: db.open() should throw a SECURITY_ERR in a sandbox.');
              } catch (e) {
                  if (e.code === DOMException.SECURITY_ERR)
-                     alert('PASS: db.open() threw a SECURITY_ERR!');
+                     console.log('PASS: db.open() threw a SECURITY_ERR!');
                  else
-                     alert('FAIL: db.open() threw a ' + e.name);
+                     console.log('FAIL: db.open() threw a ' + e.name);
              }
          </script>"

trunk/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Blocked opening 'about:blank' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 

trunk/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/no-popup-from-sandbox-top.html' from frame with URL 'data:text/html,       <script>       var win = window.open('about:blank', '_top');       alert(win ?%20'FAIL'%20:%20'PASS');%20%20%20%20%20%20%20%3C/script%3E'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/no-popup-from-sandbox-top.html' from frame with URL 'data:text/html,       <script>       var win = window.open('about:blank', '_top');       console.log(win ?%20'FAIL'%20:%20'PASS');%20%20%20%20%20%20%20%3C/script%3E'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
 
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 

trunk/LayoutTests/http/tests/security/no-popup-from-sandbox-top.html

@@ -10 +10 @@
        <script>
        var win = window.open('about:blank', '_top');
-       alert(win ? 'FAIL' : 'PASS');
+       console.log(win ? 'FAIL' : 'PASS');
        </script>"
   ></iframe>

trunk/LayoutTests/http/tests/security/no-popup-from-sandbox.html

@@ -10 +10 @@
        <script>
        var win = window.open('about:blank', '_blank');
-       alert(win ? 'FAIL' : 'PASS');
+       console.log(win ? 'FAIL' : 'PASS');
        </script>"
   ></iframe>

trunk/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 

trunk/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html

@@ -12 +12 @@
        <script>
        var win = window.open('data:text/html,<script>if (window.testRunner) testRunner.notifyDone();<\/script>', '_blank');
-       alert(win ? 'PASS' : 'FAIL');
+       console.log(win ? 'PASS' : 'FAIL');
        </script>"
   ></iframe>

trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html

@@ -32 +32 @@
             message = String(message).replace(/\n/g, "");
             if (window.testRunner) {
-                alert(message);
+                console.log(message);
             } else {
                 log(message);
@@ -409 +409 @@
             // Using shouldBe for parent and top causes extraneous warnings due to cross-orgin toString'ing.
             if (window.parent === parentOld) {
-                alert("PASS: window.parent should be parentOld and is.");
+                console.log("PASS: window.parent should be parentOld and is.");
             } else {
-                alert("*** FAIL: window.parent should be parentOld but instead is " + window.parent + ". ***");
+                console.log("*** FAIL: window.parent should be parentOld but instead is " + window.parent + ". ***");
             }
 
             if (window.top === topOld) {
-                alert("PASS: window.top should be topOld and is.");
+                console.log("PASS: window.top should be topOld and is.");
             } else {
-                alert("*** FAIL: window.top should be topOld but instead is " + window.top + ". ***");
+                console.log("*** FAIL: window.top should be topOld but instead is " + window.top + ". ***");
             }
 

trunk/LayoutTests/http/tests/security/resources/drag-drop-allowed.html

@@ -20 +20 @@
 
     if (document.getElementById("dragme").parentNode.tagName == "SPAN" && document.getElementById("dragme").src.length > 10)
-        alert("PASS");
+        console.log("PASS");
     else
-        alert("FAIL");
+        console.log("FAIL");
 
     testRunner.notifyDone();

trunk/LayoutTests/http/tests/security/resources/drag-drop.html

@@ -5 +5 @@
     {
         if (document.body.innerHTML.match(/Dragme/i))
-            alert("FAIL");
+            console.log("FAIL");
         else
-            alert("PASS");
+            console.log("PASS");
         
         if (window.testRunner)

trunk/LayoutTests/http/tests/security/sandboxed-iframe-ALLOWED-modals.html

@@ -4 +4 @@
 </script>
 <p>This test passes if opening modal dialogs is allowed and no error message is logged in the console.</p>
-<iframe sandbox="allow-scripts allow-modals"
-        src="data:text/html,<script>
-            alert('MESSAGE');
-            </script>"></iframe>
-<iframe sandbox="allow-scripts allow-modals"
-        src="data:text/html,<script>
-            confirm('MESSAGE?');
-            </script>"></iframe>
-<iframe sandbox="allow-scripts allow-modals"
-        src="data:text/html,<script>
-            prompt('MESSAGE:', 'DEFAULT');
-            </script>"></iframe>
-<iframe sandbox="allow-scripts allow-modals"
-        src="data:text/html,<script>
-            print();
-            </script>"></iframe>
-<iframe sandbox="allow-scripts allow-modals"
-        src="data:text/html,<script>
-            document.execCommand('print', true, null);
-            </script>"></iframe>
+<iframe sandbox="allow-scripts allow-modals allow-same-origin" src="resources/sandboxed-iframe-ALLOWED-modals-iframe.html"></iframe>

trunk/LayoutTests/http/tests/security/xss-DENIED-window-index-assign-expected.txt

@@ -1 @@
-ALERT: undefined
+CONSOLE MESSAGE: undefined
 CONSOLE MESSAGE: TypeError: parent[0].f is not a function. (In 'parent[0].f()', 'parent[0].f' is undefined)
 

trunk/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html

@@ -6 +6 @@
     a: "1",
     f: function() {
-        alert("FAIL: Child called parent.f()");
+        console.log("FAIL: Child called parent.f()");
     }
 };
 </script>
-<iframe src="data:text/html,<script>alert(parent[0].a);</script><script>parent[0].f();</script>"></iframe><br>
+<iframe src="data:text/html,<script>console.log(parent[0].a);</script><script>parent[0].f();</script>"></iframe><br>
 This test passes if the access is forbidden.

trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html

@@ -6 +6 @@
         src="data:text/html,<script>
             window.name='alert2';
-            alert(top.alert2 === window ? 'PASS' : 'FAIL');
+            console.log(top.alert2 === window ? 'PASS' : 'FAIL');
             </script>"></iframe>

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt

@@ -1 @@
-ALERT: /XSS/
+CONSOLE MESSAGE: /XSS/
 We allow direct injections into base tags to reduce false positives.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/security/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt

@@ -1 @@
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-safe2-expected.txt

@@ -1 @@
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt

@@ -1 @@
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27//127.0.0.1:8000/security/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3econsole.log(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3econsole.log(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 Check that an X-XSS-Protection header added by a 304 response does not override one from the original request.
 

trunk/LayoutTests/http/tests/security/xssAuditor/cached-frame.html

@@ -29 +29 @@
 </head>
 <body>
-    <iframe src="http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e" onload="frameLoaded()"></iframe>
+    <iframe src="http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3econsole.log(/XSS/);%3c/script%3e" onload="frameLoaded()"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead.
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt

@@ -1 @@
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 

trunk/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html

@@ -9 +9 @@
 </head>
 <body>
-<iframe src="data:text/html,<script>alert('PASS');</script>"></iframe>
+<iframe src="data:text/html,<script>console.log('PASS');</script>"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt

@@ -1 @@
-ALERT: XSS
+CONSOLE MESSAGE: XSS
 

trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html

@@ -15 +15 @@
 </head>
 <body>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-dom-write-innerHTML.html?q=<img src='about:blank' onerror='alert(String.fromCharCode(0x58,0x53,0x53))'>">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-dom-write-innerHTML.html?q=<img src='about:blank' onerror='console.log(String.fromCharCode(0x58,0x53,0x53))'>">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value=%27Please%20type%20your%20PIN.%27%3E&notifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: Form action set to about:blank
+CONSOLE MESSAGE: Form action set to about:blank
 

trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&q=%3Cform%3E%3Cbutton%20formaction=%27http://example.com/%27%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: formaction present on BUTTON with value of about:blank
+CONSOLE MESSAGE: formaction present on BUTTON with value of about:blank
 

trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&q=%3Cform%3E%3Cinput%20formaction=%27http://example.com/%27%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-ALERT: formaction present on INPUT with value of about:blank
+CONSOLE MESSAGE: formaction present on INPUT with value of about:blank
 

trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe-expected.txt

@@ -1 @@
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html

@@ -10 +10 @@
 </head>
 <body>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/javascript-link-safe.html?q=alert('This is a safe script.')">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/javascript-link-safe.html?q=console.log('This is a safe script.')">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt

@@ -1 @@
-ALERT: XSS
+CONSOLE MESSAGE: XSS
 This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality.
 

trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt

@@ -1 @@
-ALERT: XSS
+CONSOLE MESSAGE: XSS
 This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality.
 

trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html

@@ -12 +12 @@
 the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this 
 functionality.</p>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=dummy%09/onload=alert(String.fromCharCode(0x58,0x53,0x53))&dummy=dummy">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=dummy%09/onload=console.log(String.fromCharCode(0x58,0x53,0x53))&dummy=dummy">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html

@@ -12 +12 @@
 the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this 
 functionality.</p>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=1%20onload=alert(String.fromCharCode(0x58,0x53,0x53))">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=1%20onload=console.log(String.fromCharCode(0x58,0x53,0x53))">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt

@@ -1 @@
-ALERT: XSS
+CONSOLE MESSAGE: XSS
 This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect the injection of an inline event handler within a tag. A future update may reinstate this functionality.
 

trunk/LayoutTests/http/tests/security/xssAuditor/property-inject.html

@@ -12 +12 @@
 the XSSAuditor does not detect the injection of an inline event handler within a tag. A future update may 
 reinstate this functionality.</p>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-inner-tag.pl?q=onload=alert(String.fromCharCode(0x58,0x53,0x53))">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-inner-tag.pl?q=onload=console.log(String.fromCharCode(0x58,0x53,0x53))">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/resources/base-href/really-safe-script.js

@@ -1 @@
-alert('This is a safe script.');
+console.log('This is a safe script.');

trunk/LayoutTests/http/tests/security/xssAuditor/resources/base-href/safe-script.js

@@ -1 @@
-alert(/XSS/);
+console.log(/XSS/);

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

@@ -106 +106 @@
 if ($cgi->param('showAction')) {
     print "<script>\n";
-    print "    alert('Form action set to ' + document.forms[0].action);\n";
+    print "    console.log('Form action set to ' + document.forms[0].action);\n";
     print "</script>\n";
 }
@@ -113 +113 @@
     print "    var e = document.querySelector('[formaction]');\n";
     print "    if (e)\n";
-    print "        alert('formaction present on ' + e.nodeName + ' with value of ' + e.getAttribute('formaction'));\n";
+    print "        console.log('formaction present on ' + e.nodeName + ' with value of ' + e.getAttribute('formaction'));\n";
     print "</script>\n";
 }
@@ -127 +127 @@
     print "        document.getElementById('console').innerText = log;\n";
     print "    } else\n";
-    print "        alert('No element matched the given selector.');\n";
+    print "        console.log('No element matched the given selector.');\n";
     print "</script>\n";
 }
@@ -140 +140 @@
 }
 if ($cgi->param('alert-cookie')) {
-    print "<script>if (/xssAuditorTestCookie/.test(document.cookie)) { alert('FAIL: ' + document.cookie); document.cookie = 'xssAuditorTestCookie=remove; max-age=-1'; } else alert('PASS');</script>\n";
+    print "<script>if (/xssAuditorTestCookie/.test(document.cookie)) { console.log('FAIL: ' + document.cookie); document.cookie = 'xssAuditorTestCookie=remove; max-age=-1'; } else console.log('PASS');</script>\n";
 }
 if ($cgi->param('echo-report')) {

trunk/LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.html

@@ -4 +4 @@
 </head>
 <body>
-<a id="anchorLink" href="javascript:alert('This is a safe script.')">test</a>
+<a id="anchorLink" href="javascript:console.log('This is a safe script.')">test</a>
 <script>
     var event = document.createEvent('MouseEvent');

trunk/LayoutTests/http/tests/security/xssAuditor/resources/nph-cached.pl

@@ -27 +27 @@
 print "<body>\r\n";
 print "<input id=\"rand\" type=\"text\" value=\"$nonce\"/>\r\n";
-print "<script>alert(/XSS/);</script>\r\n";
+print "<script>console.log(/XSS/);</script>\r\n";
 print "</body>\r\n";
 print "</html>\r\n";

trunk/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js

@@ -1 @@
-alert(/This is a safe script./);
+console.log(/This is a safe script./);

trunk/LayoutTests/http/tests/security/xssAuditor/resources/safe-script.js

@@ -1 @@
-alert('This is a safe script.');
+console.log('This is a safe script.');

trunk/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html

@@ -2 +2 @@
 <html>
 <head>
-<script>alert(/This is a safe script./)</script>
+<script>console.log(/This is a safe script./)</script>
 </head>
 <body>

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=%3Cscript%3E%22%3Cscript%3E%22-alert(/XSS/)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=%3Cscript%3E%22%3Cscript%3E%22-console.log(/XSS/)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
 

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html

@@ -9 +9 @@
 </head>
 <body>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=<script>%22<script>%22-alert(/XSS/)">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=<script>%22<script>%22-console.log(/XSS/)">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt

@@ -1 @@
-ALERT: /This is a safe script./
+CONSOLE MESSAGE: /This is a safe script./
 

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html

@@ -9 +9 @@
 </head>
 <body>
-<iframe src='http://localhost:8000/security/xssAuditor/resources/script-tag-safe2.html?q=alert(/This+is+a+safe+script./)'>
+<iframe src='http://localhost:8000/security/xssAuditor/resources/script-tag-safe2.html?q=console.log(/This+is+a+safe+script./)'>
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt

@@ -1 @@
-ALERT: /This is a safe script./
+CONSOLE MESSAGE: /This is a safe script./
 

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html

@@ -9 +9 @@
 </head>
 <body>
-<iframe src='http://localhost:8000/security/xssAuditor/resources/script-tag-safe3.html?q=alert(/This+is+a+safe+script./)%3B'>
+<iframe src='http://localhost:8000/security/xssAuditor/resources/script-tag-safe3.html?q=console.log(/This+is+a+safe+script./)%3B'>
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt

@@ -1 @@
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&q=%3Cscript%3E/*%3C!CDATA[*/alert(/XSS/)&q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&q=%3Cscript%3E/*%3C!CDATA[*/console.log(/XSS/)&q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
 

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html

@@ -9 +9 @@
 </head>
 <body>
-<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]>*/&q=<script>/*<!CDATA[*/alert(/XSS/)&q2=</script>">
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]>*/&q=<script>/*<!CDATA[*/console.log(/XSS/)&q2=</script>">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt

@@ -1 @@
-ALERT: This is a safe script.
+CONSOLE MESSAGE: This is a safe script.
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt

@@ -1 @@
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
-ALERT: XHR response - Set the foo cookie
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+CONSOLE MESSAGE: XHR response - Set the foo cookie
 Test case for bug 37781: [XHR] Cross-Origin asynchronous request with credential raises NETWORK_ERR
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt

@@ -1 @@
-ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
-ALERT: XHR response - Set the foo cookie
+CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+CONSOLE MESSAGE: XHR response - Set the foo cookie
 Test case for bug 37781: [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
 

trunk/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt

@@ -2 +2 @@
 frame "<!--frame1-->" - didStartProvisionalLoadForFrame
 frame "<!--frame1-->" - didCommitLoadForFrame
-ALERT: PASS
+CONSOLE MESSAGE: PASS
 frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 frame "<!--frame2-->" - didStartProvisionalLoadForFrame
 frame "<!--frame2-->" - didCommitLoadForFrame
-ALERT: PASS
-ALERT: PASS
+CONSOLE MESSAGE: PASS
+CONSOLE MESSAGE: PASS
 frame "<!--frame2-->" - didFinishDocumentLoadForFrame
 frame "<!--frame2-->" - didHandleOnloadEventsForFrame

trunk/LayoutTests/plugins/fullscreen-plugins-dont-reload-expected.txt

@@ -1 @@
-ALERT: Plugin Loaded!
+CONSOLE MESSAGE: Plugin Loaded!
 go fullscreen
 There should only be one ALERT. If there were two, the plugin was reloaded during the transition to fullscreen.

trunk/LayoutTests/plugins/plugin-document-back-forward-expected.txt

@@ -1 @@
-ALERT: Plugin Loaded!
-ALERT: Plugin Loaded!
+CONSOLE MESSAGE: Plugin Loaded!
+CONSOLE MESSAGE: Plugin Loaded!
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-02-09  Chris Dumez  <cdumez@apple.com>
+
+        Disallow alert/confirm/prompt in cross-origin-domain subframes
+        https://bugs.webkit.org/show_bug.cgi?id=221568
+
+        Reviewed by Geoff Garen.
+
+        Disallow alert/confirm/prompt in cross-origin-domain subframes as per the latest HTML specification:
+        - https://github.com/whatwg/html/pull/6297
+
+        Tests: http/tests/security/cross-origin-js-prompt-forbidden.html
+               http/tests/security/same-origin-different-domain-js-prompt-forbidden.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::alert):
+        (WebCore::DOMWindow::confirmForBindings):
+        (WebCore::DOMWindow::prompt):
+        * page/SecurityOrigin.cpp:
+        * page/SecurityOrigin.h:
+
 2021-02-09  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/page/DOMWindow.cpp

@@ -1113 +1113 @@
     }
 
+    if (!document()->securityOrigin().canAccess(document()->topDocument().securityOrigin())) {
+        printErrorMessage("Use of window.alert is not allowed in different origin-domain iframes.");
+        return;
+    }
+
     frame->document()->updateStyleIfNeeded();
 #if ENABLE(POINTER_LOCK)
@@ -1141 +1146 @@
     }
 
+    if (!document()->securityOrigin().canAccess(document()->topDocument().securityOrigin())) {
+        printErrorMessage("Use of window.confirm is not allowed in different origin-domain iframes.");
+        return false;
+    }
+
     frame->document()->updateStyleIfNeeded();
 #if ENABLE(POINTER_LOCK)
@@ -1166 +1176 @@
     if (!page->arePromptsAllowed()) {
         printErrorMessage("Use of window.prompt is not allowed while unloading a page.");
+        return String();
+    }
+
+    if (!document()->securityOrigin().canAccess(document()->topDocument().securityOrigin())) {
+        printErrorMessage("Use of window.prompt is not allowed in different origin-domain iframes.");
         return String();
     }

trunk/Source/WebCore/page/SecurityOrigin.h

@@ -96 +96 @@
     // script from one security origin to read or write objects from
     // another SecurityOrigin.
+    // This method implements the "same origin-domain" algorithm from the HTML Standard:
+    // https://html.spec.whatwg.org/#same-origin-domain
     WEBCORE_EXPORT bool canAccess(const SecurityOrigin&) const;
 

trunk/Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp

@@ -181 +181 @@
         else if (strcasecmp(argn[i], "src") == 0 &&
                  strcasecmp(argv[i], "data:application/x-webkit-test-netscape,alertwhenloaded") == 0)
-            executeScript(obj, "alert('Plugin Loaded!')");
+            executeScript(obj, "console.log('Plugin Loaded!')");
         else if (strcasecmp(argn[i], "src") == 0 &&
                  strcasecmp(argv[i], "data:application/x-webkit-test-netscape,logifloaded") == 0) {