Tests for UXSS with window.open()

These tests make sense if native UIWebView's window.open() is overridden and if cross-tab document.write is supported.

Test case: UXSS attempt against http://www.example.com (immediate)

This test case calls window.open("http://www.example.com") and tries to execute JavaScript there.

JavaScript should write location.href value in the new tab's content (ignore address bar for this test case).

If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.

This test case calls window.open("http://www.example.com") and tries to execute JavaScript there after 5s delay.

JavaScript should write location.href value in the new tab's content after 5s delay (ignore address bar for this test case).

If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
If no location.href value is written and http://www.example.com page is still loaded, it means document.write was safely refused.

This test case calls window.open("about:blank"), redirects the child window to www.example.com and tries to execute JavaScript there.

JavaScript should write location.href value in the new tab's content after 5s delay (ignore address bar for this test case).

If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
If no location.href value is written and http://www.example.com page is still loaded, it means document.write was safely refused.

This test case calls window.open("redirect.html"), redirects the child window to www.example.com and tries to execute JavaScript there.

JavaScript should write location.href value in the new tab's content after 5s delay (ignore address bar for this test case).

If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
If no location.href value is written and http://www.example.com page is still loaded, it means document.write was safely refused.

This test case calls window.open(location.href), redirects the child window to www.example.com and tries to execute JavaScript there.

JavaScript should write location.href value in the new tab's content after 5s delay (ignore address bar for this test case).

If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
If no location.href value is written and http://www.example.com page is still loaded, it means document.write was safely refused.

This test case calls window.open("http://a%5c") and tries to execute JavaScript there.

JavaScript should write location.href value in the new tab's content (ignore address bar for this test case).

If this value is "about:blank", "https://ios.browsr-tests.com/alt/" or does not appear at all, it is probably safe.
If this value starts with "applewebdata:", you just detected a Universal Cross-Site Scripting vulnerability.
If the browser crashes, you probably found a null pointer dereference bug.
If this value is anything else, I don't know ;-)