Test assignment to indexed window properties

LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html

Index: LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html
diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html b/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html
new file mode 100644
index 0000000000000000000000000000000000000000..a6b54a1fe164a474f4e2257260378346bec97179
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html
@@ -0,0 +1,13 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+window[0] = {
+    a: "1",
+    f: function() {
+        alert("FAIL: Child called parent.f()");
+    }
+};
+</script>
+<iframe src="data:text/html,<script>alert(parent[0].a);</script><script>parent[0].f();</script>"></iframe><br>

[adamk, 2013/07/22 23:19:28]

Does this load synchronously? If not, you may need to make this test async to
make it non-flaky.

[abarth-chromium, 2013/07/22 23:24:52]

Nope.  The only frames that load synchronously are about:blank frames.
The test framework will wait for the "load" event to fire on the top-level frame
before ending the test.  The "load" event on a frame waits for the "load" event
on all subframes, which means this frame will finish loading before the test
ends.

+This test passes if the access is forbidden.