Closed
Bug 1160727
Opened 10 years ago
Closed 10 years ago
iframe Same Origin bypass which affects parent window
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: s.h.h.n.j.k, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Steps to reproduce:
1. Go to https://safendup-xss-game.appspot.com/
2. Search with "<script>window.top.location.replace("https://www.google.com");</script>"
Actual results:
The parent window is redirected by a cross-origin script, which bypasses X-Frame-Options Same Origin.
Expected results:
Prevent the child iframe's script from affecting the parent window. If you search with "<script>window.location.replace("https://www.google.com");</script>", which is without "top", Firefox says "Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing."
Reporter • Updated 10 years ago
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Comment 1 • 10 years ago (Reporter)
Sorry, my explanation was logically bad.
Please try searching with "<script>window.top.alert(1);</script>"
The browser says "Error: Permission denied to access property 'alert'"
From this, we know that the child frame should not have any ability to affect the parent window.
Comment 2 • 10 years ago
You seem to be confused. Navigating parent frames is always allowed, unless the parent has restricted the iframe in some way, e.g. by a sandbox attribute that omits "allow-top-navigation". The reason Google doesn't want to load inside the frame is because Google itself specifies this for its page with X-Frame-Options. This has nothing to do with the test page that you're using.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
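The restriction Comment 2 describes is set by the embedding page, so it can be audited in the parent's markup. The following is an added example, not part of the bug report or of Firefox: it scans constructed sample markup (the `widgets.example` host and all function names are assumptions) and reports which iframes the parent has left able to navigate the top window.

```javascript
// Constructed sample of a parent page's embedding markup (placeholder host).
const SAMPLE_PARENT_HTML = `
<iframe src="https://widgets.example/search"></iframe>
<iframe src="https://widgets.example/search" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="https://widgets.example/search" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://widgets.example/search" sandbox="Allow-Scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://widgets.example/search" sandbox></iframe>
`;

// Parse name="value" pairs; a bare attribute (e.g. `sandbox`) maps to "".
function parseAttributes(attrText) {
  const attrs = new Map();
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? "");
  }
  return attrs;
}

// Classify what the parent permits. `sandboxValue` is null when the
// attribute is absent, which means the parent imposes no restriction.
function topNavigationPolicy(sandboxValue) {
  if (sandboxValue === null) return "allowed";
  // Sandbox tokens are space-separated and ASCII case-insensitive.
  const tokens = new Set(sandboxValue.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has("allow-top-navigation")) return "allowed";
  if (tokens.has("allow-top-navigation-by-user-activation")) return "user-activation-only";
  return "blocked"; // sandboxed without a top-navigation token
}

// Simplified tag scan for audit purposes, not a full HTML parser.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const sandbox = attrs.has("sandbox") ? attrs.get("sandbox") : null;
    results.push({ src: attrs.get("src") ?? "", sandbox,
                   topNavigation: topNavigationPolicy(sandbox) });
  }
  return results;
}

for (const r of auditIframes(SAMPLE_PARENT_HTML)) {
  console.log(`${r.topNavigation.padEnd(20)} sandbox=${JSON.stringify(r.sandbox)} ${r.src}`);
}
```

Whether the destination then renders inside a frame is a separate decision made by the destination's own X-Frame-Options header, as Comment 2 notes for Google.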