iframe Same Origin bypass which affects parent window

Status: RESOLVED INVALID

People

(Reporter: s.h.h.n.j.k, Unassigned)

Tracking

1.0 Branch
x86_64
Windows 7

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce:

1. Go to https://safendup-xss-game.appspot.com/
2. search with "<script>window.top.location.replace("https://www.google.com");</script>"

Actual results:

The parent window is redirected by a cross-origin script, which bypasses X-Frame-Options Same Origin.


Expected results:

Prevent the child iframe's script from affecting the parent window. If you search with "<script>window.location.replace("https://www.google.com");</script>", which is without "top", Firefox says "Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing."
(Reporter)

Updated

4 years ago
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
(Reporter)

Comment 1

4 years ago
Sorry, my explanation was logically bad.
Please try searching with "<script>window.top.alert(1);</script>"
The browser says "Error: Permission denied to access property 'alert'"

By this, we know that the child frame should not have any ability to affect the parent window.

Comment 2

4 years ago
You seem to be confused. Navigating parent frames is always allowed, unless the parent has restricted the iframe in some way, e.g. by a sandbox attribute that omits "allow-top-navigation". The reason Google doesn't want to load inside the frame is because Google itself specifies this for its page with X-Frame-Options. This has nothing to do with the test page that you're using.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
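The embedder-side control Comment 2 names, sandboxing the iframe without `allow-top-navigation`, as an added example that is not part of this bug report: a small Node.js audit that flags cross-origin iframes whose embedder still lets them navigate the top-level window. The sample HTML and the hostnames `embedder.example` and `third-party.example` are constructed for the example.

```javascript
// Added example, not from the bug report: audit <iframe> tags for the case Comment 2
// describes. A cross-origin frame may navigate the top-level window unless the embedder
// sandboxes it without "allow-top-navigation". Sample HTML and hostnames are constructed.

const SAMPLE_HTML = `
<iframe src="https://third-party.example/widget"></iframe>
<iframe src="https://third-party.example/widget" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://third-party.example/widget" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="/local/help.html"></iframe>
<iframe src="https://third-party.example/widget" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
`;

// Parse one <iframe ...> start tag's attributes into a Map (regex suffices for the sample).
function parseAttrs(startTag) {
  const inner = startTag.replace(/^<iframe\b/i, "").replace(/\/?>$/, "");
  const attrs = new Map();
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of inner.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// What the sandbox tokens let the frame do to window.top: no sandbox attribute or
// allow-top-navigation -> "unrestricted"; the by-user-activation token -> gated; else blocked.
function topNavigationPolicy(attrs) {
  if (!attrs.has("sandbox")) return "unrestricted";
  const tokens = new Set(attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has("allow-top-navigation")) return "unrestricted";
  if (tokens.has("allow-top-navigation-by-user-activation")) return "user-activation-only";
  return "blocked";
}

// The frame is cross-origin when its resolved src origin differs from the embedder's.
function isCrossOrigin(src, embedderOrigin) {
  try { return new URL(src, embedderOrigin).origin !== embedderOrigin; } catch { return true; }
}

// Report every cross-origin iframe that can still navigate the top-level window.
function auditIframes(html, embedderOrigin) {
  const findings = [];
  for (const match of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(match[0]);
    const src = attrs.get("src") ?? "";
    if (!isCrossOrigin(src, embedderOrigin)) continue;
    const policy = topNavigationPolicy(attrs);
    if (policy !== "blocked") findings.push({ src, policy, sandbox: attrs.get("sandbox") ?? null });
  }
  return findings;
}
```

Running `auditIframes(SAMPLE_HTML, "https://embedder.example")` reports the first, second and fifth frames; only the frame sandboxed with `allow-scripts allow-forms` is silent, because omitting both top-navigation tokens is what actually blocks `window.top.location` from a cross-origin child.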