User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce:
1. Go to https://safendup-xss-game.appspot.com/
2. Search with "<script>window.top.location.replace("https://www.google.com");</script>"

Actual results:
The parent window is redirected by a cross-origin script, which bypasses X-Frame-Options Same Origin.

Expected results:
Prevent the child iframe script from affecting the parent window.

If you search with "<script>window.location.replace("https://www.google.com");</script>", which is without "top", Firefox says "Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing."
Sorry, my explanation was logically bad. Please try searching with "<script>window.top.alert(1);</script>". The browser says "Error: Permission denied to access property 'alert'". By this, we know that the child frame should not have any ability to affect the parent window.
You seem to be confused. Navigating parent frames is always allowed, unless the parent has restricted the iframe in some way, e.g. by a sandbox attribute that omits "allow-top-navigation". The reason Google doesn't want to load inside the frame is because Google itself specifies this for its page with X-Frame-Options. This has nothing to do with the test page that you're using.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
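
The rule stated in the reply above, as an added example that is not part of the original bug thread: a small Node.js audit that reports, for each iframe tag in a page, whether the framed content may navigate the top window. The sample markup and the widgets.example URLs are constructed, the helper names are hypothetical, and the regex-based parsing assumes simple, well-formed tags.

```javascript
// Added example: audit iframe markup for frames whose content may navigate the top window.
// SAMPLE_HTML is constructed for illustration; it is not taken from the test page in the report.
const SAMPLE_HTML = `
<iframe src="https://widgets.example/search"></iframe>
<iframe src="https://widgets.example/ads" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="https://widgets.example/pay" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://widgets.example/help" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://widgets.example/static" sandbox></iframe>
`;

// Returns the attribute value, "" for a bare attribute, or null when the attribute is absent.
// Assumption: attribute names do not appear inside other attributes' quoted values.
function getAttr(tag, name) {
  const re = new RegExp(
    `\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=[\\s>/])`, "i");
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Models the rule from the reply: top navigation is allowed unless the parent
// sandboxes the frame and omits an allow-top-navigation token.
function topNavigationPolicy(tag) {
  const sandbox = getAttr(tag, "sandbox");
  if (sandbox === null) return "allowed"; // no sandbox attribute: the situation in the report
  const tokens = sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes("allow-top-navigation")) return "allowed";
  if (tokens.includes("allow-top-navigation-by-user-activation")) return "user-gesture-only";
  return "blocked"; // sandboxed, and no token re-enables top navigation
}

// Lists every iframe in the markup with its src and top-navigation policy.
function auditFrames(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map((tag) => ({
    src: getAttr(tag, "src"),
    topNavigation: topNavigationPolicy(tag),
  }));
}

console.table(auditFrames(SAMPLE_HTML));
```

Frames reported as "allowed" that host third-party or user-influenced content are the ones to review for a sandbox attribute.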