Closed Bug 1160727 Opened 9 years ago Closed 9 years ago

iframe Same Origin bypass which affects parent window

Categories

(Firefox :: Untriaged, defect)

1.0 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce:

1. Go to https://safendup-xss-game.appspot.com/
2. Search with "<script>window.top.location.replace("https://www.google.com");</script>"



Actual results:

The parent window is redirected by a cross-origin script, which bypasses X-Frame-Options Same Origin.


Expected results:

Prevent the child iframe's script from affecting the parent window. If you search with "<script>window.location.replace("https://www.google.com");</script>", which is without "top", Firefox says "Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing."
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Sorry, my explanation was logically bad.
Please try searching with "<script>window.top.alert(1);</script>"
Browser says "Error: Permission denied to access property 'alert'"

By this, we know that a child frame should not have any ability to affect the parent window.
You seem to be confused. Navigating parent frames is always allowed, unless the parent has restricted the iframe in some way, e.g. by a sandbox attribute that omits "allow-top-navigation". The reason Google doesn't want to load inside the frame is because Google itself specifies this for its page with X-Frame-Options. This has nothing to do with the test page that you're using.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
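
The restriction named in the closing comment (a sandbox attribute that omits "allow-top-navigation") can be audited on the embedding page. The following is an added example, not part of the original bug thread: it classifies each iframe in an HTML string by whether its framed content may navigate the top window. The function names and the example.test URLs are hypothetical, and the handling of the "allow-top-navigation-by-user-activation" token goes beyond what the thread mentions.

```javascript
// Added example (not from the bug report): classify each <iframe> in an HTML
// string by whether its sandbox attribute lets framed content navigate the top window.
// Assumption: well-formed tags with no ">" inside attribute values.

function parseAttrs(raw) {
  const attrs = new Map();
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    // A bare attribute such as `sandbox` is stored with an empty value.
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

function topNavigationPolicy(attrs) {
  // No sandbox attribute at all: the frame is unrestricted.
  if (!attrs.has("sandbox")) return "allowed";
  const tokens = new Set(attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has("allow-top-navigation")) return "allowed";
  if (tokens.has("allow-top-navigation-by-user-activation")) return "user-gesture-only";
  return "blocked"; // sandbox present and no top-navigation token
}

function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    findings.push({ src: attrs.get("src") ?? "", topNavigation: topNavigationPolicy(attrs) });
  }
  return findings;
}

// Constructed sample page; the example.test URLs are placeholders.
const SAMPLE_HTML = `
<iframe src="https://a.example.test/widget"></iframe>
<iframe src="https://b.example.test/widget" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://c.example.test/widget" sandbox="allow-scripts allow-forms"></iframe>
<iframe sandbox src='https://d.example.test/widget'></iframe>
<iframe src="https://e.example.test/widget" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
`;

for (const f of auditIframes(SAMPLE_HTML)) {
  console.log(`${f.topNavigation.padEnd(17)} ${f.src}`);
}
```

Frames reported as "allowed" are the ones whose content can replace the embedding page's location, which is the behaviour the reporter observed.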