Open Bug 1419501 Opened 7 years ago Updated 2 months ago

consider requiring user interaction for cross-origin iframe window.top.location navigation

Categories

(Core :: DOM: Core & HTML, enhancement, P3)

57 Branch
enhancement

Tracking

()

People

(Reporter: bkelly, Unassigned)

References

()

Details

(Keywords: spec-needed)

We should consider requiring user interaction before allowing a cross-origin iframe to navigate the top window. For example, to prevent stuff like this: https://twitter.com/NateTheFinch/status/933030604844740609 Chrome has been running an intervention to experiment with this and are shipping some kind of mitigation in chrome 64: https://github.com/WICG/interventions/issues/16 If they are successful in shipping that, it might be nice to follow suit.
Priority: -- → P3
See Also: → 1433267
Component: DOM → DOM: Core & HTML
Severity: normal → S3
Duplicate of this bug: 1814879
You need to log in before you can comment on or make changes to this bug.