Closed Bug 1813977 Opened 2 years ago Closed 2 years ago

The cross-origin in the iframe can redirect the current website to a different website

Categories

(Core :: DOM: Navigation, defect)

Firefox 109
Desktop
macOS
defect

RESOLVED DUPLICATE of bug 1800190

People

(Reporter: duckhiem, Unassigned)

Details

On macOS Ventura 13.1 (the latest version of the OS), install Firefox 109.0 (64-bit).

Create an online .html file with:

<script>
top.window.location = "https://www.google.com";
</script>

For example:

https://thisblogtests.blogspot.com/2023/01/top.html

Load:

https://www.w3schools.com/html/tryit.asp?filename=tryhtml_basic

Enter on the left:

<iframe src="https://thisblogtests.blogspot.com/2023/01/top.html"></iframe>

Click Run.

The iframe will redirect the current website https://www.w3schools.com/html/tryit.asp?filename=tryhtml_basic to https://www.google.com.

What happened? (actual results)
The cross-origin in the iframe can redirect the current website to another website.

What should have happened? (expected results)
There should be something (a rule, for example) for this kind of redirect (which is without a user interaction).

I think this is a duplicate of bug 1800190.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Component: Security → DOM: Navigation
Duplicate of bug: 1800190
Product: Firefox → Core
Resolution: --- → DUPLICATE
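
An embedder-side check for the behaviour reported above, added here as an example and not part of the bug report or of Firefox: it audits a page's iframe tags for the `sandbox` tokens that decide whether the framed document may navigate `top` (a sandboxed frame without `allow-top-navigation` cannot). The function names, the embedder URL and all sample markup except the first iframe, which is the one from the report, are assumptions.

```javascript
// Added example: classify each <iframe> by whether its document may navigate `top`.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    // First occurrence wins, as in HTML parsing of duplicate attributes.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

function topNavPolicy(attrs) {
  if (!attrs.has("sandbox")) return "unsandboxed"; // no sandbox restrictions at all
  const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes("allow-top-navigation")) return "allowed";
  if (tokens.includes("allow-top-navigation-by-user-activation")) return "user-activation-only";
  return "blocked"; // sandboxed without a top-navigation token
}

function auditIframes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const tagRe = /<iframe\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  return [...html.matchAll(tagRe)].map(([tag]) => {
    const attrs = parseAttrs(tag);
    const src = attrs.get("src") || "";
    let crossOrigin = false; // no src: treated as staying in the embedder's origin
    if (src) {
      try { crossOrigin = new URL(src, pageUrl).origin !== pageOrigin; }
      catch { crossOrigin = true; } // unparsable src: treat as untrusted
    }
    const policy = topNavPolicy(attrs);
    const risky = crossOrigin && (policy === "unsandboxed" || policy === "allowed");
    return { src, crossOrigin, policy, risky };
  });
}

// Constructed sample: the first iframe is the markup from the report, the rest are made up.
const SAMPLE_PAGE = "https://embedder.example/editor";
const SAMPLE_HTML = `
<iframe src="https://thisblogtests.blogspot.com/2023/01/top.html"></iframe>
<iframe sandbox="allow-scripts" src="https://widgets.example/a.html"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation" src='https://widgets.example/b.html'></iframe>
<iframe src="/local/preview.html"></iframe>`;

for (const f of auditIframes(SAMPLE_HTML, SAMPLE_PAGE)) {
  console.log(f.risky ? "RISK" : "ok  ", f.policy.padEnd(20), f.src);
}
```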