Open Bug 1841198 Opened 1 year ago Updated 1 year ago

Implement frame busting protection

Categories

(Core :: Privacy: Anti-Tracking, enhancement)

UNCONFIRMED

People

(Reporter: grazhdanindollar, Unassigned)

Details

(Keywords: dupeme)

Steps to reproduce:

Every FF version is affected.
Visit a site that embeds a frame-busting third-party site.
Mostly noticeable in the marketing/website advertisement/traffic exchange niches.

Chrome used to have this feature as a flag option years ago, and they later enabled it by default.
It was named "Frame busting requires same-origin".
It protects from:

1. Doorways and similar stuff that are embedded, framed into another site. For example, I recently visited a site that has a blogspot page embedded, and that page had a doorway to adult content, so when I visited the site, the embedded page broke the top frame and redirected to an adult content site. Was I happy to see it? Nope.

2. Expired domains and badly configured sites. I have noticed that some expired-domain landing pages are frame breakers, and when a site has third-party content from an expired domain, it also breaks the top frame.

A public example is http://ndossougbe.github.io/web-sandbox/interventions/3p-redirect.
I can provide more examples if needed.
My other report was also posted here last year:
https://connect.mozilla.org/t5/ideas/implement-frame-busting-protection/idi-p/20909

Actual results:

The top frame is busted without user interaction and with no option to prevent it.

Expected results:

Like Chrome does - a notification in the URL bar that an unwanted redirect is blocked.

The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core
Keywords: dupeme
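
An embedder-side check for the problem described in this report, as an added example that is not part of the original report and is not Firefox or Chrome code. It goes beyond the report by using the standard iframe `sandbox` attribute, which lets a site owner restrict top-frame navigation regardless of the browser default; the function names, level names and URLs below are constructed for illustration.

```javascript
// Added example: classify how freely each embedded frame can navigate the
// top-level page, judged only from the embedding page's own markup.
const TOP_NAV = "allow-top-navigation";
const TOP_NAV_GESTURE = "allow-top-navigation-by-user-activation";

// embed.sandbox: undefined = no sandbox attribute on the iframe;
// a string = the attribute value ("" is the most restrictive sandbox).
function classifyEmbed(pageUrl, embed) {
  const sameOrigin =
    new URL(embed.src, pageUrl).origin === new URL(pageUrl).origin;
  let level;
  if (embed.sandbox === undefined) {
    level = "unrestricted"; // nothing in the markup blocks top.location writes
  } else {
    // Sandbox tokens are space-separated and ASCII case-insensitive.
    const tokens = new Set(
      embed.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    if (tokens.has(TOP_NAV)) level = "unrestricted";
    else if (tokens.has(TOP_NAV_GESTURE)) level = "gesture-only";
    else level = "blocked";
  }
  // An unrestricted frame from the page's own origin is not third-party.
  return level === "unrestricted" && sameOrigin ? "first-party" : level;
}

// Return the third-party embeds that could bust the top frame with no click.
function auditEmbeds(pageUrl, embeds) {
  return embeds
    .map((e) => ({ src: e.src, level: classifyEmbed(pageUrl, e) }))
    .filter((r) => r.level === "unrestricted");
}

// Constructed sample data (hypothetical page and embeds).
const PAGE = "https://publisher.example/article";
const SAMPLE_EMBEDS = [
  { src: "/widgets/comments.html" },
  { src: "https://ads.example/banner" },
  { src: "https://blog.example/post", sandbox: "allow-scripts" },
  { src: "https://video.example/p",
    sandbox: "allow-scripts allow-top-navigation-by-user-activation" },
  { src: "https://old.example/w", sandbox: "allow-scripts Allow-Top-Navigation" },
];

for (const finding of auditEmbeds(PAGE, SAMPLE_EMBEDS)) {
  console.log(`review: ${finding.src} can navigate the top frame unprompted`);
}
```

Embeds reported as "unrestricted" depend entirely on the browser's default policy; adding `sandbox` without `allow-top-navigation` moves them to "blocked" or "gesture-only".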