Invalid. The exception you're getting comes from the line if (top.content.location.href.indexOf("https://") == -1) which *reads* href. If you take out the "if", you'll find that you are allowed to modify href even outside of a try/catch block. You're allowed to set the href because you own the frame, but you're not allowed to read it because you don't own the content of the frame. This doesn't allow phishing because your URL is still displayed in the address bar.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID
Removing confidential flag from bugs resolved INVALID
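The read/write asymmetry described in the resolution comment, as an added example that is not code from the bug report or from Mozilla: a check that tolerates an unreadable `href` and still performs the permitted write. The factory is a constructed stand-in for a frame's `location` so the block runs outside a browser; all function names and URLs are hypothetical.

```javascript
// Constructed stand-in for a frame's Location object. When `readable` is
// false it behaves like a cross-origin Location: the href getter throws a
// SecurityError, while the href setter still navigates.
function makeLocation(startUrl, readable) {
  let current = startUrl;
  const navigations = []; // records every write, for inspection
  return {
    navigations,
    get href() {
      if (!readable) {
        const err = new Error("Permission denied to read cross-origin href");
        err.name = "SecurityError";
        throw err;
      }
      return current;
    },
    set href(url) {
      current = url;
      navigations.push(url);
    },
  };
}

// Read href, mapping a SecurityError to null ("unknown") instead of letting
// it propagate. Any other error is a real bug and is rethrown.
function readHrefOrNull(location) {
  try {
    return location.href;
  } catch (e) {
    if (e.name === "SecurityError") return null;
    throw e;
  }
}

// Navigate the frame to httpsUrl unless it is known to be on https already.
// The write is allowed even when the preceding read was refused.
function ensureHttps(location, httpsUrl) {
  const href = readHrefOrNull(location);
  if (href !== null && href.startsWith("https://")) return "already-https";
  location.href = httpsUrl;
  return href === null ? "navigated-unreadable" : "navigated-from-http";
}
```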