Closed
Bug 274225
Opened 20 years ago
Closed 20 years ago
HP Speechbot when put in an embedded IFRAME tag, can redirect browser to page (shooting the use of the embedded frame tag)
Categories
(Firefox :: General, defect)
RESOLVED
WONTFIX
People
(Reporter: riseofthethorax, Assigned: bugzilla)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Don't know if you can help here, but this is a bit bothersome. I've been generating IFRAMEs in my page to get people to look at sites I've found. I tried this with the HP Speechbot site, and the site redirected my browser to their site. Somehow it recognized that I was placing them in an IFRAME, or in some kind of frame. Would be neat if I could somehow disable their access to the Javascript features that my page has access to, like giving sites in frames limited Javascript access over the parent including the IFRAME.

Reproducible: Always

Steps to Reproduce:
1. Put HP Speechbot search in a frame in HTML
2. View site
3.

Actual Results:
Will now be looking at HP Speechbot site and your site or webpage is history.

Expected Results:
HP Speechbot site in a frame on my web page, viewable as a sub frame from my blog.

BTW, if you like the best 100 top hits from 1976 to 1984, and have Rhapsody (which kicks Napster's butt), there are Rhapsody playlists for 100 top hits of every year: http://www.bl3nder.com/music/rhapsody/
Comment 1 (Reporter) • 20 years ago
The address to try again is http://www.bl3nDer.com/music/rhapsody/disect.php
Comment 2 • 20 years ago
Allowing site X control over what site Y does with javascript would represent a potential security hole (cross-site scripting anyone?). This is a very common bit of javascript used to prevent sites from embedding content from other sites. In this particular case, HP obviously doesn't want their content used within frames at all, which is perfectly legitimate. This could easily be used to embed a site for phishing purposes, so I can't see a reason to allow this. WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Comment 3 (Reporter) • 20 years ago
If you ever write an operating system, tell me about it so I can avoid your self-righteous security holes. There is no reason for a script within a frame from another site to make calls to the parent script; that means that if I had an advertisement in a site, and used a frame, the person with the ad could then change the content of my site by sending method calls to the parent objects. Now I can see why designers and programmers don't get along.
Comment 4 (Reporter) • 20 years ago
(In reply to comment #3)
> if you ever write an operating system,
> tell me about it so I can avoid your self-righteous
> security holes. There is no reason for a script within a

Okay, I see where I was wrong. I found plenty of sites with code that exploits Javascript to break out of frames. The problem that I see with this is it allows someone to have control over your site from a frame, to even, say, read your site's cookies and submit them to their site, by using the frame's access to the parent. I haven't messed with this but I think it would be possible if the site in the frame has access rights. What I would do is enforce the property that the content in the frame is an object, and that object is only capable of access within its realm. The object could be told that it's in a frame, or it should be able to tell that it is in a frame using Javascript and the DOM object hierarchy. Then it could choose to black itself out, put in DHTML to layer on the frame "this is a frame, please understand that this content is not a part of the site which has included it as a frame". This is a better solution, and would ruin the phishing schemes by notifying the user that the link that was given them is from a phisher and not, say, affiliated with PayPal or eBay. It would also allow the legitimate use of a frame, which is what I was doing, to allow people to see sites that I had found rather than seeing links; it's actually an encouragement of recognition of websites, by first seeing them before judging the representation of the link. Like if I gave you a URL or a link, I would have to find a way to entice you to click the link to go to the site, or I could preload it on the browser by using a frame.
It's like using a frame of a TV (to allow quotations from video) to denote the video is from another context other than from the TV program presenting the video (this is a requirement, I believe, to allow people to reference video content without permission, same as for referencing radio content and CDs). What I'm saying is the "breaking of the frames" acts against the will of those framing the content, by giving any of those whose content is being framed control over components of the parent page, which is like showing content from FOX TV in reference, and having FOX change the channel to theirs. With a website, if the website knows the referrer is framing it, it should not be allowed to change the channel, but instead change the look of the frame, and even overlay imagery on the website in the frame (by way of DHTML, or by use of server-side scripting) to show that the content shown is not representative of the site presenting the frame. The framed site could even change the frame's look to denote this. And this would enforce the security of the content that frames the content while informing the user of the difference. This is better than "breaking out of the frame" because, say, I could use the "break out effect" to cause users to adopt my URL in place of someone else's, by offering links in my site to a page that breaks out into someone else's site. Would the users then interpret my site to be the one offering up the other's site? I can also write PHP scripts to pre-parse pages and protect my site from the other by either disabling their Javascript and providing the HTML with absolute links to their site (allowing me to also change links in their site to point to my site). But what would be more kosher is I could parse their content and determine if the content uses Javascript code that "breaks my frames"; then I could provide links to their site with the added remark "the guys are lame, they want to be a portal site".

BTW, if I find any site-specific content in Firefox, like "ignore IP address 123.123.123.123", I will bring it to the authorities including Microsoft; don't even think about using Firefox to control the observation of content. Hey, I bet Microsoft will do that to keep Firefox from being recognized. It would be a nice anti-campaign.
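Comment 2 describes the frame-busting script that replaced the reporter's page, and comment 4 proposes that a framed page instead detect the embedding and label itself. The JavaScript below is an added example, not code from this bug, from Mozilla or from HP's site. It shows both reactions against minimal window/document stand-ins (the origins framed.example, blog.example and partner.example are constructed), and goes beyond the thread by adding the server-declared policy that later replaced script-based frame-busting: the X-Frame-Options header and the CSP frame-ancestors directive, which the browser evaluates before any script in the frame runs.

```javascript
// Added example (not from the bug thread or HP's site). The functions take window- and
// document-like objects so they can be exercised outside a browser; in a real page
// pass the global `window` and `document`.

function isFramed(win) {
  // A document is embedded when its own window is not the top-level browsing context.
  return win.top !== win.self;
}

function frameBust(win) {
  // Legacy frame-busting (comment 2): navigate the top-level window to this page's own
  // URL. Browsers permit assigning a cross-origin top.location, which is why the
  // embedding page is discarded and the reporter ended up on the framed site.
  if (!isFramed(win)) return "not framed";
  win.top.location = win.self.location.href;
  return "busted";
}

function labelIfFramed(win, doc) {
  // Comment 4's alternative: keep rendering, but insert a visible notice so the user
  // knows the framed content is not part of the surrounding page.
  if (!isFramed(win)) return null;
  const banner = doc.createElement("div");
  banner.setAttribute("role", "alert");
  banner.textContent =
    "Embedded from " + win.self.location.host +
    "; this content is not part of the page containing the frame.";
  doc.body.insertBefore(banner, doc.body.firstChild);
  return banner.textContent;
}

// ---- Server-declared policy, evaluated the way a browser does before loading ----

function sourceAllows(source, pageOrigin, embedderOrigin) {
  // Simplified CSP source matching: keywords, "*", a host with optional scheme,
  // and a "*." host wildcard. Ports and paths are ignored in this example.
  if (source === "'none'") return false;
  if (source === "'self'") return embedderOrigin === pageOrigin;
  if (source === "*") return true;
  const embedder = new URL(embedderOrigin);
  const [scheme, hostPart] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme !== null && scheme + ":" !== embedder.protocol) return false;
  if (hostPart.startsWith("*.")) return embedder.hostname.endsWith(hostPart.slice(1));
  return hostPart === embedder.hostname;
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  // Decide whether a page served with `headers` may be framed by `embedderOrigin`.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim()).find(d => d.startsWith("frame-ancestors"));
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    const sources = directive.split(/\s+/).slice(1);
    return sources.some(s => sourceAllows(s, pageOrigin, embedderOrigin));
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  // No policy header: any site may frame the page, and only script-based
  // detection such as isFramed() remains.
  return true;
}

// ---- Constructed stand-ins so the functions above run without a browser ----

function fakeWindow(framed) {
  const self = { location: { href: "https://framed.example/search", host: "framed.example" } };
  self.self = self;
  self.top = framed ? { location: null } : self;   // a distinct parent object when framed
  return self;
}

function fakeDocument() {
  const body = {
    children: [],
    firstChild: null,
    insertBefore(node) { this.children.unshift(node); this.firstChild = node; return node; },
  };
  return {
    body,
    createElement(tag) {
      return { tag, attributes: {}, textContent: "", setAttribute(k, v) { this.attributes[k] = v; } };
    },
  };
}

// Demonstration on the constructed stand-ins.
const framedWin = fakeWindow(true);
console.log(labelIfFramed(framedWin, fakeDocument()));         // the banner text
console.log(frameBust(framedWin), framedWin.top.location);     // "busted" https://framed.example/search
console.log(framingAllowed({ "X-Frame-Options": "DENY" },
  "https://framed.example", "https://blog.example"));          // false
```

In a real page the framed site calls `labelIfFramed(window, document)` from its own script; the header check runs on the server side, where the policy is set. The restriction the reporter asks for in the description (limiting what a framed document may do to its parent) is what the HTML `sandbox` attribute on `<iframe>` later provided: without `allow-top-navigation` a sandboxed frame is not permitted to navigate the top-level page, so a frame-busting script inside it is blocked.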
Comment 5 (Reporter) • 20 years ago
I was able to come up with an interesting anti-hack to help you understand how this decision to allow access to the parent can be trouble. See http://www.bl3nder.com/music/rhapsody/abuse2.html. I could elaborate on this, but maybe you will get the point. Someone could place code like this on a popular site, and bring down a server by using a client browser as a method of something like a ping flood. And all because you want people to have access to the parent document to unbreak frames. Shall I look for more hacks?