416574 - Some URLs can hijack the Main Window when opened in a frameset

Status: RESOLVED DUPLICATE of bug 341604

(Firefox :: General, defect)

Description

[Nitin Gupta]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 FirePHP/0.0.5.26
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 FirePHP/0.0.5.26

I have three frames in a frameset, where if I open similar to following to URL, in a frame, it takes over complete window
http://www.nytimes.com/2008/02/09/business/09data.html?_r=1&ref=business&oref=slogin
http://classifieds.myspace.com/index.cfm?fuseaction=classifieds.viewAd&classifiedID=12310220&catID=2&subCatID=12

Sample code:
test.html file
<html>

<frameset cols="25%,50%,25%">

  <frame src="www.craigslist.org">
  <frame src="http://www.nytimes.com/2008/02/09/business/09data.html?_r=1&ref=business&oref=slogin">
  <frame src="frame_c.htm">

</frameset>

</html>


Reproducible: Always

Steps to Reproduce:
1. Load test.html in a browser

Actual Results:  
NY Times or Myspace Classifieds hijack/redirect the frame to take over complete Window

Expected Results:  
We should be able to open different URLs in different frame

This issue can potentially be used as a security hole so I am filing it with high severity.

Comment 1

[Nitin Gupta]

This issue should get resolved by a fix for bug 341604.
BTW, In case of NY times, they are using following frame busting mechanism

  
if (window.self != window.top) {
      top.location.replace(window.location.href);
   }

Comment 2

[Nitin Gupta]

CCing Ian 
https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c5

Ian, Can you recommend something for this particular scenario?

Comment 3

[Gervase Markham [:gerv]]

This is not a security hole. It's just tough. If these sites don't want you framing them, then (as things currently stand), you can't.

Gerv