Cross domain frame navigation is allowed




10 years ago
10 years ago


(Reporter: alexp700, Unassigned)


Firefox Tracking Flags

(Not tracked)




10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0


I am not sure if this is a security violation, and it appears IE7 and Safari both allow this behaviour. I would like to use it, but it strikes me it could be used as an exploit for a cross-site security vulnerability. Therefore I'd like the devs to confirm this is expected behaviour.


A page "http://site1/page.htm" has a frameset. It has two frames, "one" that is set to point to http://site1/subpage1.htm and "two" is set to point to http://site2/page.htm

http://site2/page.htm executes the javascript: 

window.parent.frame["one"].location = "http://site1/subpage2.htm";

This is allowed as long as the page it navigates to is in http://site1 on Firefox and Safari, and seems to be allowed to be anywhere on IE7 - eg "http://site3/another.html".

I would like to use this behaviour to pass data between two domains, using the query string on that redirect, and navigating to a page that can process that data. In my instance its benign - I am trying to pass data between two pages on two sites I have created, but it occurs to me that if you were able to navigate a subframe to a malicious site, that frame could make calls to the server using the session cookies etc.

Is this behaviour by design and will it likely continue into the future? I am trying to avoid using a mechanism that will suddenly stop working.

Kind regards,


Reproducible: Always

Steps to Reproduce:
As above
Actual Results:  

Expected Results:  
Not sure, but probably a security violation when the frame is redirected from http://site2

Comment 1

10 years ago
It's allowed because the parent frame is the same as the frame doing the navigation.  They're from the same origin, and the parent frame could have done the same.

See bug 408052 and -- Adam Barth and Collin Jackson really thought this through a few months ago :)  Firefox 3 uses the "Descendant policy", and your use would be allowed by even the strictest policy that has been in wide use, the "Child policy" (assuming "origin propagation" is allowed).
Group: security
Last Resolved: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.