Closed Bug 667859 Opened 13 years ago Closed 13 years ago

anchor links don't work in frames/iframes

Categories

(Firefox :: General, defect)

5 Branch
All
Other
defect
Not set
critical

RESOLVED DUPLICATE of bug 638598

People

(Reporter: info, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

My customers use anchor links in eBay article descriptions. eBay shows these descriptions in frames/iframes.


Actual results:

Since Firefox 5.0 the anchors don't work anymore. If you mouse over the anchor links, the wrong URL (the URL of the iframe + #anchor) is shown at the bottom right.


Expected results:

Anchor links in frames/iframes should go to the active URL (shown in the Firefox address bar + #anchor).
Example: http://cgi.ebay.de/200541813177

Scroll down until the orange header. Under this header (right side) you see some anchors: "Preise"; "Technische Daten"; "Transportkosten" etc.

Mouse over "Preise" and it shows you the following link: http://vi.ebaydesc.de/ws/eBayISAPI.dll?ViewItemDescV4&item=200541813177&t=1301557232000&ds=0&js=-1&ssid=77&seller=ravensberger-matratzen&category=77508&bv=mozilla&nv=2&sd=1&caz.html#preis

The correct link would be: http://cgi.ebay.de/200541813177#preis

Even if you type the correct link into the address bar it won't work...
Severity: normal → critical
There's no frame or iframe on that page; all I can find is a call for an undefined resizeFrame function.
OK, sorry for that, but if I right-click on the orange header I can choose in German "Aktueller Frame" -> "nur diesen Frame anzeigen" (translation: "current frame" -> "show only this frame"). It must be some kind of frame which causes the problem.
Iframe or frame would append the URL of the page the frame uses if the link only has "#anchor" as its href. That's expected and according to specs.

So you need to show a testcase or a URL where it actually has a failing frame.
Sorry, maybe my English is not good enough to understand you 100% or make my problem understandable for you... I coded a simple example with a real iframe:

http://do1emu.de/frametest.html

You can click the anchors but nothing happens in Firefox 5.0. That can't be "normal"!!!! This (my) page worked for me in:

Firefox 3.6.18
Internet Explorer 9
Safari 5.0.2
Ah, the parent window doesn't scroll into view if the iframe is higher than the viewport. That sounds like a dup of bug 638598.

Just looks like this was intentionally blocked for security in bug 583889 because of information leakage.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Bug 583889 is about inserting an external-domain iframe with an anchor property; that is another situation than clicking an anchor link in an iframe!!!

Bug 638598 says this is a WONTFIX because of bug 583889. I am not sure what that means :) but you can't tell me that clicking an anchor in an iframe is a security risk for me/client. Directly inserting OK - but clicking?? Or did you mean that you can't differentiate between clicking and inserting?
If some webmasters want to abuse their visitors with such things they will find other ways using JavaScript etc. But in my case I can't do that because eBay disallows most JavaScript code. So all in all your "fix" is not better for the community...
The fix is that anchor links from another domain can't scroll that parent window. That is what your example tried to do, and it is what the exploit used (the external big iframe scrolled a small local iframe).

As long as you make the iframe small enough to have scroll area, it will scroll THAT iframe just fine, it won't scroll that parent window though.

See bug 583889 comment 12.
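The rule described in the comment above, as an added example that is not part of the original thread and is not Firefox's code: a simplified model of which viewports a fragment navigation inside a frame may scroll. The frame sizes and offsets are constructed, the two URLs are the eBay hosts quoted in the report, and the same-origin branch is an assumption that the thread does not settle.

```javascript
// Simplified model of the rule described in the comment above; not Gecko code.
const origin = (url) => new URL(url).origin; // scheme + host + port

// chain[0] is the top window; the last entry is the frame whose anchor was clicked.
// targetY is the anchor's offset inside that innermost document (pixels).
function scrollToAnchor(chain, targetY) {
  const inner = chain[chain.length - 1];
  const maxScroll = (f) => Math.max(0, f.contentHeight - f.viewportHeight);
  // The frame's own viewport scrolls only as far as it has scroll area.
  const own = Math.min(targetY, maxScroll(inner));
  const steps = [{ url: inner.url, scrolledTo: own, blocked: false }];
  let y = targetY - own; // anchor position inside the frame's visible box
  for (let i = chain.length - 2; i >= 0; i--) {
    const parent = chain[i];
    // Assumption: an ancestor scrolls only if same-origin with the clicked frame.
    if (origin(parent.url) !== origin(inner.url)) {
      steps.push({ url: parent.url, scrolledTo: null, blocked: true });
      break;
    }
    y += chain[i + 1].offsetInParent;
    const moved = Math.min(y, maxScroll(parent));
    steps.push({ url: parent.url, scrolledTo: moved, blocked: false });
    y -= moved;
  }
  return steps;
}

// Constructed sizes; URLs are the two eBay hosts quoted in the report.
const ebayTop = { url: "http://cgi.ebay.de/200541813177", viewportHeight: 800, contentHeight: 6000 };
const fullHeightDesc = { url: "http://vi.ebaydesc.de/ws/eBayISAPI.dll", offsetInParent: 1200,
  viewportHeight: 4000, contentHeight: 4000 }; // iframe as tall as its content
const smallDesc = { ...fullHeightDesc, viewportHeight: 300 }; // iframe with scroll area

console.log(scrollToAnchor([ebayTop, fullHeightDesc], 2500)); // nothing moves
console.log(scrollToAnchor([ebayTop, smallDesc], 2500));      // only the iframe scrolls
```

In the first case the iframe has no scroll area and the cross-origin parent is not scrolled, which matches the "nothing happens" symptom in the report; in the second the iframe scrolls itself and the parent stays put.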
(In reply to comment #9)
> The fix is that anchor links from another domain can't scroll that parent
> window. That is what your example tried to do, and it is what the exploit
> used (the external big iframe scrolled a small local iframe).

OK, I understand (I read the document from the other ticket) but all this depends on attackers who coded a website loading another website with anchors. The keyword is "loading". If a user clicks anchors by himself there is no more risk!? Because the #anchor info is client side - so no remote coding will detect it!?


So here is my example:

There is someone who wants to insert directly otherdomain.com/index.php#password; the browser doesn't scroll because of directly trying to access some data. So far so good...

But if there is an anchor link in that iframe that the user clicks on, the attacker can't get this. I read that it is not possible to get locations and other attributes of an iframe from other websites with JavaScript. Otherwise he would also be able to read the scrolling position of the iframe that is small enough to scroll on its own too.

If the attacking website scrolls down by clicking an anchor that's in the iframe (and the keyword is now clicking) the attackers can't get the info what the clicked anchor is about! So nothing I am worried about.

Please think about it; you didn't fix this well in my opinion!!!

Even for me it's not possible to get this problem fixed with iframes from the same domain!!! See comment 5 !!!

Thank you for your patience :)