Closed Bug 1749231 Opened 3 years ago Closed 3 years ago

Same-Origin Policy is not accounted for when redirecting top-level frame from cross-origin iframe using the Location object

Categories

(Core :: DOM: Navigation, defect)

Firefox 95
defect


RESOLVED DUPLICATE of bug 1741319

People

(Reporter: lukew, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0

Steps to reproduce:

To reproduce, create a page that loads a cross-origin iframe. The cross-origin iframe can redirect the top-level frame with window.parent.location.replace("about:blank") or window.parent.location.href = "about:blank".

I have attached an example. You can open the file from anywhere as long as ab.html is located at http://localhost:8081/ and the page isn't loaded from the same origin.

Actual results:

In the example, the cross-origin iframe was able to redirect the top-level frame using the Location object to "Rick Astley - Never Gonna Give You Up [HQ]" on YouTube. This happens both on stable Firefox 95.0.1 and Firefox Nightly 97.0a1 (2022-01-08) (64-bit).

Expected results:

The redirect should have been blocked due to Same-Origin policy.

For example, Chrome says in the developer console "Unsafe attempt to initiate navigation for frame with URL 'http://localhost:8080/aa.html' from frame with URL 'http://localhost:8081/ab.html'. The frame attempting navigation is targeting its top-level window, but is neither same-origin with its target nor has it received a user gesture.".

I am unsure what Safari says in the developer console as I tested it on iOS, but it also blocks this redirect as nothing happens when opening the page.

Reading more into it, this seems like an intentional feature and is blocked if the sandbox attribute is specified. However, Safari and Chrome have shipped to block this by default. I'll let you decide if this is still valid or not.
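As an added illustration (not Gecko or Blink code and not the bug's attachment), the following script models the navigation rules the report and the Chrome console message describe: a sandbox attribute on the embedding iframe blocks top-level navigation unless it grants allow-top-navigation (or allow-top-navigation-by-user-activation together with a user gesture); without sandbox, the spec behaviour Firefox 95 follows lets the framed page navigate top, while the Chromium intervention requires the frame to be same-origin with the top frame or to have received a user gesture. The function names, the `auditIframeTag` helper and the walk-through values are this example's own; the two URLs are the ones from the report.

```javascript
// Added illustration of when a nested frame may navigate its top-level frame
// via window.parent.location. Not Gecko, Blink or the bug's attachment; the
// rule set below follows the sandbox flags and the Chromium intervention
// described in the bug, and all function and parameter names are assumptions.

function parseSandbox(attr) {
  // No attribute at all means the frame is not sandboxed; sandbox="" (empty)
  // is the fully restricted case, so the two must stay distinct.
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

function sameOrigin(urlA, urlB) {
  // Origin comparison the way the browser does it: scheme, host and port.
  return new URL(urlA).origin === new URL(urlB).origin;
}

function canNavigateTop({ frameUrl, topUrl, sandbox = null, userActivation = false, intervention = true }) {
  const flags = parseSandbox(sandbox);

  if (flags !== null) {
    // Sandboxed frame: only the explicit flags grant top-level navigation,
    // even when allow-same-origin makes the frame same-origin with the top.
    if (flags.has("allow-top-navigation")) {
      return { allowed: true, reason: "sandbox grants allow-top-navigation" };
    }
    if (flags.has("allow-top-navigation-by-user-activation") && userActivation) {
      return { allowed: true, reason: "sandbox grants top navigation on user activation" };
    }
    return { allowed: false, reason: "sandboxed without a top-navigation flag" };
  }

  if (sameOrigin(frameUrl, topUrl)) {
    return { allowed: true, reason: "frame is same-origin with the top frame" };
  }
  if (!intervention) {
    // Spec behaviour as of the bug (Firefox 95): any framed page may navigate top.
    return { allowed: true, reason: "no sandbox; spec allows framed content to navigate top" };
  }
  if (userActivation) {
    return { allowed: true, reason: "cross-origin but has a user gesture" };
  }
  return { allowed: false, reason: "cross-origin with no user gesture (Chromium intervention)" };
}

// Defender-side check on an embedder's <iframe ...> start tag: does the
// sandbox attribute keep the embedded document from navigating the top frame?
// Values are assumed to be double-quoted; the regex is deliberately simple.
function auditIframeTag(tag) {
  const m = /(?<=\s)sandbox(?:\s*=\s*"([^"]*)")?(?=[\s>\/])/i.exec(tag);
  const sandbox = m ? (m[1] === undefined ? "" : m[1]) : null;
  const flags = parseSandbox(sandbox);
  if (flags === null) {
    return { sandbox: null, risk: "embedded document can navigate top in browsers without the intervention" };
  }
  if (flags.has("allow-top-navigation")) {
    return { sandbox, risk: "embedded document can navigate top (allow-top-navigation)" };
  }
  return { sandbox, risk: "top navigation blocked by sandbox" };
}

// Constructed walk-through using the two origins named in the bug report.
function demo() {
  const scenario = { frameUrl: "http://localhost:8081/ab.html", topUrl: "http://localhost:8080/aa.html" };
  console.log("Firefox 95 (no intervention):", canNavigateTop({ ...scenario, intervention: false }));
  console.log("Chromium intervention:", canNavigateTop(scenario));
  console.log("sandboxed embed:", canNavigateTop({ ...scenario, sandbox: "allow-scripts" }));
  console.log(auditIframeTag('<iframe src="http://localhost:8081/ab.html">'));
  console.log(auditIframeTag('<iframe src="http://localhost:8081/ab.html" sandbox="allow-scripts">'));
}
demo();
```

The practical takeaway for an embedder is the last two lines of `demo()`: an iframe with a sandbox attribute that omits allow-top-navigation is protected in every browser, whereas an unsandboxed cross-origin iframe depends on the embedding browser having shipped the intervention.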

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Navigation
Product: Firefox → Core
Group: core-security → dom-core-security

This is an intervention which chromium has shipped to change the spec behaviour, and hasn't been standardized yet. We may want to copy it:

WICG intervention issue: https://github.com/WICG/interventions/issues/16
Chrome Status page: https://chromestatus.com/feature/5851021045661696

This might be something we want to do, but I think this is a known issue in the web platform, as seen by Chrome's intervention and the public discussion of it, so I don't think it needs to be hidden.

Group: dom-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
