Closed Bug 416574 Opened 17 years ago Closed 17 years ago

Some URLs can hijack the Main Window when opened in a frameset

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 341604

People

(Reporter: chottan_mottan, Unassigned)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 FirePHP/0.0.5.26
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 FirePHP/0.0.5.26

I have three frames in a frameset, where if I open a URL similar to the following in a frame, it takes over the complete window:

http://www.nytimes.com/2008/02/09/business/09data.html?_r=1&ref=business&oref=slogin
http://classifieds.myspace.com/index.cfm?fuseaction=classifieds.viewAd&classifiedID=12310220&catID=2&subCatID=12

Sample code: test.html file

<html>
<frameset cols="25%,50%,25%">
  <frame src="www.craigslist.org">
  <frame src="http://www.nytimes.com/2008/02/09/business/09data.html?_r=1&ref=business&oref=slogin">
  <frame src="frame_c.htm">
</frameset>
</html>

Reproducible: Always

Steps to Reproduce:
1. Load test.html in a browser

Actual Results:
NY Times or Myspace Classifieds hijack/redirect the frame to take over the complete window

Expected Results:
We should be able to open different URLs in different frames

This issue can potentially be used as a security hole, so I am filing it with high severity.
This issue should get resolved by a fix for bug 341604.

BTW, in the case of the NY Times, they are using the following frame-busting mechanism:

if (window.self != window.top) {
  top.location.replace(window.location.href);
}
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Depends on: framesandbox
Resolution: --- → DUPLICATE
CCing Ian
https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c5

Ian, can you recommend something for this particular scenario?
This is not a security hole. It's just tough. If these sites don't want you framing them, then (as things currently stand), you can't.

Gerv
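
The behaviour reported in this bug, as an added example that is not part of the original thread: the quoted frame-busting check is run against constructed stand-ins for browser windows laid out like the reporter's test.html. The helper names (makeWindow, frameBust, loadTestPage, demo) and the nested "inner.htm" frame are hypothetical, and the objects only model the self, top and location.replace properties the check uses.

```javascript
// Constructed stand-in for a browser window (not a real DOM object).
// `parent` is the embedding window, or null for the main window.
function makeWindow(href, parent = null) {
  const win = {
    location: {
      href,
      replace(url) { this.href = url; }, // records the navigation
    },
  };
  win.self = win;
  // `top` is always the outermost window, however deeply a frame is nested.
  win.top = parent ? parent.top : win;
  return win;
}

// The check quoted in the thread, with `window` passed in as a parameter.
function frameBust(window) {
  if (window.self != window.top) {
    window.top.location.replace(window.location.href);
    return true;  // framed: the main window was navigated to this document
  }
  return false;   // already the main window: nothing happens
}

// The reporter's test.html: a main window holding a three-frame frameset.
function loadTestPage() {
  const main = makeWindow("test.html");
  makeWindow("www.craigslist.org", main);
  const article = makeWindow(
    "http://www.nytimes.com/2008/02/09/business/09data.html?_r=1&ref=business&oref=slogin",
    main
  );
  makeWindow("frame_c.htm", main);
  return { main, article };
}

function demo() {
  const { main, article } = loadTestPage();
  const inner = makeWindow("inner.htm", article); // hypothetical nested frame
  const before = main.location.href;
  const busted = frameBust(article);              // runs inside the middle frame
  return {
    before,
    after: main.location.href,        // main window now shows the article URL
    busted,
    nestedTopIsMain: inner.top === main,
    topLevelNoop: frameBust(main) === false,
  };
}
```
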