From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win98; de-DE; m18) Gecko/20010131 Netscape6/6.01 BuildID: 20010505 In the page at http://www.leistungssportler.de, the frames on the start page are not working. there is only the background colour of the index.html, but it does not load the several frames. Other browser display it. Reproducible: Always Steps to Reproduce: run http://www.leistungssportler.de Actual Results: only a black background is displayed Expected Results: the frames should be created by the broser and it should load the pages into the frames. x

Javascript console says: Error: uncaught exception: Permission denied to access property Error: xtpop.blur is not a function Source File: http://surfen.virtualave.net/index.html Line: 70 Error: uncaught exception: Permission denied to access property

The frameset and its framed document are from different domains; the framed document uses a "frame busting" script to break out of another site's frameset by changing top.location.href -- security measures are preventing this in Mozilla where other browsers allow it. Can someone enlighten on why this is prevented? Bug number?

reassign to caps for explanation [this does not mean i consider it a bug -- although i think there are similar(duplicate?) bugzilla reports]

This should have been happening, but 20010505 was during a buggy period. Please retest with a more recent nightly.

"Setting location.href across domains doesn't work" is bug 56053. That bug was fixed on 05/09, but the site still doesn't work on a 05/14 build. The frame-busting script is // if this isn't the top frame, bust out if(top.frames.length>0) { top.location.href=self.location; } // (else) write the document Mozilla gives an access denied error as soon as the script asks for top.frames. (Most frame-busting scripts check for window!=top rather than top.frames.length>0.) See also bug 52920, "frame can't access sibling if parent frame is in another domain", which is marked as wontfix. Giving scripts access to the frames array is likely to let scripts do things they shouldn't be able to do, like replacing other frames on the page. (Even letting a script find out how many subframes another frame has might lead to a small security hole similar to bug 59208.)

Sounds like Jesse is recommending WONTFIX. I would tend to agree. As he says, the site should be comparing window and top, not their locations or the size of the frames array. That's simpler anyway and gives basically the same information. I know that other browsers allow this site's current behavior, but those browsers are less secure. Encourage the site to change that script. If I hear about a whole bunch of sites that are written like this (I've only heard of 2 or 3 so far), I may reconsider this policy.

Marking VERIFIED WONTFIX based on mstoltz's comments. If you disagree, re-open.