Closed Bug 847261 Opened 12 years ago Closed 12 years ago

iframe sandbox attribute allows top-level browsing context to be changed

Categories

(Core :: General, defect)

Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 785310

People

(Reporter: jtd, Unassigned)

With the sandbox attribute set on an iframe, Gecko allows top.location.replace to change the location of the top frame.  This shouldn't be allowed without "allow-top-navigation" explicitly enabled.

http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

Steps to reproduce:

1. Open URL
2. Wait three seconds

Expected result: iframe should remain red (Chrome behavior)
Result: top-level context changes to apple.com
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
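
An added example, not part of the bug report or of Gecko's code: a small Node.js audit helper that reports, for each iframe in a page's markup, whether its sandbox attribute permits top-level navigation under the rule the report cites. The function names and the sample markup are constructed for illustration, and the tag scanner assumes well-formed markup rather than implementing a full HTML parser.

```javascript
// Added example: audit iframe markup for the "allow-top-navigation" sandbox token.
// Constructed sample markup (hypothetical hosts).
const SAMPLE = `
<iframe src="https://ads.example/a.html" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/b.html" sandbox="allow-scripts ALLOW-TOP-NAVIGATION"></iframe>
<iframe src="https://ads.example/c.html" sandbox></iframe>
<iframe src="https://ads.example/d.html"></iframe>`;

// Parse name[=value] pairs in order, so attribute values are never rescanned as names.
function parseAttributes(attrText) {
  const attrs = new Map();
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    // First occurrence of a duplicated attribute wins, as in HTML parsing.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// value: the sandbox attribute value, or null when the attribute is absent.
function topNavigationPolicy(value) {
  if (value === null) return "unsandboxed"; // no sandbox attribute: no restriction
  // Space-separated tokens, compared ASCII case-insensitively.
  const tokens = value.split(/[\t\n\f\r ]+/).filter(Boolean).map((t) => t.toLowerCase());
  // Only the token named in the report is checked here.
  return tokens.includes("allow-top-navigation") ? "allowed" : "blocked";
}

// Return one record per <iframe> start tag found in the markup.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const sandbox = attrs.has("sandbox") ? attrs.get("sandbox") : null;
    results.push({
      src: attrs.get("src") ?? null,
      sandbox,
      topNavigation: topNavigationPolicy(sandbox),
    });
  }
  return results;
}

console.log(auditIframes(SAMPLE));
```

Frames reported as `blocked` are the ones the report expects to be unable to change the top-level location; `allowed` and `unsandboxed` frames are the ones to review when the embedded content is untrusted.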