ssl written iframes are affected by about:blank permissions

al_9x · Post by **al_9x** » Fri Jan 07, 2011 5:27 am

A written iframe takes on the URL of the parent and should be allowed if the parent is allowed, and should not be affected by about:blank permissions.

NS 2.0.9.4rc1, Fx 3.6.13, new profile, remove (msn.com, about:blank) from the whitelist.

login to https hotmail: https://mail.live.com/
once you get to the inbox, you'll see that the two ad iframes (1 - lower left, 2 - right column) are untrusted. They both have the url of their parent (InboxLight.aspx), which is trusted.
add about:blank back to the whitelist and refresh, the iframes now appear to be trusted

Post by **Giorgio Maone** » Fri Jan 07, 2011 8:01 am

Investigating, thanks.

al_9x · Post by **al_9x** » Sun Jan 23, 2011 1:49 pm

Another example of this is on the Amazon homepage. The dynamically added (via DOM it seems) iframe should be allowed, since amazon.com is, but isn't

when about:blank is not whitelisted.

This started in 2.0.9.2. Can you repro?

al_9x · Post by **al_9x** » Fri Mar 04, 2011 8:23 pm

fixed in a latter build

InformAction Forums

ssl written iframes are affected by about:blank permissions

ssl written iframes are affected by about:blank permissions

Re: ssl written iframes are affected by about:blank permissi

Re: ssl written iframes are affected by about:blank permissi

Re: ssl written iframes are affected by about:blank permissi