FF144 Relnote+Doc: Cross origin iframe requires user interaction for top navigation #41237
+17
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hamishwillee
requested review from
estelle and
dipikabh
and removed request for
a team
github-actions
bot
added
Content:HTML
Open
8 tasks
|
Preview URLs Flaws (2)Note! 1 document with no flaws that don't need to be listed. 🎉 URL:
External URLs (1)URL:
|
dipikabh
requested changes
Sep 23, 2025
Comment on lines
+195
to
+196
| Scripts running in a same-origin frame can access the {{domxref("Window.top")}} property and set {{domxref("Window.location","window.top.location")}} to redirect the top level page to a new location. | ||
| This is referred to as a "top-navigation" or "framebusting". |
There was a problem hiding this comment.
Suggested change
| Scripts running in a same-origin frame can access the {{domxref("Window.top")}} property and set {{domxref("Window.location","window.top.location")}} to redirect the top level page to a new location. | |
| This is referred to as a "top-navigation" or "framebusting". | |
| Scripts running in a same-origin frame can access the {{domxref("Window.top")}} property and set {{domxref("Window.location","window.top.location")}} to redirect the top-level page to a new location. | |
| This behavior is referred to as "top navigation". |
- Should it be "top navigation" without the hyphen?
- should we differentiate between "top navigation" and "framebusting"?
- From https://en.wikipedia.org/wiki/Framekiller it seems that framebusting is a defensive security technique where a site forces itself out of an iframe "to avoid being embedded", that is, it's a special case of top navigation?
- should we clarify that framebusting is an "attempt to force" a top navigation (and that the "intervention" is browser's behavior for preventing cross-origin framebusting)?
That is to say, AFAICT the same-origin top nav default behavior is not framebusting. Can you you check?
Comment on lines
+198
to
+200
| A cross-origin frame is only allowed to redirect the page using `top` if the frame has {{glossary("Sticky activation")}}. | ||
| If a top-navigation is blocked the browser may prompt for user permission to redirect, or it may simply report the error in the developer console. | ||
| What this means is that you won't be able to load a cross-origin frame and immediately redirect to a new page — the user must first (or previously) have interacted with the frame or granted permission to redirect. |
There was a problem hiding this comment.
Would it be accurate to call this part "framebusting intervention"?
Suggested change
| A cross-origin frame is only allowed to redirect the page using `top` if the frame has {{glossary("Sticky activation")}}. | |
| If a top-navigation is blocked the browser may prompt for user permission to redirect, or it may simply report the error in the developer console. | |
| What this means is that you won't be able to load a cross-origin frame and immediately redirect to a new page — the user must first (or previously) have interacted with the frame or granted permission to redirect. | |
| A cross-origin frame is allowed to redirect the top-level page using `top` only if the frame has {{glossary("sticky activation")}}. | |
| If a top navigation is blocked, browsers may either prompt for user permission to redirect or report the error in the developer console. This restriction by browsers is called framebusting intervention. | |
| What this means is that you won't be able to load a cross-origin frame and immediately redirect the top-level page — the user must have previously interacted with the frame or granted permission to redirect. |
Comment on lines
+202
to
+203
| A sandboxed frame will block all top-navigations unless the values [`allow-top-navigation`](#allow-top-navigation) or [`allow-top-navigation-by-user-activation`](#allow-top-navigation-by-user-activation) are set. | ||
| Note that top-navigation permissions are inherited, so a nested frame will only be allowed to perform top-navigation if its parents are able to. |
There was a problem hiding this comment.
- first para rephrasing is mostly stylistic
- second para edit is for changing the placement of "only", plus parents -> parent frames just to be clearer
Suggested change
| A sandboxed frame will block all top-navigations unless the values [`allow-top-navigation`](#allow-top-navigation) or [`allow-top-navigation-by-user-activation`](#allow-top-navigation-by-user-activation) are set. | |
| Note that top-navigation permissions are inherited, so a nested frame will only be allowed to perform top-navigation if its parents are able to. | |
| A sandboxed frame blocks all top navigation unless the `sandbox` attribute values are set to [`allow-top-navigation`](#allow-top-navigation) or [`allow-top-navigation-by-user-activation`](#allow-top-navigation-by-user-activation). | |
| Note that top-navigation permissions are inherited, so a nested frame can perform a top navigation only if its parent frames are also allowed to. |
| Scripts cannot access most properties in other `window` objects if the script was loaded from a different origin, including scripts inside a frame accessing the frame's parent. | ||
| Cross-origin communication can be achieved using {{domxref("Window.postMessage()")}}. | ||
|
|
||
| ### `Window.top` navigation |
There was a problem hiding this comment.
Wondering if this title is intuitive enough. Or if we can call it something like "Top navigation in cross-origin frames" or any other phrase that devs are likely to search for to land on this section
|
|
||
| <!-- #### DOM --> | ||
|
|
||
| #### Media, WebRTC, and Web Audio |
There was a problem hiding this comment.
should this update go under HTML?
|
|
||
| #### Media, WebRTC, and Web Audio | ||
|
|
||
| - Framebusting Intervention: Cross-origin {{htmlelement("iframe")}}s require either user interaction or explicit permission in order to redirect the top level page using `window.top.location`, aligning behavior with Chrome and Safari. |
There was a problem hiding this comment.
- we don't usually include such info ", aligning behavior with Chrome and Safari"...but may be okay to keep in this case
- should we add the glossary link to sticky activation after "user interaction"
Suggested change
| - Framebusting Intervention: Cross-origin {{htmlelement("iframe")}}s require either user interaction or explicit permission in order to redirect the top level page using `window.top.location`, aligning behavior with Chrome and Safari. | |
| - Framebusting intervention is now supported, where cross-origin {{htmlelement("iframe")}}s require either user interaction or explicit permission to redirect the top-level page using `window.top.location`, aligning behavior with Chrome and Safari. |
OR
Suggested change
| - Framebusting Intervention: Cross-origin {{htmlelement("iframe")}}s require either user interaction or explicit permission in order to redirect the top level page using `window.top.location`, aligning behavior with Chrome and Safari. | |
| - Cross-origin {{htmlelement("iframe")}}s now require either user interaction (sticky activation) or explicit permission to redirect the top-level page using `window.top.location`. This restriction is called framebusting intervention. |
| #### Media, WebRTC, and Web Audio | ||
|
|
||
| - Framebusting Intervention: Cross-origin {{htmlelement("iframe")}}s require either user interaction or explicit permission in order to redirect the top level page using `window.top.location`, aligning behavior with Chrome and Safari. | ||
| See [`Window.top` navigation](/en-US/docs/Web/HTML/Reference/Elements/iframe#window.top_navigation) for more information. ([Firefox bug 1419501](https://bugzil.la/1419501)). |
There was a problem hiding this comment.
would need to be updated if we update the section title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
FF144 aligns with Chrome and Safari such that a cross origin iframe now requires sticky activation in order to redirect the top level page via
window.top.location(in https://bugzilla.mozilla.org/show_bug.cgi?id=1419501).This PR adds a release note and also a section in the iframe docs explaining the expected behavior as it is now.
Related docs work can be tracked in #41138