Why does a self-referencing iframe not infinitely loop and crash my machine?

html internet-explorer google-chrome firefox iframe
15,212

Solution 1

W3C took care of that in 1997 explaining how frames should be implemented in "Implementing HTML Frames":

Any frame that attempts to assign as its SRC a URL used by any of its ancestors is treated as if it has no SRC URL at all (basically a blank frame).

Iframe recursion bug/attack history

As kingdago found out and mentioned in the comment above, one browser that missed to implement a safeguard for this was Mozilla in 1999. Quote from one of the developers:

This is a parity bug (and a source of possible embarrasment) since MSIE5 doesn't have a problem with these kinds of pages.

I decided to dig some more into this and it turns out that in 2004 this happened again. However, this time JavaScript was involved:

This is the code, what causes it: <iframe name="productcatalog" id="productcatalog" src="page2.htm"></iframe> directly followed by a script with this in it: frames.productcatalog.location.replace(frames.productcatalog.location + location.hash);

...

Actual Results: The parent window gets recursively loaded into the iframe, resulting sometimes in a crash.

Expected Results: Just show it like in Internet Explorer.

Then again in 2008 with Firefox 2 (this also involved JavaScript).

And again in 2009. The interesting part here is that this bug is still open and this attachment: https://bugzilla.mozilla.org/attachment.cgi?id=414035 (will you restrain your curiosity?) will still crash/freeze your Firefox (I just tested it and I almost crashed the whole Ubuntu). In Chrome it just loads indefinitely (probably because each tab lives in a separate process).

As for the other browsers:

  • In 2005 Konqueror had a bug in it's safeguard that allowed to render iframes one inside another (but it seems that somehow it wasn't freezing/crashing the whole app).
  • IE6, Opera 7.54 and Firefox 0.9.3 are also reported to be susceptible to attacks basing on iframe recursion.

Solution 2

I'd like to add a little something to the "Also, why doesn't even IE crash at this?" part of the question. IE does not let us down...

If you add a simple iteration number as a query string to the nested iFrame's src Firefox and others will just stop after a certain iteration depth. IE - and we tested this with IE version 10 - just crashes :)

this.php

<html>
<head></head>
<body>
<iframe src="this.php?q=<?php echo (isset($_GET['q'])?$_GET['q']:1)+1?>" />
</body>
</html>
Share:
15,212
kingdango
Author by

kingdango

Updated on June 09, 2022

Comments

  • kingdango
    kingdango almost 2 years

    I created a simple HTML page with an iframe whose src attribute references the containing page -- in other words a self-referencing iframe.

    this.html

    <html>
<head></head>
<body>
<iframe src="this.html"></iframe>
</body>
</html>

    Why does this not infinitely loop and crash my browser? Also, why doesn't even IE crash at this?

    (Note: This spawned from a team discussion on the virtues and demerits of using iframes to solve problems. You know, the 'mirror of a mirror' sort.)

  • kingdango
    kingdango over 11 years
    You are an amazing person @Konrad
  • Konrad Dzwinel
    Konrad Dzwinel over 11 years
    Well thank you @kingdango. This is a great question, I ended up doing a research on "iframe recursion bug/attack" history, check out my updated answer.
  • kingdango
    kingdango almost 11 years
    I love the person inside you that made you test this.
  • C.O.
    C.O. over 10 years
    @Konrad as I illustrated in my answer below an iframe recursion attack should still be possible today with all versions of IE - that is if one can exploit the generic crash I found.
  • derrylwc
    derrylwc about 10 years
    You can create this behavior in modern browsers, too -- it just requires JavaScript: e.g. frame.src = 'http://0.0.0.0:9922/index.html?' + new Date().getTime()

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

iframe height in % doesn't work with IE
Advertisement suddenly appearing on top of almost every page
event object not defined only with Firefox (IE and Chrome works)
My CSS is not loading in Internet Explorer 11 and Firefox! Only works with Chrome
Website working in Chrome / Firefox but not in Internet Explorer
Browsers won't reflect changes made in html file
How to open a windows folder when clicking on some link on a HTML page using Python
How can I remove extra margin from INSIDE an iframe?
Submit button doesn't work
How to mimic word-break: break-word; for IE9, IE11 and Firefox