
DEFAULT frame embedding denial is applied to a TRUSTED page

Open bughit opened this issue 6 years ago • 1 comments

  • fx 71.0, ns 11.0.10
  • new profile
  • deny frame on DEFAULT
  • load the following page as file: or http:
    <iframe width="560" height="315" src="http://www.youtube.com/embed/2lAe1cqCOXo" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
    
  • trust the page, reload
  • the frame is blocked
  • allow frame on DEFAULT, reload
  • the frame is allowed

bughit, Dec 27 '19 04:12

It appears that the meaning of the frame permission changed from the classic version; the new meaning seems to be focused on the destination and not the origin of the request:

  • when on for a given CATEGORY, any site can load frames from domains in the CATEGORY
  • rather than the classic meaning: domains in a given CATEGORY (default, trusted) are allowed to load frames

If this is indeed the case, this change is far from obvious, especially if one is used to classic embedding perms, so it should be explained, ideally inline; there's plenty of room in the options UI.

bughit, Dec 27 '19 08:12
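The two readings of the frame permission contrasted in the comment above can be checked against the reported steps with a small model. This is an added example, not NoScript code and not part of the original thread; the preset contents (TRUSTED allowing frames) and the host name `page.example` for the test page are assumptions.

```javascript
// Added model, not NoScript source. Presets are constructed from the issue's
// steps; TRUSTED allowing "frame" and the host page.example are assumptions.
function makePolicy(defaultAllowsFrame) {
  return {
    presets: { DEFAULT: { frame: defaultAllowsFrame }, TRUSTED: { frame: true } },
    sites: { "page.example": "TRUSTED" }, // unlisted hosts fall back to DEFAULT
  };
}

const presetFor = (policy, host) => policy.sites[host] || "DEFAULT";

// Two readings of the "frame" capability, as contrasted in the comment.
const readings = {
  // classic: the embedding page's category decides whether it may load frames
  classic: (policy, pageHost, frameHost) =>
    policy.presets[presetFor(policy, pageHost)].frame,
  // destination: the category of the framed domain decides
  destination: (policy, pageHost, frameHost) =>
    policy.presets[presetFor(policy, frameHost)].frame,
};

// Results reported in the issue, keyed by the DEFAULT frame setting.
const reported = [
  { defaultAllowsFrame: false, frameLoaded: false },
  { defaultAllowsFrame: true, frameLoaded: true },
];

// Return the names of the readings that reproduce every reported result.
function readingsMatchingReport() {
  return Object.keys(readings).filter((name) =>
    reported.every(({ defaultAllowsFrame, frameLoaded }) => {
      const policy = makePolicy(defaultAllowsFrame);
      return readings[name](policy, "page.example", "www.youtube.com") === frameLoaded;
    })
  );
}

console.log(readingsMatchingReport());
```

Under these assumptions only the destination-based reading reproduces both reported results; the model says nothing about how NoScript is actually implemented.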