top.location forced redirect
Replace the whole top-level page from inside an iframe and compare how the sandbox attribute's allow-top-navigation flag changes the result.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | blocked |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/top-redirect?lang=en" title="XSS Playground - top.location forced redirect" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- A same-origin frame can replace the top-level page by assigning `window.top.location`. A cross-origin frame can still do it, but modern browsers (Chromium, Firefox, Safari) honour the assignment only while the frame has transient user activation, i.e. the user has just clicked inside it. The same-origin policy stops a cross-origin frame from reading the parent; it does not stop it from navigating the parent, so SOP alone is not a navigation control for this surface.
- To block it, do not grant `allow-top-navigation` in the sandbox attribute. Any sandbox value that omits that token, including `sandbox="allow-scripts"`, is enough. `allow-top-navigation-by-user-activation` is the middle ground that permits the navigation only on a click. The restriction is set by the embedder and the framed page cannot remove it, with one caveat: a same-origin frame granted both `allow-scripts` and `allow-same-origin` can reach the parent DOM and strip its own sandbox attribute, so never combine those two for content you do not trust.
- The attack value is high: after the user clicks inside a trusted service, the whole tab, address bar included, is replaced by a site of the attacker's choosing, which makes a convincing phishing page.