Why does a self-referencing iframe not infinitely loop and crash my machine?
I created a simple HTML page with an iframe whose src attribute references the containing page -- in other words a self-referencing iframe.

this.html

<html>
<head></head>
<body>
<iframe src="this.html"></iframe>
</body>
</html>

Why does this not infinitely loop and crash my browser? Also, why doesn't even IE crash at this?

(Note: This spawned from a team discussion on the virtues and demerits of using iframes to solve problems. You know, the 'mirror of a mirror' sort.)

Calen answered 8/1, 2013 at 20:41 Comment(4)
Food for thought, this was actually addressed at some point (1999?) but I wonder what the rationale was? bugzilla.mozilla.org/show_bug.cgi?id=8065 -- Calen
This is already discussed here: https://mcmap.net/q/276040/-iframe-to-infinity In short, browsers place limits on iframe nesting. -- Bethezel
Your code was able to break one thing after all. My devtools: dl.dropbox.com/u/8989748/devtools_broken.png . I hope you are happy now :( -- Tennyson
1000 points for "why doesn't even IE crash at this?" -- Mcgraw
W3C took care of that in 1997 explaining how frames should be implemented in "Implementing HTML Frames":

Any frame that attempts to assign as its SRC a URL used by any of its ancestors is treated as if it has no SRC URL at all (basically a blank frame).


Iframe recursion bug/attack history

As kingdago found out and mentioned in the comment above, one browser that failed to implement a safeguard for this was Mozilla in 1999. Quote from one of the developers:

This is a parity bug (and a source of possible embarrassment) since MSIE5 doesn't have a problem with these kinds of pages.

I decided to dig some more into this and it turns out that in 2004 this happened again. However, this time JavaScript was involved:

This is the code, what causes it: <iframe name="productcatalog" id="productcatalog" src="page2.htm"></iframe> directly followed by a script with this in it: frames.productcatalog.location.replace(frames.productcatalog.location + location.hash);

...

Actual Results: The parent window gets recursively loaded into the iframe, resulting sometimes in a crash.

Expected Results: Just show it like in Internet Explorer.

Then again in 2008 with Firefox 2 (this also involved JavaScript).

And again in 2009. The interesting part here is that this bug is still open and this attachment: https://bugzilla.mozilla.org/attachment.cgi?id=414035 (will you restrain your curiosity?) will still crash/freeze your Firefox (I just tested it and I almost crashed the whole Ubuntu). In Chrome it just loads indefinitely (probably because each tab lives in a separate process).


As for the other browsers:

  • In 2005 Konqueror had a bug in its safeguard that allowed iframes to be rendered one inside another (but it seems that somehow it wasn't freezing/crashing the whole app).
  • IE6, Opera 7.54 and Firefox 0.9.3 are also reported to be susceptible to attacks based on iframe recursion.
Tennyson answered 8/1, 2013 at 20:54 Comment(4)
You are an amazing person @Konrad -- Calen
Well thank you @kingdango. This is a great question, I ended up doing research on "iframe recursion bug/attack" history, check out my updated answer. -- Tennyson
@Konrad as I illustrated in my answer below an iframe recursion attack should still be possible today with all versions of IE - that is if one can exploit the generic crash I found. -- Kare
You can create this behavior in modern browsers, too -- it just requires JavaScript: e.g. frame.src = 'http://0.0.0.0:9922/index.html?' + new Date().getTime() -- Kendo
I'd like to add a little something to the "Also, why doesn't even IE crash at this?" part of the question. IE does not let us down...

If you add a simple iteration number as a query string to the nested iframe's src, Firefox and others will just stop after a certain iteration depth. IE - and we tested this with IE version 10 - just crashes :)

this.php

<html>
<head></head>
<body>
<!-- iframe is not a void element, so it needs an explicit closing tag;
     the counter is cast to int so only a number ever lands in the attribute -->
<iframe src="this.php?q=<?php echo (int)(isset($_GET['q']) ? $_GET['q'] : 1) + 1; ?>"></iframe>
</body>
</html>
Kare answered 4/5, 2013 at 14:21 Comment(2)
I love the person inside you that made you test this. -- Calen
I tested on FF 108.0, on the third call of the same URL (with something after ?, without anything after #) it's empty. Is this "iteration" something else? -- Undecagon
IE 6.0 can crash without script:

<iframe src="this.html?c=9"></iframe>

I'm not sure why this doesn't trigger loop detection nor if it's changed though.

EDIT: Got the reason. Since it's a local file, the URL after ? is ignored, so only this.html is marked visited, not this.html?c=9.

Undecagon answered 6/1, 2022 at 16:31 Comment(1)
Testing stuff on IE 6.0 in 2022 is worth a +1 to me :-) -- Kare