Strange issue with redirecting users

Question

I've made a script that that makes an input textfield and allows the user to input a url and hit enter which will then redirect them to their inputted website. And that works fine the problem is when a user is in one of my popup boxes and try to hit enter on the textfield it redirects them to some websites but not all example it will not redirect to https://www.google.com/ or https://www.facebook.com/.

<style>
  .browser-bar {
    width;100%;
    height:30px;
  }
  #url-bar {
   width: 60%;
 }
</style>

<div class="browser-bar">
   <input id="url-bar" type="text">
</div>


<script>
var currenturl = window.location;
document.getElementById("url-bar").value = currenturl;

$("#url-bar").keyup(function(event){
    if(event.keyCode == 13){
        $(location).attr('href', document.getElementById("url-bar").value); 
    }
});
</script>

It is very hard to explain so I will link you to my website so maybe replicating it for yourself may help. The main page is http://zackarylundquist.westhostsite.com/portfolio/ and using the textbox to redirect on there works fine as I said but to get the popup window to appear while on the main page click on start>navigation>About Me. While in the popup menu it will not redirect to https://www.google.com/ for example.

Answer 1

Just look what the Response Headers are if google.com is loaded at your iframe

Alternate-Protocol  80:quic
Cache-Control   public, max-age=2592000
Content-Length  219
Content-Type    text/html; charset=UTF-8
Date    Mon, 02 Dec 2013 06:59:22 GMT
Expires Wed, 01 Jan 2014 06:59:22 GMT
Location    http://www.google.com/
Server  gws
-------->X-Frame-Options    SAMEORIGIN
--------> X-XSS-Protection  1; mode=block**

it says "No i frame loading from strangers only SAMEORIGIN !!!"

and your page is working correctly its loading http://netteksolution.com/portfolio/about-me/

change it to http://netteksolution.com/ u can see the diff

Answer 2

This is the same origin policy problem.

You are trying to load the external website inside an iframe. Some websites allow this, some don't.

For example, if you see your network activity (dev tools) of your browser, you will find that sites like google block loading in iframe.

This is what you can spot in the headers:

x-frame-options:SAMEORIGIN 
x-xss-protection:1; mode=block

Try loading microsoft.com, and it will load up just fine!

More info: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

Answer 3

Seems to be related to HTTP vs. HTTPS security. I'm not an expert by any means, but a quick fix would be to search for any 's' right after 'http' and delete it from the URL string.