Closed Bug 1099482 Opened 10 years ago Closed 10 years ago

sec-moderate: Missing X-Frame Options

Categories

(www.mozilla.org :: General, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: junkemail132, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141106120505

Steps to reproduce:

Not huge but I thought it was worth mentioning: https://www.mozilla.org/en-US/firefox/new/ is missing X-frame-options: DENY/SAMEORIGIN

Actual results:

https://www.mozilla.org/en-US/firefox/new/?utm_source=getfirefox-com&utm_medium=referral

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: bedrock4.webapp.scl3.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Fri, 14 Nov 2014 23:28:04 GMT
Keep-Alive: timeout=5, max=999
Expires: Fri, 14 Nov 2014 23:38:04 GMT
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Cache-Info: caching
Content-Length: 51084

Expected results:

HTTP/1.1 200 OK
Server: Apache
...
X-Frame-Options: DENY
Pretty sure this is intentional -- there's not much worth clickjacking on that page. If an attacker wanted to "fool" someone into downloading Firefox they could just put a link to do that on their own page. But I'll move this over to the website folks and let them make the determination.
Group: core-security
Product: Core → www.mozilla.org
Yes, this is intentional; see Bug 1004598.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
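
The header check from the report, as an added example that is not part of the bug thread or of Mozilla's code: it parses a raw response header block and reports whether an anti-framing policy is present. The function names are hypothetical, the sample input is the report's header block abridged, and the `Content-Security-Policy: frame-ancestors` check goes beyond the `X-Frame-Options` header the report names.

```python
# Added example: audit a raw response header block for anti-framing headers.
# Constructed input: the header block quoted in the report, abridged.
REPORTED = """HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Fri, 14 Nov 2014 23:28:04 GMT
X-Robots-Tag: noodp
"""


def parse_headers(raw):
    """Map lowercased header names to their values (repeats are kept)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(raw):
    """Return (protected, reason) for one response."""
    headers = parse_headers(raw)
    # CSP frame-ancestors (assumption: checked first, as the newer mechanism).
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return False, "frame-ancestors allows any origin"
                return True, " ".join(parts)
    # X-Frame-Options: names and values are case-insensitive; repeated or
    # comma-joined headers must all agree to count as a policy here.
    values = {v.strip().upper()
              for joined in headers.get("x-frame-options", [])
              for v in joined.split(",") if v.strip()}
    if not values:
        return False, "no X-Frame-Options or frame-ancestors"
    if values in ({"DENY"}, {"SAMEORIGIN"}):
        return True, "X-Frame-Options: " + values.pop()
    return False, "unusable X-Frame-Options: " + ", ".join(sorted(values))


if __name__ == "__main__":
    print(framing_policy(REPORTED))
    print(framing_policy(REPORTED + "X-Frame-Options: DENY\n"))
```
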