Closed
Bug 1099482
Opened 10 years ago
Closed 10 years ago
sec-moderate: Missing X-Frame Options
Categories
(www.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: junkemail132, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141106120505
Steps to reproduce:
Not huge but I thought it was worth mentioning:
https://www.mozilla.org/en-US/firefox/new/ is missing X-frame-options: DENY/SAMEORIGIN
Actual results:
https://www.mozilla.org/en-US/firefox/new/?utm_source=getfirefox-com&utm_medium=referral
HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: bedrock4.webapp.scl3.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Fri, 14 Nov 2014 23:28:04 GMT
Keep-Alive: timeout=5, max=999
Expires: Fri, 14 Nov 2014 23:38:04 GMT
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Cache-Info: caching
Content-Length: 51084
Expected results:
HTTP/1.1 200 OK
Server: Apache
...
X-Frame-Options: DENY
Comment 1•10 years ago
Pretty sure this is intentional -- there's not much worth clickjacking on that page. If an attacker wanted to "fool" someone into downloading Firefox they could just put a link to do that on their own page. But I'll move this over to the website folks and let them make the determination.
Group: core-security
Product: Core → www.mozilla.org
Comment 2•10 years ago
Yes, this is intentional; see Bug 1004598.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
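Added example, not part of the bug report or of Mozilla's code: a check for anti-framing protection over a raw response head like the one quoted in the description. It goes beyond the report by also accepting a Content-Security-Policy frame-ancestors directive; the function names and the sample input (a constructed subset of the quoted headers) are assumptions of this example.

```python
# Added example (not from the bug report): classify anti-framing headers.
# Constructed input: a subset of the response headers quoted in the report.
REPORTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Cache-Control: max-age=600\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Robots-Tag: noodp\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Map lowercased header names to their list of values."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def framing_policy(raw):
    """Return (protected, reason) for a raw HTTP response head."""
    headers = parse_headers(raw)
    # CSP frame-ancestors supersedes X-Frame-Options when both are present.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:]
                # A bare wildcard lets any origin frame the page.
                return ("*" not in sources, "frame-ancestors " + " ".join(sources))
    # X-Frame-Options: header names and values are case-insensitive.
    values = {v.strip().lower()
              for raw_value in headers.get("x-frame-options", [])
              for v in raw_value.split(",")}
    if not values:
        return (False, "no X-Frame-Options or frame-ancestors")
    if len(values) > 1:
        # Choice made for this example: report conflicting values as a misconfiguration.
        return (False, "conflicting X-Frame-Options: " + ", ".join(sorted(values)))
    value = values.pop()
    # ALLOW-FROM is obsolete and ignored by current browsers.
    return (value in ("deny", "sameorigin"), "X-Frame-Options " + value)

if __name__ == "__main__":
    print(framing_policy(REPORTED))
```
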