I can't see bug #1146724 and there's like zero context here. What's the issue?
Pages whitelisted to allow sending "WebChannelMessageToChrome" messages being iframed can be abused due to a client bug. Not allowing them to be iframed helps mitigate the risk that the client bug is abused. (I CCed you to the bug.)
Group: core-security → websites-security
Awesome--thank you! I read through the bug. Like SUMO, Input adds the X-Frame-Options: DENY to *all* pages including the feedback page that has the JS that does the WebChannelMessageToChrome. This HTTP header is added by commonware.middleware.FrameOptionsHeader:
https://github.com/mozilla/fjord/blob/16d94494ad40df7e641400c761db5dc66d7dbc56/fjord/settings/base.py#L299
https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L4
To make sure that this doesn't change at some point in the future, I added a note to the view code and also added a test. In a PR: https://github.com/mozilla/fjord/pull/537
Assignee: nobody → willkg
Status: NEW → ASSIGNED
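As an added illustration of the mitigation and regression check discussed in the comment above (this is constructed example code, not fjord's or commonware's own): a framework-free stand-in for a FrameOptionsHeader-style middleware, and an audit that flags any page whose response is not X-Frame-Options: DENY. The names Response, frame_options_middleware, feedback_view, check_frame_denied and audit are assumptions.

```python
# Constructed stand-in (not fjord or commonware code) for a FrameOptionsHeader
# style middleware and the kind of regression check the PR describes.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)
    no_frame_options: bool = False  # explicit per-view opt-out

    def get_header(self, name):
        # Header names are case-insensitive; match accordingly.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

def frame_options_middleware(view):
    """Wrap a view so every response carries X-Frame-Options: DENY unless
    the view opted out or already set the header itself."""
    def wrapped(path):
        response = view(path)
        if response.no_frame_options:
            return response
        if response.get_header("X-Frame-Options") is None:
            response.headers["X-Frame-Options"] = "DENY"
        return response
    return wrapped

def feedback_view(path):
    # Constructed stand-in for the page that sends WebChannelMessageToChrome.
    return Response(body="<script>/* WebChannelMessageToChrome */</script>")

def opted_out_view(path):
    # Constructed: a view that disables the header; the audit must flag it.
    return Response(body="embed", no_frame_options=True)

def sameorigin_view(path):
    # Constructed: view sets SAMEORIGIN itself. The middleware must not
    # override it, but it is not DENY, so the audit must flag it too.
    return Response(body="page", headers={"x-frame-options": "SAMEORIGIN"})

def check_frame_denied(response):
    """True only when framing is fully denied (DENY, case-insensitive)."""
    value = response.get_header("X-Frame-Options")
    return value is not None and value.strip().upper() == "DENY"

def audit(view, paths):
    """Return the paths whose wrapped response is NOT denied from framing."""
    wrapped = frame_options_middleware(view)
    return [p for p in paths if not check_frame_denied(wrapped(p))]
```

Wiring the audit into the test suite over every URL that carries the WebChannel JS is what keeps a future middleware or per-view change from silently reopening the framing vector.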
Pushed this to prod just now. Marking this as FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Awesome - thanks for the quick turnaround Will.
These bugs are all resolved, so I'm removing the security flag from them.