ensure that any pages sending "WebChannelMessageToChrome" events also set X-Frame-Options: Deny

Status: RESOLVED FIXED (defect)
Reported: 4 years ago, Updated: 2 years ago

People: Reporter: Gavin, Assigned: willkg
... to mitigate bug 1146724.

This seems to have been implemented in bug 1104932.
I can't see bug #1146724 and there's like zero context here. What's the issue?
Pages whitelisted to allow sending "WebChannelMessageToChrome" messages being iframed can be abused due to a client bug. Not allowing them to be iframed helps mitigate the risk that the client bug is abused.

(I CCed you to the bug.)
Group: core-security → websites-security
Awesome--thank you!

I read through the bug. Like SUMO, Input adds the X-Frame-Options: DENY to *all* pages including the feedback page that has the JS that does the WebChannelMessageToChrome. This HTTP header is added by commonware.middleware.FrameOptionsHeader:

https://github.com/mozilla/fjord/blob/16d94494ad40df7e641400c761db5dc66d7dbc56/fjord/settings/base.py#L299

https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L4

To make sure that this doesn't change at some point in the future, I added a note to the view code and also added a test.

In a PR: https://github.com/mozilla/fjord/pull/537
Assignee: nobody → willkg
Status: NEW → ASSIGNED
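The comment above describes two things: a middleware that adds X-Frame-Options: DENY to every response, and a regression test that pins the header on the page that dispatches WebChannelMessageToChrome. The block below is an added example, not code from fjord, commonware or this bug: it models that middleware in plain Python with no Django dependency and audits a set of constructed pages for the invariant in the bug title. The names (Response, frame_options_middleware, make_app, audit_framing) and the sample HTML are assumptions; the `no_frame_options` opt-out is modelled on the attribute commonware's FrameOptionsHeader honours, and should be checked against the linked source.

```python
# Added example, not fjord's or commonware's code. Models a blanket
# X-Frame-Options: DENY middleware and the regression check from the comment:
# every page that dispatches WebChannelMessageToChrome must carry the header.
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response object (assumption)."""
    body: str
    headers: dict = field(default_factory=dict)
    # Per-response opt-out, modelled on the no_frame_options attribute that
    # commonware's FrameOptionsHeader honours (assumed semantics).
    no_frame_options: bool = False


def frame_options_middleware(get_response):
    """Wrap a view-dispatch callable so every response is marked non-framable
    unless the view explicitly opted out."""
    def middleware(path):
        response = get_response(path)
        if response.no_frame_options:
            return response
        # Do not clobber a header a view already set deliberately.
        response.headers.setdefault("X-Frame-Options", "DENY")
        return response
    return middleware


# Constructed sample pages. Only the feedback page carries the script that
# talks to the browser via WebChannelMessageToChrome.
FEEDBACK_HTML = (
    "<html><body><script>"
    "window.dispatchEvent(new window.CustomEvent('WebChannelMessageToChrome',"
    " {detail: JSON.stringify({id: 'example-channel', message: {}})}));"
    "</script></body></html>"
)
PAGES = {
    "/feedback/": FEEDBACK_HTML,
    "/about/": "<html><body>About</body></html>",
    "/": "<html><body>Home</body></html>",
}

WEBCHANNEL_MARKER = "WebChannelMessageToChrome"


def make_app(frameable_paths=()):
    """Build a dispatcher over PAGES. `frameable_paths` models views that set
    the opt-out flag; listing the feedback page there is the misconfiguration
    the regression check is meant to catch."""
    def get_response(path):
        return Response(
            body=PAGES.get(path, "<html><body>Not found</body></html>"),
            no_frame_options=path in frameable_paths,
        )
    return frame_options_middleware(get_response)


def audit_framing(app, paths):
    """Return the paths whose body dispatches WebChannelMessageToChrome but
    whose response lacks X-Frame-Options: DENY. An empty list means the
    invariant from the bug title holds for every audited page."""
    violations = []
    for path in paths:
        response = app(path)
        if WEBCHANNEL_MARKER not in response.body:
            continue
        if response.headers.get("X-Frame-Options", "").upper() != "DENY":
            violations.append(path)
    return violations


if __name__ == "__main__":
    print("hardened app violations:", audit_framing(make_app(), PAGES))
    print("misconfigured app violations:",
          audit_framing(make_app(frameable_paths={"/feedback/"}), PAGES))
```

Running the audit as a test in CI is what turns the comment's "make sure this doesn't change" into something enforced: the moment a view opts out of the header, or the middleware is dropped from settings, the feedback path shows up in the violations list. Browsers that support Content-Security-Policy treat `frame-ancestors 'none'` as the equivalent control, so a deployment that adds CSP later should keep both in agreement.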
Pushed this to prod just now. Marking this as FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Awesome - thanks for the quick turnaround Will.
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
Product: Input → Input Graveyard