Bug 1147227
Opened 9 years ago
Closed 9 years ago
ensure that any pages sending "WebChannelMessageToChrome" events also set X-Frame-Options: Deny
Categories: Input Graveyard :: Frontend, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: Gavin, Assigned: willkg
Description
... to mitigate bug 1146724. This seems to have been implemented in bug 1104932.
Comment 1 (Assignee) • 9 years ago
I can't see bug #1146724 and there's like zero context here. What's the issue?
Comment 2 (Reporter) • 9 years ago
Pages whitelisted to allow sending "WebChannelMessageToChrome" messages being iframed can be abused due to a client bug. Not allowing them to be iframed helps mitigate the risk that the client bug is abused. (I CCed you to the bug.)
Updated (Reporter) • 9 years ago
Group: core-security → websites-security
Comment 3 (Assignee) • 9 years ago

Awesome--thank you! I read through the bug. Like SUMO, Input adds the X-Frame-Options: DENY to *all* pages including the feedback page that has the JS that does the WebChannelMessageToChrome. This HTTP header is added by commonware.middleware.FrameOptionsHeader:

https://github.com/mozilla/fjord/blob/16d94494ad40df7e641400c761db5dc66d7dbc56/fjord/settings/base.py#L299
https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L4

To make sure that this doesn't change at some point in the future, I added a note to the view code and also added a test. In a PR: https://github.com/mozilla/fjord/pull/537
Assignee: nobody → willkg
Status: NEW → ASSIGNED
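Added example, not fjord's, commonware's or SUMO's own code: the two pieces comment 3 above describes, a site-wide middleware that stamps X-Frame-Options: DENY on every response and a regression check that the page carrying the WebChannelMessageToChrome script really answers with that header, written against plain WSGI so it runs without Django. The names feedback_app, weak_app, frame_options_middleware, call, frame_options and frame_denied are assumptions, and the HTML body is constructed (the channel id and message in it are made up).

```python
# Added example (not fjord's or commonware's code). Names and HTML are assumed.
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the Input feedback page. The script uses the
# WebChannel content-side API (a CustomEvent named WebChannelMessageToChrome);
# the channel id and message payload are invented for the example.
FEEDBACK_HTML = b"""<!doctype html><title>feedback</title>
<script>
window.dispatchEvent(new window.CustomEvent("WebChannelMessageToChrome",
  {detail: JSON.stringify({id: "example-channel", message: {ok: true}})}));
</script>"""


def feedback_app(environ, start_response):
    """Bare view: no X-Frame-Options, so any site could iframe it."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [FEEDBACK_HTML]


def weak_app(environ, start_response):
    """View that chose its own, weaker policy; SAMEORIGIN still permits framing."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [FEEDBACK_HTML]


def frame_options_middleware(app, value="DENY"):
    """Wrap a WSGI app so every response carries X-Frame-Options: <value>.

    Any X-Frame-Options the view set is dropped first, so a single view
    cannot accidentally weaken the site-wide policy, which is the guarantee
    this bug wants for the feedback page.
    """
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value))
            return start_response(status, kept, exc_info)
        return app(environ, sr)
    return wrapped


def call(app, path="/feedback"):
    """Drive a WSGI app in-process; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def frame_options(headers):
    """Return the normalised X-Frame-Options value, or None if absent."""
    for k, v in headers:
        if k.lower() == "x-frame-options":
            return v.strip().upper()
    return None


def frame_denied(app, path="/feedback"):
    """The regression check: True only if the page answers with DENY.

    SAMEORIGIN is deliberately not accepted; the bug asks for DENY. Raises if
    the page does not actually contain the WebChannel script, so the check
    cannot silently pass against the wrong view.
    """
    _, headers, body = call(app, path)
    if b"WebChannelMessageToChrome" not in body:
        raise ValueError("page does not send WebChannelMessageToChrome")
    return frame_options(headers) == "DENY"


if __name__ == "__main__":
    site = frame_options_middleware(feedback_app)
    print("bare view denies framing:", frame_denied(feedback_app))  # False
    print("wrapped view denies framing:", frame_denied(site))       # True
```

Run the check against every page on the whitelist, not only the feedback view, since the whitelist is what decides which origins may send the event. One caveat worth remembering: X-Frame-Options only works as an HTTP response header; browsers ignore it when placed in a `<meta http-equiv>` tag, so a template-level fix would not satisfy this bug.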
Comment 4 (Assignee) • 9 years ago
Landed in master: https://github.com/mozilla/fjord/commit/7e796de7417c0364efcfaec419375721d93bf8f2
Comment 5 (Assignee) • 9 years ago
Pushed this to prod just now. Marking this as FIXED.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 6 (Reporter) • 9 years ago
Awesome - thanks for the quick turnaround Will.
Comment 7 (Assignee) • 8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
Updated • 7 years ago
Product: Input → Input Graveyard