Bug 1147228: ensure that any pages sending "WebChannelMessageToChrome" events also set X-Frame-Options: Deny
Status: Closed (opened 9 years ago, closed 9 years ago)
Categories: support.mozilla.org :: General, defect
Tracking: Not tracked
Resolution: RESOLVED FIXED
Reporter: Gavin (Unassigned)
Description: ... to mitigate bug 1146724. Bug 1097168 seems to have implemented this on the SUMO side.
Comment 1 • 9 years ago
As far as I understand, SUMO uses the WebChannelMessageToChrome event via the UITour library in two places:

1. In articles such as this one, https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings, that allow users to trigger a refresh from inside an article.
2. During the "ask a question" flow, where we use it to collect about:support data.

Our general policy is to put X-Frame-Deny on every page. There is one notable exception, which is that we allow kb articles (such as in case #1) to be put in iframes. In this case we use an alternate minimal view that does not include the UITour library, and so has no code paths that use WebChannelMessageToChrome. The iframed page is still on the whitelist for WebChannelMessageToChrome, but we don't use it anywhere else.

Based on all of this, I don't think SUMO provides a surface for this to be exploited, and so I'm going to mark it as resolved.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
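The policy described in comment 1 (every page that can dispatch WebChannelMessageToChrome must carry X-Frame-Options: DENY, while the minimal iframed article view must carry neither the UITour library nor that header) is easy to regress silently, so a small audit is worth keeping. The following is an added example written for this page, not SUMO's or Mozilla's code: it runs over constructed HTTP responses (URLs other than the kb article linked above, the header values and the HTML bodies are all made up) and reports any page that references the WebChannel event or a UITour script (the `uitour.js` filename is an assumption) without denying framing. It also accepts `Content-Security-Policy: frame-ancestors 'none'` as an equivalent of `X-Frame-Options: DENY`, which goes slightly beyond what the bug asks for.

```python
"""Audit that frameable pages never dispatch WebChannelMessageToChrome.

Added example for bug 1147228; not SUMO's own code. Responses are
constructed in-line so the script runs offline.
"""
import re
from dataclasses import dataclass

# Markers that a page has a code path able to send WebChannel messages.
# The UITour script filename is an assumption, not taken from SUMO.
WEBCHANNEL_MARKERS = (
    re.compile(r"WebChannelMessageToChrome"),
    re.compile(r"uitour(?:\.min)?\.js", re.IGNORECASE),
)


@dataclass
class Response:
    url: str
    headers: dict   # header name -> value, any letter case
    body: str       # HTML body as text


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def uses_webchannel(body: str) -> bool:
    """True if the HTML contains any marker of WebChannel/UITour usage."""
    return any(p.search(body) for p in WEBCHANNEL_MARKERS)


def xfo_is_deny(headers: dict) -> bool:
    """X-Frame-Options must be exactly DENY; SAMEORIGIN is not enough here."""
    return header(headers, "X-Frame-Options").strip().upper() == "DENY"


def csp_denies_framing(headers: dict) -> bool:
    """frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY."""
    for directive in header(headers, "Content-Security-Policy").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] == ["'none'"]
    return False


def audit(responses):
    """Return (url, reason) for every page that can message chrome yet is frameable."""
    findings = []
    for r in responses:
        if uses_webchannel(r.body) and not (xfo_is_deny(r.headers) or csp_denies_framing(r.headers)):
            findings.append((r.url, "dispatches WebChannelMessageToChrome but does not deny framing"))
    return findings


# Constructed sample responses (bodies and headers are made up for the example).
CONSTRUCTED_RESPONSES = [
    # Full article view: includes UITour and denies framing -> fine.
    Response("https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings",
             {"X-Frame-Options": "DENY"},
             "<html><script src='/static/js/uitour.js'></script><button>Refresh</button></html>"),
    # Minimal iframed article view: no UITour, no header -> fine by design.
    Response("https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings?minimal=1",
             {"Content-Type": "text/html"},
             "<html><p>Refresh Firefox from about:support.</p></html>"),
    # Constructed ask-a-question page that forgot the header -> finding.
    Response("https://support.mozilla.org/en-US/questions/new",
             {"Content-Type": "text/html"},
             "<html><script>document.dispatchEvent(new CustomEvent('WebChannelMessageToChrome'))</script></html>"),
    # Constructed article with SAMEORIGIN instead of DENY -> finding.
    Response("https://support.mozilla.org/en-US/kb/other-article",
             {"x-frame-options": "SAMEORIGIN"},
             "<html><script src='/static/js/uitour.min.js'></script></html>"),
]

if __name__ == "__main__":
    for url, reason in audit(CONSTRUCTED_RESPONSES):
        print(f"{url}: {reason}")
```

In a real deployment the `Response` objects would come from fetching each whitelisted URL (and its minimal view) so that the audit covers exactly the pages that are allowed to send WebChannel messages.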
Comment 2 • 9 years ago (Reporter)
Awesome, thanks Mike.
Updated • 9 years ago (Reporter)
Group: core-security → websites-security
Comment 3 • 8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security