Closed Bug 1147228 Opened 9 years ago Closed 9 years ago

ensure that any pages sending "WebChannelMessageToChrome" events also set X-Frame-Options: Deny

Categories: support.mozilla.org :: General, defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: Gavin; Assignee: Unassigned

... to mitigate bug 1146724.

Bug 1097168 seems to have implemented this on the SUMO side.
As far as I understand, SUMO uses the WebChannelMessageToChrome event via the UITour library in two places.

1. In articles such as this one https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings that allow users to trigger a refresh from inside an article.

2. During the "ask a question" flow, where we use it to collect about:support data.

Our general policy is to put X-Frame-Deny on every page. There is one notable exception, which is that we allow kb articles (such as in case #1) to be put in iframes. In this case we use an alternate minimal view that does not include the UITour library, and so has no code paths that use WebChannelMessageToChrome.

The iframed page is still on the whitelist for WebChannelMessageToChrome, but we don't use it anywhere else.

Based on all of this, I don't think SUMO provides a surface for this to be exploited, and so I'm going to mark it as resolved.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
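The check implied by the comment above, as an added example that is not SUMO's or Mozilla's code: given captured HTTP responses, flag any page whose body can dispatch WebChannelMessageToChrome (directly, or through the UITour library) but that is not served with X-Frame-Options: DENY or the CSP equivalent, frame-ancestors 'none'. It also applies the precedence browsers use: when a CSP frame-ancestors directive is present, X-Frame-Options is ignored, so a page can carry DENY and still be frameable. The sample responses are constructed for illustration, not real captures; the /questions/new URL, the ?minimal=1 variant of the KB article, the uitour.js script path and the marker strings are all assumptions about how a SUMO page would reveal UITour use.

```python
from dataclasses import dataclass, field

# Lower-cased substrings whose presence in a page body means the page can
# dispatch WebChannelMessageToChrome, either directly or via the UITour
# library (assumed marker strings; adjust to the real script names).
WEBCHANNEL_MARKERS = ("webchannelmessagetochrome", "uitour")


@dataclass
class Response:
    """A captured HTTP response; header names are stored lower-cased."""
    url: str
    body: str
    headers: dict = field(default_factory=dict)


def uses_webchannel(body: str) -> bool:
    """True if the page has a code path that can reach the WebChannel."""
    lowered = body.lower()
    return any(marker in lowered for marker in WEBCHANNEL_MARKERS)


def framing_policy(headers: dict) -> str:
    """Classify who may frame the page: 'deny', 'sameorigin' or 'open'.

    If CSP carries a frame-ancestors directive it decides and X-Frame-Options
    is ignored (CSP Level 2 behaviour); otherwise X-Frame-Options decides.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in value.split()]
        if sources == ["none"]:
            return "deny"
        if sources == ["self"]:
            return "sameorigin"
        return "open"  # an allow-list of other origins: still frameable
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    return "open"


def audit(responses):
    """Map each URL to a verdict for the rule 'WebChannel pages must be DENY'."""
    verdicts = {}
    for r in responses:
        if not uses_webchannel(r.body):
            verdicts[r.url] = "ok-no-webchannel"  # e.g. SUMO's minimal iframe view
            continue
        policy = framing_policy(r.headers)
        if policy == "deny":
            verdicts[r.url] = "ok"
        elif policy == "sameorigin":
            verdicts[r.url] = "sameorigin-only"  # blocks cross-origin framers only
        else:
            verdicts[r.url] = "frameable"  # the condition this bug is about
    return verdicts


# Constructed sample responses (not real captures). The ?minimal=1 variant,
# the /questions/new page and the uitour.js path are assumptions.
SAMPLES = [
    Response(
        "https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings",
        '<script src="/static/js/libs/uitour.js"></script><button>Refresh Firefox</button>',
        {"x-frame-options": "DENY"},
    ),
    Response(
        "https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings?minimal=1",
        "<article>Refresh Firefox to fix problems with add-ons and settings.</article>",
        {},
    ),
    Response(
        "https://support.mozilla.org/en-US/questions/new",
        'document.dispatchEvent(new CustomEvent("WebChannelMessageToChrome", {detail: payload}))',
        {"x-frame-options": "SAMEORIGIN"},
    ),
    Response(
        "https://support.mozilla.org/en-US/kb/some-article",
        '<script src="/static/js/libs/uitour.js"></script>',
        {
            "x-frame-options": "DENY",
            "content-security-policy": "default-src 'self'; frame-ancestors https://partner.example",
        },
    ),
]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:18} {url}")
```

The fourth sample is the case worth remembering: it sends X-Frame-Options: DENY, yet the CSP frame-ancestors allow-list overrides it, so the audit reports it as frameable. The second sample is the SUMO exception Mike describes, a framed minimal view with no UITour code, which the audit accepts because the body has no WebChannel code path rather than because of any header.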
Awesome, thanks Mike.
Group: core-security → websites-security
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security