Closed Bug 1178037 Opened 9 years ago Closed 9 years ago

clickjacking in marketplace.firefox.com

Categories

(Marketplace Graveyard :: General, defect)

Avenir
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 872531

People

(Reporter: ignatio2007, Unassigned)

Details

(Whiteboard: [ktlo])

How to reproduce:

1. Log in to https://marketplace.firefox.com/
2. Go to the PoC script http://bin-bon.narod.ru/1112123231221323123121312.html
3. Maybe drag text to another frame or delete an app

Look at the attachment.
XFO header was removed in 2013.  This is a dupe of bug 872531.
Yeah, this is a dupe of that bug.  If it were possible to put the packaged app origin into the ALLOW_FROM parameter we might be able to use x-frame-options.
Whiteboard: [ktlo]
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
(In reply to Wil Clouser [:clouserw] from comment #2)
> Yeah, this is a dupe of that bug.  If it were possible to put the packaged
> app origin into the ALLOW_FROM parameter we might be able to use
> x-frame-options.

Why can't the site send the header unless the UserAgent is a FxOS device?
Flags: needinfo?(wclouser)