clickjacking in marketplace.firefox.com

RESOLVED DUPLICATE of bug 872531

Status

Marketplace
General

People

(Reporter: Sergey, Unassigned, NeedInfo)

Tracking

Avenir
Points:
---

Details

(Whiteboard: [ktlo])

(Reporter)

Description

2 years ago
How to reproduce:

1. Log in to https://marketplace.firefox.com/
2. Go to the PoC script http://bin-bon.narod.ru/1112123231221323123121312.html
3. Maybe drag text to the other frame or delete an app

Look at the attachment.

Comment 1

2 years ago
XFO header was removed in 2013. This is a dupe of bug 872531.

Yeah, this is a dupe of that bug. If it were possible to put the packaged app origin into the ALLOW_FROM parameter we might be able to use x-frame-options.

Updated

2 years ago
Whiteboard: [ktlo]
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 872531
(In reply to Wil Clouser [:clouserw] from comment #2)
> Yeah, this is a dupe of that bug.  If it were possible to put the packaged
> app origin into the ALLOW_FROM parameter we might be able to use
> x-frame-options.

Why can't the site send the header unless the UserAgent is a FxOS device?
Flags: needinfo?(wclouser)
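
The conditional header raised in the last comment, sketched as WSGI middleware; this is an added example, not Marketplace code. It sends `X-Frame-Options: DENY` to every client except ones whose User-Agent looks like Firefox OS. The UA pattern, the sample UA strings and all function and class names are assumptions made for illustration.

```python
import re

# Assumed heuristic: Firefox OS UAs open the platform section with "Mobile" or
# "Tablet" and carry no "Android" token (Firefox for Android puts Android first).
FXOS_UA = re.compile(r"^Mozilla/5\.0 \((?:Mobile|Tablet);(?!.*Android).*\bFirefox/[\d.]+")

# Constructed sample User-Agent strings.
SAMPLE_UAS = {
    "fxos_phone": "Mozilla/5.0 (Mobile; rv:26.0) Gecko/26.0 Firefox/26.0",
    "fxos_device": "Mozilla/5.0 (Mobile; ZTEOPEN; rv:18.1) Gecko/18.1 Firefox/18.1",
    "android": "Mozilla/5.0 (Android; Mobile; rv:40.0) Gecko/40.0 Firefox/40.0",
    "desktop": "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0",
}


def is_fxos(user_agent):
    return bool(user_agent and FXOS_UA.search(user_agent))


def framing_headers(user_agent):
    """Anti-framing headers for one response; none for Firefox OS clients."""
    if is_fxos(user_agent):
        return []  # a packaged app has to be able to frame the site
    return [("X-Frame-Options", "DENY")]  # default, also for a missing UA


class FramingMiddleware:
    """Apply framing_headers() to every response of the wrapped WSGI app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        extra = framing_headers(environ.get("HTTP_USER_AGENT", ""))

        def patched(status, headers, exc_info=None):
            # Drop any X-Frame-Options set upstream so the policy lives in one place.
            kept = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
            # The response now depends on the UA, so shared caches must key on it.
            kept.append(("Vary", "User-Agent"))
            return start_response(status, kept + extra, exc_info)

        return self.app(environ, patched)
```

Because the User-Agent is sent by the visitor's own browser, the header still reaches desktop and Android visitors; the `Vary` header keeps a shared cache from serving the unprotected variant to them.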