Closed Bug 1180085 Opened 5 years ago Closed 5 years ago

Prevent signed packages from being framed cross-origin

Categories: Core :: Networking, defect, P3

Status: RESOLVED WONTFIX

Tracking: tracking-b2g backlog

People: Reporter: pauljt, Unassigned

Whiteboard: [necko-would-take]

Signed packages will have extended permissions and as such need to be protected from clickjacking.
We might get this automatically if we set the OriginAttributes as part of the handling of a top-level <iframe mozbrowser> being navigated to a signed package and us then switching process.

I.e. if we just make sure to not set the signed-package OriginAttribute in normal <iframe>s, this bug should happen pretty much automatically.
Priority: -- → P1
blocking-b2g: --- → 2.5+
Paul, since this bug is 2.5+, we should assign it to someone ASAP.
Flags: needinfo?(ptheriault)
Flags: needinfo?(ptheriault)
QA Contact: ptheriault
I'll take it so it doesn't show up in triage, but we will need to find an owner for this. As per comment 2, this might just involve testing.
Assignee: nobody → ptheriault
QA Contact: ptheriault
Priority: P1 → P2
This is a defense-in-depth control: for 2.5, developers could just make sure to set x-frame-allow headers to prevent framing of privileged content. We could also do this as part of the developer packaging tool (bug 1178448) for now.
Priority: P2 → P3
blocking-b2g: 2.5+ → ---
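The anti-framing headers that comment 4 refers to are X-Frame-Options and the CSP frame-ancestors directive. As an added example, not code from this bug, from Gecko, or from the packaging tool it mentions, here is a checker a packaging or review tool could run over a package's response headers to confirm that privileged content is not frameable cross-origin. It takes a header map with lower-cased names, the page's own URL and the URL of a would-be embedder, and answers whether a standards-following browser would allow the frame; the header names, example origins and helper names are all assumptions made for illustration. It follows the precedence browsers apply (frame-ancestors, when present, overrides X-Frame-Options) and a simplified form of the CSP3 source-expression rules (no IPv6 literals or path matching).

```javascript
// Added example (not from the bug or from Gecko): decide from response
// headers whether a page may be framed by a given embedder. Header names
// in `headers` are assumed to be lower-cased; the URLs are constructed.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// CSP3 lets an http: source also match an https: URL.
function schemeMatches(srcScheme, url) {
  const urlScheme = url.protocol.replace(/:$/, '');
  return srcScheme === urlScheme || (srcScheme === 'http' && urlScheme === 'https');
}

// Match one frame-ancestors source expression against the embedder's URL.
function matchesSource(source, embedder, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === page.origin;
  if (s === '*') return true;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s.slice(0, -1), embedder);
  // host-source: [scheme://][*.]host[:port|:*]  (IPv6 literals not handled)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the protected page's scheme.
  const srcScheme = scheme || page.protocol.replace(/:$/, '');
  if (!schemeMatches(srcScheme, embedder)) return false;
  const h = embedder.hostname;
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  const embPort = embedder.port || DEFAULT_PORT[embedder.protocol] || '';
  if (port === '*') return true;
  if (port) return port === embPort;
  // No port in the source: only the scheme's default port matches.
  return embPort === (DEFAULT_PORT[embedder.protocol] || '');
}

// True when a browser would let `embedderUrl` frame `pageUrl`.
function mayBeFramed(headers, pageUrl, embedderUrl) {
  const page = new URL(pageUrl);
  const embedder = new URL(embedderUrl);

  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = headers['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        const sources = tokens.slice(1);
        if (sources.length === 0) return false; // empty list means 'none'
        return sources.some((src) => matchesSource(src, embedder, page));
      }
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo) {
    const values = new Set(
      xfo.toUpperCase().split(/[,;]/).map((v) => v.trim()).filter(Boolean),
    );
    if (values.has('DENY')) return false;
    if (values.has('SAMEORIGIN')) return embedder.origin === page.origin;
    // Any other value (the obsolete ALLOW-FROM, or a typo) is ignored by
    // current browsers, so the page stays frameable: the silent failure
    // a packaging tool should flag rather than accept.
  }
  return true;
}

// Headers a packaging tool or server should emit for privileged content
// that must never be framed: both forms, so old and new browsers comply.
function antiFramingHeaders() {
  return {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  };
}

// Constructed demo: hardened headers against a cross-origin embedder.
const demo = mayBeFramed(antiFramingHeaders(), 'https://app.example.org/', 'https://evil.example.net/');
console.log('cross-origin framing allowed:', demo); // false
```

The ALLOW-FROM branch is the practical caveat: a package that sets an unrecognized X-Frame-Options value gets no protection at all, which is why a tool should emit frame-ancestors alongside DENY rather than trust whatever a developer typed.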
Let me take this bug. :)
Assignee: ptheriault → ettseng
Whiteboard: [necko-would-take]
I am not actively working on this bug. Deactivate myself.

Paul, is this bug a general feature for signed packages? Or is it b2g-specific?
I am not sure whether we should close it or not.
Flags: needinfo?(ptheriault)
Assignee: ettseng → nobody
(In reply to Ethan Tseng [:ethan] from comment #6)
> I am not actively working on this bug. Deactivate myself.
> 
> Paul, is this bug a general feature for signed packages? Or is it
> b2g-specific?
> I am not sure whether we should close it or not.

Very much nsec specific. We need it if we even do nsec, but otherwise we can eventually close it.
Flags: needinfo?(ptheriault)
Thanks Paul.
Close this bug according to comment 7.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX