Bug 1180085 - Prevent signed packages from being framed cross-origin
Status: Closed, RESOLVED WONTFIX
Opened 9 years ago
Closed 9 years ago
Categories: Core :: Networking, defect, P3
Tracking: tracking-b2g: backlog
People: Reporter: pauljt, Unassigned
Details: Whiteboard: [necko-would-take]

Description
Signed packages will have extended permissions and as such need to be protected from clickjacking.
We might get this automatically if we set the OriginAttributes as part of the handling of a top-level <iframe mozbrowser> being navigated to a signed package and us then switching process.
I.e. if we just make sure to not set the signed-package OriginAttribute in normal <iframe>s, this bug should happen pretty much automatically.
Updated • 9 years ago (Reporter)
Priority: -- → P1
Updated • 9 years ago (Reporter)
blocking-b2g: --- → 2.5+
Comment 2 • 9 years ago
Paul, since this bug is 2.5+, we should assign it to someone ASAP.
Flags: needinfo?(ptheriault)
Updated • 9 years ago (Reporter)
Flags: needinfo?(ptheriault)
QA Contact: ptheriault
Comment 3 • 9 years ago (Reporter)
I'll take it so it doesn't show up in triage, but we will need to find an owner for this. As per comment 2, this might just involve testing.
Updated • 9 years ago (Reporter)
Assignee: nobody → ptheriault
QA Contact: ptheriault
Updated • 9 years ago (Reporter)
Priority: P1 → P2
Comment 4 • 9 years ago (Reporter)
This is a defense-in-depth control: for 2.5 developers could just make sure to set x-frame-allow headers to prevent framing of privileged content. We could also do this as part of the developer packaging tool (bug 1178448) for now.
Priority: P2 → P3
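The interim mitigation in comment 4 rests on the framed content's own response headers. As an added illustration (not code from this bug or from Gecko), here is a check that decides whether a given parent origin would be allowed to frame a response, applying the browser rule that a CSP frame-ancestors directive overrides X-Frame-Options when both are present. It assumes headers already parsed into a dict, a single CSP header, and simplifies SAMEORIGIN to a comparison against the direct parent only.

```python
def _source_matches(src, parent, me):
    """Does one CSP frame-ancestors source expression match `parent`?
    Handles 'self', *, scheme sources (https:), host sources with an
    optional *. wildcard, and full origins; ports are compared as part
    of the host string (a simplification of the CSP matching rules)."""
    src = src.lower()
    if src == "'self'":
        return parent == me
    if src == "*":
        return True
    if src.endswith(":"):                 # scheme source, e.g. https:
        return parent.startswith(src + "//")
    if "://" not in src:                  # host source inherits the page's scheme
        src = me.split("://", 1)[0] + "://" + src
    scheme, host = src.split("://", 1)
    p_scheme, p_host = parent.split("://", 1)
    if scheme != p_scheme:
        return False
    if host.startswith("*."):
        return p_host.endswith(host[1:])
    return host == p_host


def frame_allowed(headers, parent_origin, self_origin):
    """Decide whether a browser would let a document with origin
    `parent_origin` frame a response carrying `headers` (served from
    `self_origin`). Returns (allowed, rule_that_decided).
    Assumptions: header names are compared case-insensitively, only one
    Content-Security-Policy header is present, and SAMEORIGIN is
    simplified to a comparison against the direct parent only."""
    h = {k.lower(): v for k, v in headers.items()}
    parent, me = parent_origin.lower(), self_origin.lower()
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors wins over X-Frame-Options when both are set;
            # an empty source list is equivalent to 'none'
            sources = value.lower().split()
            if not sources or sources == ["'none'"]:
                return False, "frame-ancestors 'none'"
            return any(_source_matches(s, parent, me) for s in sources), "frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return parent == me, "X-Frame-Options: SAMEORIGIN"
    # No anti-framing header at all: any origin may embed this response.
    return True, "no anti-framing header"
```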
Updated • 9 years ago (Reporter)
blocking-b2g: 2.5+ → ---
Comment 5 • 9 years ago
Let me take this bug. :)
Assignee: ptheriault → ettseng
tracking-b2g: --- → backlog
Updated • 9 years ago
Whiteboard: [necko-would-take]
Comment 6 • 9 years ago (Ethan Tseng [:ethan])
I am not actively working on this bug. Deactivating myself.
Paul, is this bug a general feature for signed packages? Or is it b2g-specific?
I am not sure whether we should close it or not.
Flags: needinfo?(ptheriault)
Updated • 9 years ago
Assignee: ettseng → nobody
Comment 7 • 9 years ago (Reporter)
(In reply to Ethan Tseng [:ethan] from comment #6)
> I am not actively working on this bug. Deactivating myself.
>
> Paul, is this bug a general feature for signed packages? Or is it b2g-specific?
> I am not sure whether we should close it or not.
Very much nsec specific. We need it if we even do nsec, but otherwise we can eventually close it.
Flags: needinfo?(ptheriault)
Comment 8 • 9 years ago
Thanks Paul.
Close this bug according to comment 7.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX