Prevent signed packages from being framed cross-origin

Status: RESOLVED WONTFIX
Priority: P3
Severity: normal
Reported: 3 years ago
Last modified: 3 years ago

People

(Reporter: pauljt, Unassigned)

Tracking

Version: unspecified
Points: ---

Firefox Tracking Flags

(tracking-b2g:backlog)

Details

(Whiteboard: [necko-would-take])

(Reporter)

Description

3 years ago
Signed packages will have extended permissions and as such need to be protected from clickjacking.
We might get this automatically if we set the OriginAttributes as part of the handling of a top-level <iframe mozbrowser> being navigated to a signed package and us then switching processes.

I.e. if we just make sure to not set the signed-package OriginAttribute in normal <iframe>s, this bug should happen pretty much automatically.
(Reporter)

Updated

3 years ago
Priority: -- → P1
(Reporter)

Updated

3 years ago
blocking-b2g: --- → 2.5+

Comment 2

3 years ago
Paul, since this bug is 2.5+, we should assign it to someone ASAP.
Flags: needinfo?(ptheriault)
(Reporter)

Updated

3 years ago
Flags: needinfo?(ptheriault)
QA Contact: ptheriault
(Reporter)

Comment 3

3 years ago
I'll take it so it doesn't show up in triage, but we will need to find an owner for this. As per comment 2, this might just involve testing.
(Reporter)

Updated

3 years ago
Assignee: nobody → ptheriault
QA Contact: ptheriault
(Reporter)

Updated

3 years ago
Priority: P1 → P2
(Reporter)

Comment 4

3 years ago
This is a defense-in-depth control: for 2.5 developers could just make sure to set x-frame-allow headers to prevent framing of privileged content. We could also do this as part of the developer packaging tool (bug 1178448) for now.
Priority: P2 → P3
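Comment 4 proposes anti-framing response headers as the stopgap for privileged content. The following is an added example, not code from this bug or from Gecko: it audits a set of response headers for that protection, assuming the "x-frame-allow" header referred to is X-Frame-Options, and also evaluates the CSP frame-ancestors directive, which browsers enforce in preference to X-Frame-Options when both are present. The sample responses are constructed.

```python
"""Audit response headers for anti-framing protection (added example, not Gecko code).

Assumes the "x-frame-allow" headers of comment 4 mean X-Frame-Options and also
checks CSP frame-ancestors, which browsers enforce instead of X-Frame-Options when
both are present. All sample responses below are constructed.
"""
from typing import Dict, List, Optional, Tuple


def _directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the lowercased source list of a CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason); protected means no arbitrary origin may frame the page."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _directive(lower.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is not None:
        # An empty source list is equivalent to 'none' in CSP.
        if not ancestors or ancestors == ["'none'"]:
            return True, "CSP frame-ancestors forbids all framing"
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return False, "CSP frame-ancestors admits any origin"
        return True, "CSP frame-ancestors limited to listed origins"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "no anti-framing header"


SAMPLE_RESPONSES = {  # constructed responses for signed-package (privileged) content
    "/app/index.html": {"X-Frame-Options": "deny"},
    "/app/settings.html": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/app/widget.html": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "/app/legacy.html": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/app/about.html": {},
}


def unprotected_paths(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each path whose headers still permit cross-origin framing to the reason."""
    verdicts = {p: framing_protection(h) for p, h in responses.items()}
    return {p: reason for p, (ok, reason) in verdicts.items() if not ok}
```

Note that a permissive frame-ancestors directive overrides a strict X-Frame-Options on the same response, so a packaging tool that adds headers should check both.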
(Reporter)

Updated

3 years ago
blocking-b2g: 2.5+ → ---

Comment 5

3 years ago
Let me take this bug. :)
Assignee: ptheriault → ettseng
tracking-b2g: --- → backlog
Whiteboard: [necko-would-take]

Comment 6

3 years ago
I am not actively working on this bug. Deactivate myself.

Paul, is this bug a general feature for signed packages? Or is it b2g-specific?
I am not sure whether we should close it or not.
Flags: needinfo?(ptheriault)

Updated

3 years ago
Assignee: ettseng → nobody
(Reporter)

Comment 7

3 years ago
(In reply to Ethan Tseng [:ethan] from comment #6)
> I am not actively working on this bug. Deactivate myself.
> 
> Paul, is this bug a general feature for signed packages? Or is it
> b2g-specific?
> I am not sure whether we should close it or not.

Very much nsec specific. We need it if we even do nsec, but otherwise we can eventually close it.
Flags: needinfo?(ptheriault)

Comment 8

3 years ago
Thanks Paul.
Closing this bug according to comment 7.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX