Bypass X-Frame-Options using object tag lead to frame any website
Categories
(Firefox :: Security, task)
People
(Reporter: stueotue, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
From the MDN documentation about X-Frame-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options):
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
However, I've found that even with X-Frame-Options set to DENY the website can still be framed using the object tag, which can lead to a UI redressing attack against the website if the victim disables Tracking Protection.
Steps to reproduce:
1. Create a simple html file with <object data="website you want to frame"></object>
2. Visit the html file and you can see the website is framed.
Tested in:
1. Mozilla Firefox for Ubuntu version 77.0.1 (64-bit)
2. Mozilla Firefox for Windows version 77.0.1 (64-bit)
OS:
1. Ubuntu 18.04.4 LTS
2. Windows 10
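The report's reproduction is a single page with an object element; what a site owner usually wants is a repeatable check that their own anti-framing header is honoured on every embedding path, not only the iframe one they first tested. The following harness is an added example, not code from the reporter or from Mozilla. It runs a local HTTP server on 127.0.0.1 whose /protected page sends X-Frame-Options: DENY (with the equivalent Content-Security-Policy frame-ancestors directive added as defence in depth) and whose /harness page tries to embed /protected with iframe, object and embed. The port, the path names and the CSP addition are this example's own choices. In a browser that honours the header all three boxes stay blank; a box that renders the protected page is an embedding path that browser is not blocking, which is the Firefox 77 behaviour described above.

```python
"""Local check that a browser honours X-Frame-Options for every embedding
element, not just <iframe>.

Added example, not part of the bug report or of Firefox. Port 8000, the
path names and the extra CSP header are this example's own assumptions.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import threading
import urllib.request

# element -> (attribute that carries the URL, whether it takes a closing tag)
EMBED_ELEMENTS = {
    "iframe": ("src", True),
    "object": ("data", True),
    "embed": ("src", False),   # void element, no closing tag
}


def framing_headers():
    """Response headers that forbid embedding by any site, including our own origin."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def harness_html(target="/protected"):
    """Build the test page: one labelled box per embedding element, all pointing at target."""
    parts = ["<!doctype html><title>X-Frame-Options harness</title>",
             "<p>Every box below should stay blank.</p>"]
    for tag, (attr, has_close) in EMBED_ELEMENTS.items():
        parts.append(f"<h3>&lt;{tag}&gt;</h3>")
        parts.append(f'<{tag} {attr}="{target}" width="400" height="150">')
        if has_close:
            parts.append(f"</{tag}>")
    return "".join(parts)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/protected":
            body = (b"<!doctype html><h1>PROTECTED</h1>"
                    b"<p>If this text is visible inside a box, framing was not blocked.</p>")
            self._send(body, framing_headers())
        elif self.path == "/harness":
            self._send(harness_html().encode())
        else:
            self.send_error(404)

    def _send(self, body, extra_headers=None):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the console quiet


def start_server(port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    srv = HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def protected_headers(srv):
    """Fetch /protected and return its response headers, lower-cased."""
    url = f"http://127.0.0.1:{srv.server_port}/protected"
    with urllib.request.urlopen(url) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


def header_check_passes(srv):
    """True if the server really emits both anti-framing headers; run this
    before blaming the browser for a box that renders."""
    h = protected_headers(srv)
    return (h.get("x-frame-options") == "DENY"
            and "frame-ancestors 'none'" in h.get("content-security-policy", ""))


if __name__ == "__main__":
    server = start_server(8000)
    assert header_check_passes(server), "server is not sending the headers"
    print("Open http://127.0.0.1:8000/harness in the browser under test; Ctrl-C to stop.")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Run the script, open /harness in each browser build you care about, and compare the three boxes; because the harness and the protected page share an origin, DENY (rather than SAMEORIGIN) is the right value to prove that blocking does not depend on origin. The header self-check matters in practice: a box that renders is only a browser finding once you have confirmed the header actually left the server.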
Comment 2•5 years ago
This regressed in Firefox 77. Firefox 76 was unaffected, as is Firefox ESR-68. A patch has landed for Firefox 79 which should be available on the Beta channel tomorrow or the day after.