Closed
Bug 542020
Opened 15 years ago
Closed 14 years ago
Prevent random embedding of personas pages, nuisance hover previews
Categories
(Websites Graveyard :: getpersonas.com, defect)
Websites Graveyard
getpersonas.com
Tracking
(Not tracked)
RESOLVED
FIXED
3.0
People
(Reporter: johnath, Assigned: brandon)
References
()
Details
Attachments
(3 files, 4 obsolete files)
2.15 KB,
patch
|
reed
:
review+
|
Details | Diff | Splinter Review |
1.18 KB,
patch
|
reed
:
review+
|
Details | Diff | Splinter Review |
405.87 KB,
image/png
|
Details |
+++ This bug was initially created as a clone of Bug #541308 +++ In bug 541308 we discuss the fact that getpersonas pages can be iframed by arbitrary sites on the net, allowing them to produce nuisance on-hover previews and even installs on click. While these installs are easily undoable, it's still annoying, and worse, to some users it feels like a genuine security bug. We think this can be fixed web-side, instead of client side, by putting in a basic "am I framed?" check. The problem with just doing: if (self != top) { // Disable previews/installs } is that it would kill our own ability to use pages in an iframe on sites like http://www.mozilla.com/firefox/3.6/firstrun/ Shaver proposed that we handle this with postMessage ( https://developer.mozilla.org/en/DOM/window.postMessage ). So basically, the logic would be: // on getPersonas pages that support preview/install if (self != top) { // We're in a frame, disable previews/installs } function receiveMessage(event) { if (event.origin is in mozilla.com or otherwise trusted && event.data says "reactivate" or whatever) { // Turn previews/installs back on } } window.addEventListener("postmessage", receiveMessage, false) And then on sites like the firstrun page which use the iframing in this way, we just include a line onLoad that does iframeElement.contentWindow.postMessage("reactivate", "*"); Arbitrary pages out there in the world could copy all of this, but they wouldn't pass the event.origin test in the getpersonas page, so their previews and installs would be disabled -- no more nuisance. Does that all make sense? This bug should update getpersonas AND existing firstrun content (so that fixing this doesn't temporarily break firstrun). I'll file a clone for the AMO galleries.
Comment 2•15 years ago
|
||
Will any changes be required on www.mozilla.com?
Comment 3•15 years ago
|
||
(In reply to comment #2) > Will any changes be required on www.mozilla.com? Yes: iframeElement.contentWindow.postMessage("reactivate", "*"); will need to be added to all our pages that use an iframe to embed personas.
Comment 4•15 years ago
|
||
That can be added harmlessly before the personas site is changed, though (and should be triggered by the iframe signalling onload, right?).
Comment 5•15 years ago
|
||
Example patch for mozilla.com. Will need some help moving this into other pages and locales. Would like a couple people to review.
Comment 6•15 years ago
|
||
Patch for getpersonas.com that disables previews/installs if embedded in iframe and enables only if postmessage is from mozilla.com & data == 'activatePersonas'
Updated•15 years ago
|
Assignee: nobody → rdoherty
Comment 7•15 years ago
|
||
Comment on attachment 423748 [details] [diff] [review] getpersonas.com js patch >+function receiveMessage(event) { >+ if (event.origin == 'http://www.mozilla.com' && >+ event.data == 'activatePersonas') { >+ PERSONAS_ENABLED = true; >+ } Only allowing http://www.mozilla.com is going to break all of our staging sites. Also, we still have to support locale-based subdomains for a while... I'm wondering how many users are still hitting the page via one of the subdomains.
Attachment #423748 -
Flags: review-
Comment 8•15 years ago
|
||
(In reply to comment #7) > Only allowing http://www.mozilla.com is going to break all of our staging > sites. Also, we still have to support locale-based subdomains for a while... > I'm wondering how many users are still hitting the page via one of the > subdomains. Ah, yes, I forgot about those. I can add staging, do we point any of our builds to locale-specific subdomains?
Comment 9•15 years ago
|
||
Comment on attachment 423746 [details] [diff] [review] Mozilla.com patch for 3.6 firstrun So, in general, I think we should try to keep JS-only files as .js so they get correctly cached and gzip'd. Could we do something with minify, too, for all the js things? I'm also curious how onload will interact with the JS loading so late, but maybe that's not an issue.
Attachment #423746 -
Flags: review-
Comment 10•15 years ago
|
||
(In reply to comment #9) > (From update of attachment 423746 [details] [diff] [review]) > So, in general, I think we should try to keep JS-only files as .js so they get > correctly cached and gzip'd. Could we do something with minify, too, for all > the js things? I'm also curious how onload will interact with the JS loading so > late, but maybe that's not an issue. I had intended in adding it to a js file, but the firstrun page doesn't have any external files that this could be added to (all are js libraries and stats code). I don't want to add an extra JS file b/c that's one more file to include. We could use the minify tools we have to reduce http requests, but I don't want to change more code than necessary. Probably a style/opinion thing, if others really think we should do it I can. I think the onload event firing will be ok as long as the external JS file is included above the iframe.
Comment 11•15 years ago
|
||
Can we just make it accept *.mozilla.com and *.mozilla.org, which I think we can trust to not abuse for nuisance?
Comment 12•15 years ago
|
||
anyplace on those domains with user generated content would still be open to hosting abuse. here in bugzilla, amo comments, and probably other places.
Comment 13•15 years ago
|
||
moving to 2.5, 2.4 is going out tonight with fixes for more important security issues.
Target Milestone: 2.4 → 2.5
Comment 14•15 years ago
|
||
Updated js for getpersonas.com. I accidentally committed the previous one, so this is a diff against trunk.
Attachment #423748 -
Attachment is obsolete: true
Attachment #426119 -
Flags: review?(reed)
Comment 15•15 years ago
|
||
Attachment #423746 -
Attachment is obsolete: true
Attachment #426126 -
Flags: review?(reed)
Updated•15 years ago
|
Attachment #426119 -
Flags: review?(reed) → review-
Comment 16•15 years ago
|
||
Comment on attachment 426119 [details] [diff] [review] getpersonas.com js patch v2 >+var ALLOWED_ORIGINS = ['http://www.mozilla.com', 'http://www-trunk.stage.mozilla.com']; Should allow http or https for all hosts. Also need to support *.www.mozilla.com, as I'm just not sure we still don't have users using the old locale-based subdomains. Plus, add www.authstage.mozilla.com. I'm not too worried about locale-based subdomains on the staging servers. How about dev environments? Should we permit localhost or something?
Comment 17•15 years ago
|
||
Comment on attachment 426126 [details] [diff] [review] Mozilla.com patch for 3.6 firstrun v2 >@@ -47,7 +49,6 @@ $page_title = 'Welcome to Firefox'; > </p> > > </div> >- > <?php > @include_once "{$config['file_root']}/{$lang}/includes/footers/3.6/portal-pages.inc.php"; Why are you removing this line? Please keep it. Other than that nit, this is fine. r=reed
Attachment #426126 -
Flags: review?(reed) → review+
Comment 18•15 years ago
|
||
Should have used a regex from the start. Tested with www.mozilla.com, http://www-trunk.stage.mozilla.com, https, locale subdomains, etc.
Attachment #426119 -
Attachment is obsolete: true
Attachment #427846 -
Flags: review?(reed)
Comment 19•15 years ago
|
||
Comment on attachment 427846 [details] [diff] [review] getpersonas.com js patch v3 See comment #12 as to why we don't want *.mozilla.com.
Attachment #427846 -
Flags: review?(reed) → review-
Comment 20•15 years ago
|
||
This should about do it: * www * www-trunk.stage * www.authstage * *.www * http & httpS
Attachment #427846 -
Attachment is obsolete: true
Attachment #428284 -
Flags: review?(reed)
Comment 21•15 years ago
|
||
Comment on attachment 428284 [details] [diff] [review] getpersonas.com js patch v4 r=reed You could collapse this regex some, but what's there is fine as-is for now. If we need to add more sites later, we can. Thanks for the work on this.
Attachment #428284 -
Flags: review?(reed) → review+
Updated•15 years ago
|
Target Milestone: 2.5 → 2.6
Updated•15 years ago
|
Target Milestone: 2.6 → 2.7
Updated•15 years ago
|
Target Milestone: 2.7 → 2.8
Updated•14 years ago
|
Target Milestone: 2.8 → 2.9
Updated•14 years ago
|
Target Milestone: 2.9 → 3.0
Comment 22•14 years ago
|
||
this will probably get yanked from amo soon but someone figure out how to inject personas content on amo at: (https://addons.mozilla.org/en-US/firefox/addon/155045/ code looked like this: </select> </div> </fieldset> <span id="search-data" data-version="any"> </span> <input type="hidden" name="advanced" id="id_advanced" /> </div> </form> </div> </div> <ol class="breadcrumbs"> <li><a href="/en-US/firefox/">Add-ons for Firefox</a></li> <li><a href="/en-US/firefox/personas/">Personas</a></li> <li>Adobe Flash Platform</li> </ol> <hgroup> <h2 class="addon"> <img src="https://www.getpersonas.com/static/5/0/197350/preview_small.jpg" class="icon"/> <span> Adobe Flash Platform </span> </h2> <h4 class="author">by makedonskii</h4> </hgroup> <div id="persona" class="primary" role="main" data-id="155045"> <div class="featured"> <div class="featured-inner object-lead"> <div id="addon-summary-wrapper"> <div id="persona-summary" class=""> <div class="persona persona-large"> <div class="persona-inner"> <div class="persona-preview"> <div title="Adobe Flash Platform" style="background-image:url('https://www.getpersonas.com/static/5/0/197350/preview_large.jpg')" data-browsertheme="{"iconURL":"https://www.getpersonas.com/static/5/0/197350/preview_small.jpg","description":"Adobe Flash Persona","accentcolor":"#b52f2f","header":"http://www.getpersonas.com/static/5/0/197350/flashpersonaforfirefox.jpg","footerURL":"http://www.getpersonas.com/static/5/0/197350/flashpersonafooterforfirefox.jpg","textcolor":"#ffffff","id":"197350","category":null,"headerURL":"http://www.getpersonas.com/static/5/0/197350/flashpersonaforfirefox.jpg","name":"Adobe Flash Platform","author":"makedonskii","footer":"http://www.getpersonas.com/static/5/0/197350/flashpersonafooterforfirefox.jpg","updateURL":"https://www.getpersonas.com/update_check/197350","previewURL":"https://www.getpersonas.com/static/5/0/197350/preview_large.jpg"}"> </div> </div> </div> </div>
Comment 23•14 years ago
|
||
(In reply to comment #22) > this will probably get yanked from amo soon but someone figure out how to > inject personas content on amo at: > > (https://addons.mozilla.org/en-US/firefox/addon/155045/ I'm not sure what's wrong here... AMO has an entire personas section (https://addons.mozilla.org/en-US/firefox/personas/), and since addons.mozilla.org is already whitelisted similar to getpersonas.com, the personas will show up. What problem are you seeing?
Comment 24•14 years ago
|
||
I guess I just wasn't expecting to see a persona preview when I'm looking at something called "Adobe Flash Platform" as did the person reporting this to the addon abuse channel. here was their comment. "... I had some problem with flash contents in my FF 4, so I searched "flash" in addons website. Then I found this addon, with the very confusing name "Adobe Flash Platform", and carelessly clicked on "add to firefox". I think the author intentionally use this name to mislead careless users to install it, for some reason, may be a prank. " Maybe a rename of the addon to call it something like "Persona for Adobe Flash" or some variation that associates it with personas rather than the platform or the plugin would be helpful here.
Comment 25•14 years ago
|
||
A few months ago we allowed Personas to show up in the default search criteria, and we've seen a number of problems where people have called their Personas StumbleUpon, Firesheep, Adobe Flash, etc. Users then install them thinking they're the extension and write bad reviews/abuse reports saying it doesn't actually work. We were talking about this yesterday and decided we should stop showing them in the default search results. This reminds me to file the bug.
Comment 26•14 years ago
|
||
Maybe personas pages should look visually distinct from add-on pages in AMO (ditto search -- really had to look closely today to make sure I was installing the IMDB searchbar thing and not an IMDB site-related add-on). Anyway, it's not this bug because AMO is allowed to host personas. Did the reviewed patch from February ever land? Maybe this bug is fixed.
Comment 27•14 years ago
|
||
Doesn't look like it. Brandon, can you double check that attachment 428284 [details] [diff] [review] doesn't break anything and then land it? Thanks.
Assignee: ryan.doherty → bsavage
Assignee | ||
Comment 28•14 years ago
|
||
This seems to work. Landed in r88676.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 29•14 years ago
|
||
Could one of you please verify this fix on the Personas staging server? http://personas.stage.mozilla.com
Updated•12 years ago
|
Product: Websites → Websites Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•