Closed
Bug 542022
Opened 15 years ago
Closed 14 years ago
Prevent random embedding of AMO personas pages, nuisance hover previews
Categories: addons.mozilla.org Graveyard :: Public Pages, defect
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: (Reporter: johnath, Unassigned)
+++ This bug was initially created as a clone of Bug #542020 +++

In bug 541308 we discuss the fact that AMO pages can be iframed by arbitrary sites on the net, allowing them to produce nuisance on-hover previews and even installs on click. While these installs are easily undoable, it's still annoying, and worse, to some users it feels like a genuine security bug.

We think this can be fixed web-side, instead of client side, by putting in a basic "am I framed?" check. The problem with just doing:

    if (self != top) {
      // Disable previews/installs
    }

is that it would kill our own ability to use pages in an iframe on sites like http://www.mozilla.com/firefox/3.6/firstrun/

Shaver proposed that we handle this with postMessage ( https://developer.mozilla.org/en/DOM/window.postMessage ). So basically, the logic would be:

    // on AMO pages that support personas preview/install
    if (self != top) {
      // We're in a frame, disable previews/installs
    }

    // mozilla.com or otherwise trusted embedders (illustrative list)
    var trustedOrigins = ["http://www.mozilla.com", "https://www.mozilla.com"];

    function receiveMessage(event) {
      // exact origin match plus the agreed token ("reactivate" or whatever)
      if (trustedOrigins.indexOf(event.origin) !== -1 && event.data === "reactivate") {
        // Turn previews/installs back on
      }
    }

    // the DOM event fired by postMessage is named "message"
    window.addEventListener("message", receiveMessage, false);

And then on sites like the firstrun page which use the iframing in this way, we just include a line onLoad that does

    iframeElement.contentWindow.postMessage("reactivate", "*");

Arbitrary pages out there in the world could copy all of this, but they wouldn't pass the event.origin test in the AMO page, so their previews and installs would be disabled -- no more nuisance.

Does that all make sense? This bug should be used to track the AMO fix - bug 542020 tracks the same work on getpersonas.com and the existing firstrun content.
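The handshake described above, as an added example that is not part of the bug report, AMO, or the firstrun page: the framed page stays disabled until a trusted embedder posts the reactivation token, with the origin check done as an exact allowlist match (a substring test for "mozilla.com" would also accept an attacker-controlled origin that merely contains it), and the embedder sends with an explicit targetOrigin instead of "*". The trusted-origin list, the token value and the AMO origin are assumptions.

```javascript
// Added example, not AMO's or the firstrun page's code.
// Trusted embedder origins, the token and the AMO origin are assumptions.
const TRUSTED_EMBEDDERS = new Set([
  "http://www.mozilla.com",
  "https://www.mozilla.com",
]);
const REACTIVATE_TOKEN = "reactivate";
const AMO_ORIGIN = "https://addons.mozilla.org"; // assumed origin of the framed page

// A message re-enables previews/installs only if it comes from an allowlisted
// origin (exact match, never a substring test) and carries the agreed token.
function isTrustedReactivation(event) {
  return typeof event.origin === "string" &&
    TRUSTED_EMBEDDERS.has(event.origin) &&
    event.data === REACTIVATE_TOKEN;
}

// Gate for the framed AMO page: disabled while framed until a trusted
// reactivation arrives; a page that is not framed is always enabled.
function createPersonasGate(isFramed) {
  let reactivated = false;
  return {
    onMessage(event) {
      if (isTrustedReactivation(event)) reactivated = true;
      return this.enabled();
    },
    enabled() {
      return !isFramed || reactivated;
    },
  };
}

// Embedder side (e.g. the firstrun page): post the token to the AMO frame
// with an explicit targetOrigin so it is not delivered to a frame that has
// navigated elsewhere. Returns the arguments used, for inspection.
function reactivateFrame(frameWindow, targetOrigin = AMO_ORIGIN) {
  frameWindow.postMessage(REACTIVATE_TOKEN, targetOrigin);
  return [REACTIVATE_TOKEN, targetOrigin];
}

// Browser wiring for the AMO page; skipped when there is no DOM (e.g. tests).
if (typeof window !== "undefined") {
  const gate = createPersonasGate(window.self !== window.top);
  window.addEventListener("message", (e) => gate.onMessage(e), false);
  // Preview/install handlers check gate.enabled() before acting.
}
```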
Comment 1 • 15 years ago
Hope you don't mind the summary edit. I know the component says AMO but it was still a little confusing having two duplicate summaries in lists.
Summary: Prevent random embedding of personas pages, nuisance hover previews → Prevent random embedding of AMO personas pages, nuisance hover previews
Comment 2 • 14 years ago
Bug 584831 adds x-frame-options:DENY to all pages on addons.mozilla.org which should prevent any iframing.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard