Closed Bug 542022 Opened 15 years ago Closed 14 years ago

Prevent random embedding of AMO personas pages, nuisance hover previews

Categories: addons.mozilla.org Graveyard :: Public Pages, defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: johnath
Assignee: Unassigned

+++ This bug was initially created as a clone of Bug #542020 +++

In bug 541308 we discuss the fact that AMO pages can be iframed by arbitrary sites on the net, allowing them to produce nuisance on-hover previews and even installs on click.  While these installs are easily undoable, it's still annoying, and worse, to some users it feels like a genuine security bug.

We think this can be fixed web-side, instead of client side, by putting in a basic "am I framed?" check. The problem with just doing:

if (self != top) {
  // Disable previews/installs
}

is that it would kill our own ability to use pages in an iframe on sites like http://www.mozilla.com/firefox/3.6/firstrun/

Shaver proposed that we handle this with postMessage ( https://developer.mozilla.org/en/DOM/window.postMessage ). So basically, the logic would be:

// on AMO pages that support personas preview/install

var previewsEnabled = true;

if (self != top) {
  // We're in a frame, disable previews/installs until a trusted parent re-enables them
  previewsEnabled = false;
}

// Origins allowed to re-enable previews/installs; compare the whole origin
// string, not a substring, or a lookalike host would pass the check
var trustedOrigins = ["http://www.mozilla.com", "https://www.mozilla.com"];

function receiveMessage(event) {
  if (trustedOrigins.indexOf(event.origin) != -1 && event.data == "reactivate") {
    // Turn previews/installs back on
    previewsEnabled = true;
  }
}
// The DOM event delivered by postMessage is named "message", not "postmessage"
window.addEventListener("message", receiveMessage, false);


And then on sites like the firstrun page which use the iframing in this way, we just include a line onLoad that does

iframeElement.contentWindow.postMessage("reactivate", "*");


Arbitrary pages out there in the world could copy all of this, but they wouldn't pass the event.origin test in the AMO page, so their previews and installs would be disabled -- no more nuisance.

Does that all make sense?  This bug should be used to track the AMO fix - bug 542020 tracks the same work on getpersonas.com and the existing firstrun content.
Hope you don't mind the summary edit. I know the component says AMO but it was still a little confusing having two duplicate summaries in lists.
Summary: Prevent random embedding of personas pages, nuisance hover previews → Prevent random embedding of AMO personas pages, nuisance hover previews

Bug 584831 adds x-frame-options:DENY to all pages on addons.mozilla.org which should prevent any iframing.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

Product: addons.mozilla.org → addons.mozilla.org Graveyard