Closed Bug 580804 Opened 10 years ago Closed 3 years ago

cert exception procedure can be accelerated with clickjacking

Categories

(Core Graveyard :: Security: UI, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 633691

People

(Reporter: geekboy, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [sg:low])

Elie Bursztein reported to me:

A site can overlay a frame with a bad cert and steal two clicks to simulate opening the "I understand the risks" call-out, and "Add Exception" buttons.  This secretly bypasses the hidden cert error page requiring the user to only click "Confirm Security Exception" in the final dialog to add the cert exception.
Whiteboard: [sg:low]
Could we make the "Add exception" button be an "open in top window" button if the page is iframed? Which would set top.location = window.location when clicked.
+1 for "open in top window"
We have to watch out for the parent page reaching into the child iframe and messing up whatever "are we iframed" checks we do.
Would it make sense to have a separate page entirely for framed errors?  Yeah, I know, it's lots of duplication, but then the code linking to the cert exception dialog couldn't possibly be called from the outer page if it doesn't exist.

Maybe that's overkill.  Maybe there's enough cross-domain action going on that it wouldn't be scriptable.
Group: core-security → dom-core-security
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2012-1964
Product: Core → Core Graveyard
Group: dom-core-security
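
The two proposals in the comments above (an "open in top window" button when the error page is framed, and keeping the exception-dialog code out of a framed page entirely), combined in an added example that is not Firefox's code. `isFramed`, `buildCertErrorActions` and the `openExceptionDialog` callback are hypothetical names, and the window object is passed in as a parameter so the logic can run outside a browser.

```javascript
"use strict";

// Hypothetical helper: returns false only when the window is provably top-level.
// Any error while reading the window hierarchy is treated as "framed" (fail closed).
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Decide once, when the error page is built, which actions exist at all.
// In a framed page the returned object has no path to the exception dialog,
// so nothing the embedding page triggers can open it.
function buildCertErrorActions(win, openExceptionDialog) {
  if (!isFramed(win)) {
    return Object.freeze({
      addException: () => {
        openExceptionDialog();
        return "dialog-opened";
      },
    });
  }
  // Capture the target URL up front as a plain string.
  const target = String(win.location.href);
  return Object.freeze({
    openInTop: () => {
      try {
        // Reload the error page as the top-level document, where the user
        // can see the full warning before any exception UI is offered.
        win.top.location = target;
        return "navigated-top";
      } catch (e) {
        // Top navigation refused (for example a sandboxed frame):
        // do nothing rather than fall back to the dialog.
        return "blocked";
      }
    },
  });
}
```
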