(Copied from mcoates bug #599410)

Issue
The input website is not currently using the X-Frame-Options header to prevent another site from maliciously framing the input site. The X-Frame-Options header can be used as a defense against clickjacking attacks, which ultimately allow an attacker to fool a user into unintentionally submitting happy/sad reports.

Steps to Reproduce:
1. Request any input page and inspect the HTTP response for the primary HTML content (e.g. not the .css or .js responses).
2. Observe the X-Frame-Options header is not present.

Recommended Remediation
Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY" or "SAMEORIGIN". DENY will block any site (regardless of domain) from framing the content. SAMEORIGIN will block all sites from framing the content, except sites within the same domain. The "DENY" setting is recommended unless a specific need has been identified for framing.
Can someone pick this up before 1.8 goes out tomorrow?
Commonware is our friend. Fix and test: http://github.com/fwenzel/reporter/commit/0d10493 QA: Since we don't use (i)frames on Input, every response should contain that header ("DENY") now.
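The remediation in the report (send X-Frame-Options on every HTML response, value DENY or SAMEORIGIN) and the QA check in the comment above (every response should now carry DENY) as an added, framework-free Python example. This is not code from the Input/reporter project or from commonware; the function names, the header-dict convention and the sample responses are my own, and the sample responses are constructed to resemble the verification capture in this bug rather than copied from it.

```python
"""Added example: set and verify the X-Frame-Options header.

Not part of the Input project or commonware. Two pieces:
  add_frame_options()   -- what a middleware would do on the way out
  check_frame_options() -- what QA would do against a raw HTTP response
"""

# The only two values the bug recommends; browsers ignore anything they
# do not recognise, so a misspelt value is equivalent to no header at all.
VALID_VALUES = {"DENY", "SAMEORIGIN"}
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def _media_type(content_type):
    """'text/html; charset=utf-8' -> 'text/html' (lower-cased)."""
    return content_type.split(";", 1)[0].strip().lower()


def add_frame_options(headers, value="DENY"):
    """Return a copy of a response-header dict with X-Frame-Options added.

    Assumption (not from the page): headers is a plain dict name -> value.
    The header is added only when the body is HTML, as the bug's remediation
    says, and an existing header is left alone so a view can opt out.
    """
    if value not in VALID_VALUES:
        raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN, got %r" % value)
    out = dict(headers)
    ctype = next((v for k, v in out.items() if k.lower() == "content-type"), "")
    already_set = any(k.lower() == "x-frame-options" for k in out)
    if _media_type(ctype) in HTML_TYPES and not already_set:
        out["X-Frame-Options"] = value
    return out


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).

    Header names are lower-cased because they are case-insensitive on the
    wire: the verification capture in this bug shows 'x-frame-options'.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_frame_options(raw):
    """Return (ok, reason) for one raw response.

    Only HTML responses are required to carry the header (the bug's
    remediation); the value must be one of VALID_VALUES, and exactly one
    header must be present, since duplicates with different values are not
    interpreted consistently across browsers.
    """
    _, headers = parse_response(raw)
    ctypes = [v for n, v in headers if n == "content-type"]
    if not ctypes or _media_type(ctypes[0]) not in HTML_TYPES:
        return True, "not an HTML response"
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not xfo:
        return False, "X-Frame-Options missing"
    if len(xfo) > 1:
        return False, "multiple X-Frame-Options headers"
    if xfo[0] not in VALID_VALUES:
        return False, "unrecognised value: " + xfo[0]
    return True, xfo[0]


def _build(status, header_lines, body):
    return "\r\n".join([status] + header_lines) + "\r\n\r\n" + body


# Constructed sample responses (not real captures).
UNFIXED_HTML = _build("HTTP/1.1 200 OK",
                      ["Server: Apache/2.2.3 (Red Hat)",
                       "Content-Type: text/html; charset=utf-8"],
                      "<html></html>")
FIXED_HTML = _build("HTTP/1.1 200 OK",
                    ["Server: Apache/2.2.3 (Red Hat)",
                     "x-frame-options: DENY",
                     "Content-Type: text/html; charset=utf-8"],
                    "<html></html>")
TYPO_HTML = FIXED_HTML.replace("DENY", "DENIED")
CSS_ASSET = _build("HTTP/1.1 200 OK",
                   ["Content-Type: text/css"], "body{}")


if __name__ == "__main__":
    for name, raw in [("unfixed", UNFIXED_HTML), ("fixed", FIXED_HTML),
                      ("typo", TYPO_HTML), ("css", CSS_ASSET)]:
        print(name, check_frame_options(raw))
```

The check deliberately treats a non-HTML response as passing: the bug's remediation only asks for the header on HTML, and the reporter's repro step says to ignore the .css and .js responses. If you want the stricter property stated in the QA note (every response carries DENY), drop the media-type test in check_frame_options and the media-type test in add_frame_options together.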
Verified FIXED: http://input.stage.mozilla.com/en-US/themes/

GET /en-US/themes/ HTTP/1.1
Host: input.stage.mozilla.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:18.104.22.168) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://input.stage.mozilla.com/en-US/
<snip>

HTTP/1.1 200 OK
Date: Fri, 01 Oct 2010 19:03:54 GMT
Server: Apache/2.2.3 (Red Hat)
Expires: Fri, 01 Oct 2010 19:08:54 GMT
Last-Modified: Fri, 01 Oct 2010 19:03:54 GMT
Etag: "5b6faf2a4df7677f85c727f5f7d32811"
Cache-Control: max-age=300
x-frame-options: DENY
Keep-Alive: timeout=5, max=631
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
These bugs are all resolved, so I'm removing the security flag from them.