Use X-Frame-Options Header to Prevent Malicious Site Framing

VERIFIED FIXED in 1.9

Status: VERIFIED FIXED | Product: Input | Component: General | Priority: P1 | Severity: normal | Reported: 7 years ago | Modified: 2 years ago

People

(Reporter: dchan, Assigned: wenzel)

Details

(Whiteboard: [infrasec:crossdomain])

(Reporter)

Description

7 years ago
(Copied from mcoates bug #599410)

Issue

The input website is not currently using the X-Frame-Options header to
prevent another site from maliciously framing the input site.
The X-Frame-Options header can be used as a defense against clickjacking attacks,
which ultimately allow an attacker to fool a user into unintentionally submitting happy/sad reports.

Steps to Reproduce:
1. Request any input page and inspect the HTTP response for the primary
html content (e.g. not the .css or .js responses)
2. Observe the X-Frame-Options header is not present.


Recommended Remediation

Set the x-frame-options header for all responses containing HTML content. The
possible values are "DENY" or "SAMEORIGIN".

DENY will block any site (regardless of domain) from framing the content.

SAMEORIGIN will block all sites from framing the content, except sites within
the same domain.

The "DENY" setting is recommended unless a specific need has been identified
for framing.
Can someone pick this up before 1.8 goes out tomorrow?
Target Milestone: --- → 1.9
Priority: -- → P1
Whiteboard: [infrasec:access] → [infrasec:crossdomain]
(Assignee)

Comment 2

7 years ago
Commonware is our friend. Fix and test: http://github.com/fwenzel/reporter/commit/0d10493

QA: Since we don't use (i)frames on Input, every response should contain that header ("DENY") now.
Assignee: nobody → fwenzel
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Verified FIXED:

http://input.stage.mozilla.com/en-US/themes/

GET /en-US/themes/ HTTP/1.1
Host: input.stage.mozilla.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://input.stage.mozilla.com/en-US/
<snip>

HTTP/1.1 200 OK
Date: Fri, 01 Oct 2010 19:03:54 GMT
Server: Apache/2.2.3 (Red Hat)
Expires: Fri, 01 Oct 2010 19:08:54 GMT
Last-Modified: Fri, 01 Oct 2010 19:03:54 GMT
Etag: "5b6faf2a4df7677f85c727f5f7d32811"
Cache-Control: max-age=300
x-frame-options: DENY
Keep-Alive: timeout=5, max=631
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Status: RESOLVED → VERIFIED
Component: Input → General
Product: Webtools → Input
Group: webtools-security → websites-security
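The header the description asks for is best set once for the whole site rather than per view, which is what Comment 2 does with commonware. The block below is an added example, not code from the Input project or from commonware: a hypothetical WSGI middleware `XFrameOptionsMiddleware` that stamps `X-Frame-Options: DENY` (or `SAMEORIGIN`) onto every response, a constructed stand-in application `feedback_app`, an in-process `run_request` helper, and `frame_options_from_response`, which checks a captured HTTP response like the one QA posted above for the header. Everything else (the sample "before" response, the path `/en-US/themes/`) is constructed for the example; only the Python standard library is used.

```python
from wsgiref.util import setup_testing_defaults

# The two values the description recommends choosing between.
FRAME_OPTIONS_VALUES = ("DENY", "SAMEORIGIN")


class XFrameOptionsMiddleware:
    """WSGI wrapper that stamps X-Frame-Options onto every response.

    DENY is the default, matching the bug's recommendation; SAMEORIGIN is the
    only other value accepted, for sites with an identified framing need.
    (Hypothetical helper for this example, not commonware's middleware.)
    """

    def __init__(self, app, value="DENY"):
        if value not in FRAME_OPTIONS_VALUES:
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN, got %r" % (value,))
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            # Replace any copy the application set, so exactly one header
            # carries the policy and a single view cannot silently weaken it.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def feedback_app(environ, start_response):
    """Constructed stand-in for the Input application: serves a small HTML page."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><form>Happy or sad?</form></body></html>"]


def run_request(app, path="/en-US/themes/"):
    """Drive a WSGI app in-process (no network); return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    setup_testing_defaults(environ)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def frame_options_from_response(raw):
    """Return the X-Frame-Options value from a captured HTTP response, or None
    when the header is absent (the state the bug reports).

    Header names are matched case-insensitively: Apache emitted the header as
    'x-frame-options' in the verification capture.
    """
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            return value.strip().upper()
    return None


def is_frame_protected(raw):
    """True when the response carries one of the two recommended values."""
    return frame_options_from_response(raw) in FRAME_OPTIONS_VALUES


# Response headers as posted in the verification comment (trimmed to the
# lines that matter here).
VERIFIED_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 01 Oct 2010 19:03:54 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: max-age=300
x-frame-options: DENY
Content-Type: text/html; charset=utf-8

<html>...</html>"""

# Constructed: the same kind of response before the fix, header missing.
UNPROTECTED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/html; charset=utf-8

<html>...</html>"""


if __name__ == "__main__":
    for label, raw in (("before", UNPROTECTED_RESPONSE), ("after", VERIFIED_RESPONSE)):
        print(label, frame_options_from_response(raw), is_frame_protected(raw))
    _, headers, _ = run_request(XFrameOptionsMiddleware(feedback_app))
    print(headers)
```

`frame_options_from_response` is also a quick way to re-check a staging response the way QA did here: paste the captured headers in and it reports the value or `None`. Wrapping the whole application rather than individual views is what makes the "every response should contain that header" claim in Comment 2 checkable: the middleware does not depend on each view remembering to set it.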
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security