Closed
Bug 600062
Opened 14 years ago
Closed 14 years ago
Use X-Frame-Options Header to Prevent Malicious Site Framing
Categories
(Input :: General, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
1.9
People
(Reporter: dchanm+bugzilla, Assigned: wenzel)
Details
(Whiteboard: [infrasec:crossdomain])
(Copied from mcoates bug #599410)

Issue

The input website is not currently using the X-Frame-Options header to prevent another site from maliciously framing the input site. The X-Frame-Options header can be used as a defense against clickjacking attacks, which ultimately allow an attacker to fool a user into unintentionally submitting happy/sad reports.

Steps to Reproduce:

1. Request any input page and inspect the HTTP response for the primary html content (e.g. not the .css or .js responses)
2. Observe the X-Frame-Options header is not present.

Recommended Remediation

Set the x-frame-options header for all responses containing HTML content. The possible values are "DENY" or "SAMEORIGIN". DENY will block any site (regardless of domain) from framing the content. SAMEORIGIN will block all sites from framing the content, except sites within the same domain. The "DENY" setting is recommended unless a specific need has been identified for framing.
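The remediation above, applied as a response-header middleware. This is an added example, not the Input project's code and not the commonware fix referenced later in this bug; it assumes a plain WSGI application and defaults to the "DENY" policy the report recommends. It adds the header only to responses whose Content-Type is HTML, leaves an X-Frame-Options value already set by the inner application untouched, and rejects any policy other than DENY or SAMEORIGIN at construction time so a misspelt value cannot silently disable the protection.

```python
"""Added example (not the Input project's own code): a WSGI middleware that
sends X-Frame-Options on every HTML response, as the bug's remediation asks.
Assumption: a plain WSGI app; the policy defaults to DENY."""

VALID_POLICIES = ("DENY", "SAMEORIGIN")
HTML_TYPES = ("text/html", "application/xhtml+xml")


def _is_html(headers):
    """True when the Content-Type header (case-insensitive) names an HTML type."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() in HTML_TYPES
    return False


def add_frame_options(headers, policy="DENY"):
    """Return a new header list with X-Frame-Options added where appropriate.

    Non-HTML responses (.css, .js, images) are returned unchanged, and an
    X-Frame-Options header the application already set is not overridden.
    """
    headers = list(headers)
    if not _is_html(headers):
        return headers
    if any(name.lower() == "x-frame-options" for name, _ in headers):
        return headers
    headers.append(("X-Frame-Options", policy))
    return headers


class XFrameOptionsMiddleware:
    """Wrap a WSGI app so that every HTML response carries X-Frame-Options."""

    def __init__(self, app, policy="DENY"):
        policy = policy.upper()
        if policy not in VALID_POLICIES:
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, add_frame_options(headers, self.policy), exc_info)
        return self.app(environ, wrapped_start_response)


# --- constructed demo applications, not part of the original page ---

def html_app(environ, start_response):
    """Stands in for a page such as the report form."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>happy/sad report form</body></html>"]


def css_app(environ, start_response):
    """Stands in for a static .css response, which needs no header."""
    start_response("200 OK", [("Content-Type", "text/css")])
    return [b"body { color: black }"]


def run(app, path="/"):
    """Minimal WSGI driver; returns (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    _, h, _ = run(XFrameOptionsMiddleware(html_app))
    print("HTML page:", header(h, "x-frame-options"))  # DENY
    _, h, _ = run(XFrameOptionsMiddleware(css_app))
    print("CSS file:", header(h, "x-frame-options"))   # None
```

The lookup in `header` is case-insensitive on purpose: HTTP header names are not case-sensitive, and the verification later in this bug shows the server emitting the name in lower case.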
Comment 1•14 years ago
Can someone pick this up before 1.8 goes out tomorrow?
Updated•14 years ago
Target Milestone: --- → 1.9
Updated•14 years ago
Priority: -- → P1
Updated•14 years ago
Whiteboard: [infrasec:access] → [infrasec:crossdomain]
Comment 2•14 years ago
Commonware is our friend. Fix and test: http://github.com/fwenzel/reporter/commit/0d10493 QA: Since we don't use (i)frames on Input, every response should contain that header ("DENY") now.
Assignee: nobody → fwenzel
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 3•14 years ago
Verified FIXED: http://input.stage.mozilla.com/en-US/themes/

GET /en-US/themes/ HTTP/1.1
Host: input.stage.mozilla.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://input.stage.mozilla.com/en-US/

<snip>

HTTP/1.1 200 OK
Date: Fri, 01 Oct 2010 19:03:54 GMT
Server: Apache/2.2.3 (Red Hat)
Expires: Fri, 01 Oct 2010 19:08:54 GMT
Last-Modified: Fri, 01 Oct 2010 19:03:54 GMT
Etag: "5b6faf2a4df7677f85c727f5f7d32811"
Cache-Control: max-age=300
x-frame-options: DENY
Keep-Alive: timeout=5, max=631
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Status: RESOLVED → VERIFIED
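The manual verification above can be turned into a repeatable check. The following is an added example, not part of the bug's own QA, that parses a captured HTTP response in the raw form pasted in Comment 3 and reports whether it meets the recommended policy. It accepts the lower-case header name the server emitted, treats only HTML responses as in scope (matching the remediation's "all responses containing HTML content"), and flags a header whose value is anything other than DENY or SAMEORIGIN, including a duplicated header, as not meeting the recommendation. The sample responses are constructed for the example; the fixed one mirrors the headers shown in the comment.

```python
"""Added example (not the bug's own verification): classify a captured HTTP
response by its X-Frame-Options header.  Input is raw response text as pasted
in Comment 3; sample responses below are constructed for this example."""

ACCEPTED = {"DENY", "SAMEORIGIN"}
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def parse_response_head(raw):
    """Split raw response text into (status_line, headers).

    Header names are lower-cased so 'x-frame-options' and 'X-Frame-Options'
    compare equal.  Repeated headers are joined with ', ' rather than
    overwritten, so a second, conflicting value is not silently lost.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.strip("\n").split("\n")
    status_line, headers = lines[0], {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray lines such as '<snip>'
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status_line, headers


def check_frame_options(raw):
    """Return (verdict, detail) for one captured response.

    'ok'       header present with DENY or SAMEORIGIN
    'missing'  HTML response without the header (the bug's original finding)
    'weak'     header present but not a single DENY/SAMEORIGIN value
    'n/a'      response is not HTML, so the header is not required
    """
    _, headers = parse_response_head(raw)
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype not in HTML_TYPES:
        return "n/a", ctype or "(no content-type)"
    value = headers.get("x-frame-options")
    if value is None:
        return "missing", ctype
    if value.strip().upper() in ACCEPTED:
        return "ok", value
    return "weak", value


# --- constructed samples (not captured traffic) ---

FIXED_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Date: Fri, 01 Oct 2010 19:03:54 GMT",
    "Server: Apache/2.2.3 (Red Hat)",
    "Cache-Control: max-age=300",
    "x-frame-options: DENY",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body>themes</body></html>",
])

UNFIXED_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.2.3 (Red Hat)",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body>themes</body></html>",
])

CSS_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/css",
    "",
    "body { color: black }",
])

DUPLICATED_RESPONSE = FIXED_RESPONSE.replace(
    "x-frame-options: DENY", "x-frame-options: DENY\nX-Frame-Options: SAMEORIGIN")


if __name__ == "__main__":
    for label, sample in [("fixed", FIXED_RESPONSE), ("unfixed", UNFIXED_RESPONSE),
                          ("css", CSS_RESPONSE), ("duplicated", DUPLICATED_RESPONSE)]:
        print(label, check_frame_options(sample))
```

Running the check over every HTML response of a crawl, rather than one hand-picked page, is what turns the "every response should contain that header" claim in Comment 2 into something QA can assert mechanically.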
Updated•13 years ago
Component: Input → General
Product: Webtools → Input
Updated•12 years ago
Group: webtools-security → websites-security
Comment 4•8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security