CSP frame-ancestors violation sends request headers from framing site

Status: RESOLVED INVALID
Product: Core
Component: DOM: Core & HTML
Severity: critical
Reported: 7 years ago
Modified: 4 years ago

People: Reporter: bsterne, Assigned: geekboy

Tracking: Blocks 1 bug
Version: Trunk
Points: ---

Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

(Reporter)

Description

7 years ago
Created attachment 481051 [details]
testcase (ships off bugzilla request info - not logged)

The site that doesn't want to be framed shouldn't get the request headers from the site that tried to frame them.  Conversely this makes stealing cookies as simple as injecting an iframe to an evil site in the target site, which is generally easier than injecting JavaScript.  Possibly overreacting with sg:high, but playing it safe for now.  Sid, can you take this?
(Reporter)

Comment 1

7 years ago
I'm a dumbass.  I verified with :geekboy that this is invalid and that the report that is sent contains the request-headers from the _framed_ site and the blocked-uri from the _framing_ site.  Sigh.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID

Comment 2

not sg:high if it's invalid.

What if the framed site redirects to a site with session id's in the URL, that has a no-framing CSP policy? Now the private URL is being shipped off to the framing site when normally only the user's browser knows about it. The session could depend on user cookie info that the framer now gets.
Group: core-security
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Whiteboard: [sg:high]
(Reporter)

Comment 3

7 years ago
(In reply to comment #2)
> What if the framed site redirects to a site with session id's in the URL, that
> has a no-framing CSP policy? Now the private URL is being shipped off to the
> framing site when normally only the user's browser knows about it. The session
> could depend on user cookie info that the framer now gets.

Instead of morphing this bug I filed bug 604177.  Closing this one.
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Group: core-security
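The thread turns on what a frame-ancestors violation report carries (the framed site's request headers and the framing site's blocked-uri) and on the follow-up worry that a redirect could put a session id into a URL that ends up in such a report. The receiver of those reports is the place to limit the damage. The following is an added example, not code from this bug, from Firefox, or from any report-collecting service: a small Python sanitizer that takes a report shaped like the early Firefox CSP report described here (a `request` line, a `request-headers` block, `blocked-uri`, `violated-directive`) and strips query strings, fragments and non-allowlisted headers before anything is logged. The sample report and all of its values are constructed placeholders; the field names beyond those the bug mentions are assumptions.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, shaped like the early Firefox CSP violation report the
# bug discusses (request line, request-headers, blocked-uri). Every value is a
# placeholder invented for this example.
SAMPLE_REPORT_JSON = json.dumps({
    "csp-report": {
        "request": "GET /account?sid=SESSION-ID-PLACEHOLDER HTTP/1.1",
        "request-headers": (
            "Host: framed.example\r\n"
            "User-Agent: ExampleBrowser/1.0\r\n"
            "Cookie: session=COOKIE-PLACEHOLDER\r\n"
        ),
        "blocked-uri": "https://framer.example/page.html?ref=abc#frag",
        "violated-directive": "frame-ancestors 'none'",
    }
})

# Headers a report receiver has a reason to keep; everything else (Cookie,
# Authorization, ...) is dropped before the report is stored.
HEADER_ALLOWLIST = {"host", "user-agent"}


def redact_url(url: str) -> str:
    """Keep scheme, host and path; drop query and fragment, where session ids tend to live."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def redact_request_line(line: str) -> str:
    """Strip the query string from the target of an HTTP request line."""
    parts = line.split(" ")
    if len(parts) == 3:  # METHOD TARGET VERSION
        parts[1] = parts[1].split("?", 1)[0]
    return " ".join(parts)


def filter_headers(raw: str) -> dict:
    """Parse a raw header block and keep only allowlisted header names (lower-cased)."""
    kept = {}
    for hline in raw.splitlines():
        name, sep, value = hline.partition(":")
        if sep and name.strip().lower() in HEADER_ALLOWLIST:
            kept[name.strip().lower()] = value.strip()
    return kept


def sanitize_report(raw_json: str) -> dict:
    """Return only the subset of a CSP violation report that is safe to log."""
    report = json.loads(raw_json).get("csp-report", {})
    return {
        "violated-directive": report.get("violated-directive", ""),
        "blocked-uri": redact_url(report.get("blocked-uri", "")),
        "request": redact_request_line(report.get("request", "")),
        "request-headers": filter_headers(report.get("request-headers", "")),
    }


if __name__ == "__main__":
    # Constructed input in, redacted record out; nothing sensitive reaches the log line.
    print(json.dumps(sanitize_report(SAMPLE_REPORT_JSON), indent=2))
```

The allowlist is deliberately short: a report endpoint needs the violated directive and the origin of the framing page to act on a clickjacking attempt, and little else. Dropping the query string before storage is what protects a URL that a redirect has populated with a session id, which is the scenario comment 2 raises.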