Bug 602063 (Closed) - Opened 9 years ago, Closed 9 years ago

CSP frame-ancestors violation sends request headers from framing site

Component: Core :: DOM: Core & HTML
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED INVALID
Reporter: bsterne
Assignee: geekboy
References: Blocks 1 open bug
Attachments: 1 file

The site that doesn't want to be framed shouldn't get the request headers from the site that tried to frame them.  Conversely this makes stealing cookies as simple as injecting an iframe to an evil site in the target site, which is generally easier than injecting JavaScript.  Possibly overreacting with sg:high, but playing it safe for now.  Sid, can you take this?
I'm a dumbass.  I verified with :geekboy that this is invalid and that the report that is sent contains the request-headers from the _framed_ site and the blocked-uri from the _framing_ site.  Sigh.
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
not sg:high if it's invalid.

What if the framed site redirects to a site with session IDs in the URL, that has a no-framing CSP policy? Now the private URL is being shipped off to the framing site when normally only the user's browser knows about it. The session could depend on user cookie info that the framer now gets.
Group: core-security
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Whiteboard: [sg:high]
(In reply to comment #2)
> What if the framed site redirects to a site with session IDs in the URL, that
> has a no-framing CSP policy? Now the private URL is being shipped off to the
> framing site when normally only the user's browser knows about it. The session
> could depend on user cookie info that the framer now gets.

Instead of morphing this bug I filed bug 604177.  Closing this one.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Group: core-security