Closed
Bug 761655
(CVE-2012-1961)
Opened 13 years ago
Closed 13 years ago
Firefox ignores X-Frame-Options when set to SAMEORIGIN, SAMEORIGIN (duplicated header)
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: LpSolit, Assigned: geekboy)
References
()
Details
(Keywords: sec-moderate, Whiteboard: [advisory-tracking+][qa-])
Attachments
(2 files, 1 obsolete file)
13.96 KB,
patch
|
geekboy
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
13.83 KB,
patch
|
geekboy
:
review+
dveditz
:
review+
lsblakk
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
Firefox ignores the "X-Frame-Options: SAMEORIGIN, SAMEORIGIN" header when the SAMEORIGIN value is duplicated. Some websites incorrectly have this duplicated header for some unknown reasons, see e.g. bug 761046.
It would probably be fine to change the way nsDSURIContentListener::CheckFrameOptions parses this header to accept duplicated headers.
Comment 1•13 years ago
|
||
Not an enhancement, a bug pure and simple. We need to enhance x-f-o support anyway, see bug 690168; maybe we can do both at the same time.
Blocks: 761046
Severity: enhancement → normal
Updated•13 years ago
|
Keywords: sec-moderate
Assignee | ||
Comment 2•13 years ago
|
||
This is probably due to combining of multiple instances of the header (that's what the comma says to me). AFAIK, the "spec" (working draft: http://tools.ietf.org/html/draft-gondrom-frame-options) doesn't say what to do about this.
There are two ways to fix this:
1. Split the header value and use the most restrictive policy
2. If there's a comma (multiple values), fall back to the policy "DENY"
I don't think we should ignore the header when there are multiple instances, since that would cater to header-injection-based bypasses.
Assignee | ||
Comment 3•13 years ago
|
||
I guess there's a third option too:
3. If there's a comma (multiple values), choose what's stated if there's only one and it is duplicated, choose "DENY" if there are different values.
Assignee | ||
Comment 4•13 years ago
|
||
Here's a patch that does option 1: splits on commas, parses all the policies, and if the framing situation violates any of them, blocks the load. Policies with unrecognized directives (i.e, not "deny" or "sameorigin") are ignored. Patch includes two new tests for the bug.
Comment 5•13 years ago
|
||
Comment on attachment 631201 [details] [diff] [review]
fix
- In content/base/test/file_x-frame-options_page.sjs
+ else if (query['xfo'] == "sameorigin2") {
+ response.setHeader("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN", false);
+ }
Should we add tests here that test various white space combination around the comma as well, and maybe more than two values too while we're at it?
- In nsDSURIContentListener::CheckOneFrameOptionsPolicy():
+ printf("policy: %s\n", NS_ConvertUTF16toUTF8(policy).get());
Remove the printf.
+ if (policy.LowerCaseEqualsLiteral("deny")) {
+ NS_ASSERTION(policy.LowerCaseEqualsLiteral("deny"),
+ "How did we get here with some random header value?");
That assertion will never fire, same condition as the if check we're in.
r=jst with that.
Attachment #631201 -
Flags: review?(jst) → review+
Assignee | ||
Comment 6•13 years ago
|
||
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #5)
> Should we add tests here that test various white space combination around
> the comma as well, and maybe more than two values too while we're at it?
Done. Added a few more tests for two commas and for multiple values.
> + printf("policy: %s\n", NS_ConvertUTF16toUTF8(policy).get());
>
> Remove the printf.
Ack, yes, done.
> That assertion will never fire, same condition as the if check we're in.
Good catch -- artifact of code reorganization. Deleted it. I pushed an updated patch to try, will attach it here after making sure it succeeds.
Assignee | ||
Comment 7•13 years ago
|
||
Addressed review comments, worked fine on Try. Carrying over r=jst.
Attachment #631201 -
Attachment is obsolete: true
Attachment #632300 -
Flags: review+
Assignee | ||
Comment 8•13 years ago
|
||
Pushed to inbound.
https://hg.mozilla.org/integration/mozilla-inbound/rev/62b3098ddd9b
Target Milestone: --- → mozilla16
Reporter | ||
Comment 9•13 years ago
|
||
Is there a chance to see this bug fixed into Fx 14 and 15, as it's security related?
Comment 10•13 years ago
|
||
(In reply to Frédéric Buclin from comment #9)
> Is there a chance to see this bug fixed into Fx 14 and 15, as it's security
> related?
I'd be way more interested in finding and fixing whatever is causing Bugzilla to spit out multiple SAMEORIGIN headers.
Reporter | ||
Comment 11•13 years ago
|
||
(In reply to Reed Loden [:reed] from comment #10)
> I'd be way more interested in finding and fixing whatever is causing
> Bugzilla to spit out multiple SAMEORIGIN headers.
Bugzilla is not the single website in the world. That's unrelated.
Comment 12•13 years ago
|
||
(In reply to Frédéric Buclin from comment #11)
In what real world cases are we actually seeing this occur, aside from the issue found in bug 761046 (which has to do with duplication in another header as well)?
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox14:
--- → affected
status-firefox15:
--- → affected
status-firefox16:
--- → affected
tracking-firefox16:
--- → +
Comment 13•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Updated•13 years ago
|
Updated•13 years ago
|
Group: core-security
Comment 14•13 years ago
|
||
Please request branch approvals if these are appropriate patches, or attach additional back-ported patches if necessary and request approvals on those. Thanks.
Assignee | ||
Comment 15•13 years ago
|
||
Comment on attachment 632300 [details] [diff] [review]
fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): problem in initial implementation of feature.
User impact if declined: Users will not be protected from clickjacking on some sites.
Testing completed (on m-c, etc.): m-c, baked there for a while.
Risk to taking this patch (and alternatives if risky): Not very risky.
String or UUID changes made by this patch: None
This patch (in m-c) applies cleanly to aurora and beta, but not esr10. New patch is coming for that.
Attachment #632300 -
Flags: approval-mozilla-beta?
Attachment #632300 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 16•13 years ago
|
||
The patch that landed on m-c did not apply cleanly to esr10, so here's a patch that does. Applies, compiles and x-frame-options tests succeed on esr10. There are only trivial differences so I'm carrying over jst's r+.
Attachment #639776 -
Flags: review+
Comment 17•13 years ago
|
||
Comment on attachment 639776 [details] [diff] [review]
fix for esr10
r=dveditz on the backport
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Firefox will be sole modern browser to fail to protect users on some sites
User impact if declined: clickjacking attacks possible
Fix Landed on Version: Firefox 14 (soon)
Risk to taking this patch (and alternatives if risky): relatively minor
String or UUID changes made by this patch: none
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #639776 -
Flags: review+
Attachment #639776 -
Flags: approval-mozilla-esr10?
Updated•13 years ago
|
Attachment #632300 -
Flags: approval-mozilla-beta?
Attachment #632300 -
Flags: approval-mozilla-beta+
Attachment #632300 -
Flags: approval-mozilla-aurora?
Attachment #632300 -
Flags: approval-mozilla-aurora+
Comment 18•13 years ago
|
||
Comment on attachment 639776 [details] [diff] [review]
fix for esr10
low risk patch, go ahead and land to all three branches, see https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details on ESR landings.
Attachment #639776 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Assignee | ||
Comment 19•13 years ago
|
||
Thanks Lukas. Landed on all three branches.
Assignee | ||
Comment 20•13 years ago
|
||
Updated•13 years ago
|
Whiteboard: [advisory-tracking+]
Updated•13 years ago
|
Alias: CVE-2012-1961
Comment 21•13 years ago
|
||
Is there something QA can do to verify this fix?
Whiteboard: [advisory-tracking+] → [advisory-tracking+][qa?]
Updated•13 years ago
|
Group: core-security
Updated•12 years ago
|
Whiteboard: [advisory-tracking+][qa?] → [advisory-tracking+][qa-]
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•