Closed Bug 770239 Opened 7 years ago Closed 7 years ago

Re-enable X-Frame-Options in b2g

Categories

(Firefox OS Graveyard :: General, defect)

x86_64
Linux
defect
Not set

Tracking

(blocking-kilimanjaro:?)

RESOLVED FIXED

People

(Reporter: justin.lebar+bug, Assigned: justin.lebar+bug)

References

(Blocks 1 open bug)

Details

(Keywords: sec-moderate)

Attachments

(2 files)

We disabled X-Frame-Options in b2g in bug 707893, because it ran afoul of <iframe mozbrowser>. We need to make it mozbrowser-aware and re-enable it.
We should treat this as a security bug because lack of XFO support will make users vulnerable to clickjacking attacks on popular web services. Torn on whether to rate this moderate (only some sites affected) or high (damage could include account compromise on those sites).
blocking-kilimanjaro: --- → ?
Keywords: sec-moderate
Attached patch: Patch, v1
Attachment #639992 - Flags: review?(bzbarsky)
Attached patch: Tests, v1
Attachment #639993 - Flags: review?(bzbarsky)
Assignee: nobody → justin.lebar+bug
Comment on attachment 639992
Patch, v1

r=me
Attachment #639992 - Flags: review?(bzbarsky) → review+
Comment on attachment 639993
Tests, v1

r=me, but I hope you understand that I'm at best skimming these test patches....  Please let me know if you think I should be reviewing them more carefully.
Attachment #639993 - Flags: review?(bzbarsky) → review+
> Please let me know if you think I should be reviewing them more carefully.

I will, thanks.
Depends on: 772076
Depends on: 774235
Depends on: 774676