User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0 Build ID: 20121128204232 Steps to reproduce: Hi Folks, I found a new cross-domain content extraction method that could be used in order to exploit UI Redressing issue under Firefox. The extraction method is extremely simple: instead of performing a drag&drop action of sensitive data, from a framed vulnerable web page to the framing one (attacker-controlled), the victim is triggered to navigate a malicious html page that includes two iframes: the former frames the vulnerable page - where the sensitive content resides - while the latter frames another attacker's page that is used to drop the extracted content. Firefox is not able to block this kind of attack because no check on cross-domain drag&drop between iframes is performed. The (iframe-to-iframe) method was tested against the latest version of Firefox. Further details can be found here: blog.nibblesec.org Thanks, Luca
As noted at http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-firefox-0day-and.html dragging from a frame to a cross-origin parent was blocked by the fix in bug 605991. It could be we don't want to address the drag and drop aspect of this--I bet it breaks a lot of things--but instead kill support for view-source: in anything but a top-level window/tab. I'm sure that will break things too (it'll break one of my old bookmarklets, for example) but since they will be Gecko-only things it's more defensible.
In addition to the nibblesec blog this was referenced at the end of a recent ThreatPost article, http://threatpost.com/en_us/blogs/chrome-clickjacking-vulnerability-could-expose-user-information-google-amazon-010213
Disabling "view-source:" for iframes won't really solve this, because plenty of sensitive data is shown as text. Sounds to me like we just need to complete the fix for bug 605991, so it also applies to iframe-to-iframe dragging.
Neil want to take this one?
So the idea is to block dragging from a content frame to another content frame within the same toplevel parent?
sounds like so. It is strict, but how else could this be resolved.