Closed
Bug 872531
Opened 11 years ago
Closed 11 years ago
Marketplace missing X-Frame-Options to prevent clickjacking
Categories: Marketplace Graveyard :: Security, defect
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: curtisk, Unassigned
Keywords: sec-low
From: Erik Romijn <eromijn@solidlinks.nl>
Subject: Mozilla security bug report: marketplace lacking clickjacking protection
Date: Wed, 15 May 2013 13:31:36 +0200
To: security@mozilla.org
-----//-----
Hi,

Apologies for my empty mail from a few minutes ago - wrong shortcut.

I noticed that marketplace.firefox.com does not protect against clickjacking by sending an X-Frame-Options header. As far as I could see right now, there is also no other clickjacking protection in place, leaving the marketplace open to clickjacking attacks.

kind regards,
Erik Romijn
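The check the reporter describes, done against response headers, as an added example that is not part of the bug report or of the Marketplace code. It treats a Content-Security-Policy frame-ancestors directive as authoritative when present (browsers that support it ignore X-Frame-Options in that case), and the sample header sets are constructed.

```python
"""Audit HTTP response headers for framing (clickjacking) protection."""
from typing import Dict, Tuple


def _get(headers: Dict[str, str], name: str) -> str:
    # Header names are case-insensitive; normalise on lookup.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers."""
    csp = _get(headers, "Content-Security-Policy")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            # 'none' or an explicit origin list restricts framing;
            # '*' or an empty source list does not.
            if not sources or "*" in sources:
                return False, "frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = _get(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Legacy single-origin form; not honoured by all browsers.
        return True, "X-Frame-Options " + xfo + " (legacy form)"
    if xfo:
        return False, "unrecognised X-Frame-Options value: " + xfo
    return False, "no X-Frame-Options and no CSP frame-ancestors"


if __name__ == "__main__":
    # Constructed samples, not captured from marketplace.firefox.com.
    samples = {
        "unprotected": {"Content-Type": "text/html"},
        "xfo": {"x-frame-options": "sameorigin"},
        "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *",
                              "X-Frame-Options": "DENY"},
    }
    for name, hdrs in samples.items():
        print(name, framing_protection(hdrs))
```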
Updated•11 years ago
Updated•11 years ago
Assignee: fbraun → nobody
Flags: sec-bounty?
Comment 2•11 years ago
We had to remove the x-frame-options header in order to ship the packaged app. This was a conscious decision and we won't be able to change it for the near future (since devices are shipping). CCing rforbes for any additional details there, but since we can't fix this bug I'm marking wontfix.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Comment 3•11 years ago
It would not be possible to fix this until bug 852720 lands
Comment 4•11 years ago
This is a sec-low issue so it doesn't qualify for bounty.
Flags: sec-bounty? → sec-bounty-
Comment 6•11 years ago
https://marketplace.firefox.com/ is a sensitive page so for that there is also protection against clickjacking. Should set up XFO.
Comment 7•11 years ago
https://marketplace.firefox.com/ is a sensitive page so for that there is also no protection against clickjacking. Should set up XFO.
Updated•9 years ago
Group: client-services-security
Comment 18•8 years ago
Is the decision to wontfix this still relevant? There was some discussion this was for Firefox OS, which is why I'm asking.