872531 - Marketplace missing X-Frame-Options to prevent clickjacking

Status: RESOLVED WONTFIX

(Marketplace Graveyard :: Security, defect)

Description

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

From: Erik Romijn <eromijn@solidlinks.nl>
Subject: Mozilla security bug report: marketplace lacking clickjacking
	protection
Date: Wed, 15 May 2013 13:31:36 +0200
To: security@mozilla.org
-----//-----
Hi,

Apologies for my empty mail from a few minutes ago - wrong shortcut.

I noticed that marketplace.firefox.com does not protect against clickjacking by sending an X-Frame-Options header. As far as I could see right now, there is also no other clickjacking protection in place, leaving the marketplace open to clickjacking attacks.

kind regards,
Erik Romijn

Comment 1

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

assigned to freddby for verification

Comment 2

[Wil Clouser [:clouserw]]

We had to remove the x-frame-options header in order to ship the packaged app.  This was a conscious decision and we won't be able to change it for the near future (since devices are shipping).

CCing rforbes for any additional details there, but since we can't fix this bug I'm marking wontfix.

Comment 3

[Kumar McMillan [:kumar]]

It would not be possible to fix this until bug 852720 lands

Comment 4

[Al Billings [:abillings - ex-MoCo]]

This is a sec-low issue so it doesn't qualify for bounty.

Comment 6

[Rishiraj Sharma]

https://marketplace.firefox.com/ is a sensitive page so for that there is also protection against Click Jacking. Should setup XFO.

Comment 7

[Rishiraj Sharma]

https://marketplace.firefox.com/ is a sensitive page so for that there is also no protection against Click Jacking. Should setup XFO.

Comment 18

[Jonathan Claudius [:claudijd] (use NEEDINFO)]

Is the decision to wontfix this still relevant? There was some discussion this was for FireFox OS, which is why I'm asking.