Closed Bug 929233 Opened 11 years ago Closed 10 years ago

Re-enable XFO for marketplace.firefox.com

Categories

(Marketplace Graveyard :: Security, defect, P5)

Avenir
x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 901741

People

(Reporter: dchanm+bugzilla, Assigned: dbialer)

References

Details

(Whiteboard: [see comment 6])

Following up on bug 872531 It appears that the dependent bug for re-enabling XFO has been resolved (bug 852720). We should be able to set X-Frame-Options back to SAMEORIGIN once carriers roll out v1.1hd . Unfortunately, this will break support for v1.0.0 and v1.0.1 FxOS phones.
Blocks: 872531
David: How long do we need to support v1.0.0 and v1.0.1 phones?
Flags: needinfo?(dbialer)
I will try to get info on the plans for this from the Firefox OS team and what they forecast. I am not sure I understand the implications of the bug.
Flags: needinfo?(dbialer)
I suspect enabling this would mean any users on one of those devices would receive a technical (read: not one we write) error message and the marketplace would fail to load until they upgraded their phone. We'd have to try it to be sure though.
Data suggests that the switchover to 1.1 is just starting with 1.0 devices about 80% of the market. I am not sure if all users will be offered the opportunity to upgrade and when this will happen. So, unfortunately, for the foreseeable future, we need to support 1.0, but this depends on what the OEMs do push push out upgrades as new phones have 1.0.
I mean new phones have 1.1.
I have created an automated alert for me when the 1.0 devices drop below 2000 device visits per day. And we will see from there.
david - great, thanks. Marking this P5 and assigning to David so it doesn't keep coming up in triage.
Assignee: nobody → dbialer
Priority: -- → P5
Whiteboard: [see comment 6]
Hmmm i think js frame busters are more efficient than XFO, Just a JS code to verify if the parent/origin is allowed to iframe the marketplace or not. What's your opinion ?! <script type="text/javascript"> if (self === top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { top.location = 'Your_Website_URL_Here'; } </script> or <script type="text/javascript"> // Disable frame hijacking if (top != self) top.location.href = location.href; </script>
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.