Closed
Bug 929233
Opened 11 years ago
Closed 10 years ago
Re-enable XFO for marketplace.firefox.com
Categories
(Marketplace Graveyard :: Security, defect, P5)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 901741
People
(Reporter: dchanm+bugzilla, Assigned: dbialer)
References
Details
(Whiteboard: [see comment 6])
Following up on bug 872531
It appears that the dependent bug for re-enabling XFO has been resolved (bug 852720). We should be able to set X-Frame-Options back to SAMEORIGIN once carriers roll out v1.1hd. Unfortunately, this will break support for v1.0.0 and v1.0.1 FxOS phones.
Comment 1•11 years ago
David: How long do we need to support v1.0.0 and v1.0.1 phones?
Flags: needinfo?(dbialer)
Assignee
Comment 2•11 years ago
I will try to get info on the plans for this from the Firefox OS team and what they forecast. I am not sure I understand the implications of the bug.
Flags: needinfo?(dbialer)
Comment 3•11 years ago
I suspect enabling this would mean any users on one of those devices would receive a technical (read: not one we write) error message and the marketplace would fail to load until they upgraded their phone. We'd have to try it to be sure though.
Assignee
Comment 4•11 years ago
Data suggests that the switchover to 1.1 is just starting, with 1.0 devices at about 80% of the market. I am not sure if all users will be offered the opportunity to upgrade and when this will happen. So, unfortunately, for the foreseeable future, we need to support 1.0, but this depends on what the OEMs do to push out upgrades, as new phones have 1.0.
Assignee
Comment 5•11 years ago
I mean new phones have 1.1.
Assignee
Comment 6•11 years ago
I have created an automated alert for me when the 1.0 devices drop below 2000 device visits per day. And we will see from there.
Comment 7•11 years ago
David - great, thanks. Marking this P5 and assigning to David so it doesn't keep coming up in triage.
Assignee: nobody → dbialer
Priority: -- → P5
Whiteboard: [see comment 6]
Comment 8•10 years ago
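Hmmm, I think JS frame busters are more efficient than XFO. Just a JS code to verify if the parent/origin is allowed to iframe the marketplace or not. What's your opinion?!
<script type="text/javascript">
  // Assumes the page contains an element with id "antiClickjack"
  // (that element is not shown in this comment).
  if (self === top) {
    // Not framed: remove the antiClickjack element.
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed: navigate the top-level window (placeholder URL).
    top.location = 'Your_Website_URL_Here';
  }
</script>
or
<script type="text/javascript">
  // Disable frame hijacking: if framed, load this page in the top window.
  if (top != self)
    top.location.href = location.href;
</script>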
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
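A check for the header this bug asks to re-enable, as an added example that is not part of the original bug thread or of the Marketplace code: it classifies a response's X-Frame-Options headers and flags missing, conflicting, obsolete or unrecognized values. The names `checkXfo`, `SAMPLES` and `auditSamples` and all sample header sets are constructed for illustration.

```javascript
// Added example: classify the X-Frame-Options headers of one response.
// Input is a list of [name, value] pairs, since a header can be repeated.
function checkXfo(headerPairs) {
  const values = headerPairs
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    // One header line may carry several comma-separated tokens.
    .flatMap(([, value]) => value.split(','))
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);

  if (values.length === 0) {
    return { ok: false, reason: 'missing' };
  }
  const distinct = [...new Set(values)];
  if (distinct.length > 1) {
    // Different values in one response: flag for review instead of guessing
    // which one a given browser will honour.
    return { ok: false, reason: 'conflicting: ' + distinct.join(' vs ') };
  }
  const value = distinct[0];
  if (value === 'sameorigin' || value === 'deny') {
    return { ok: true, reason: value };
  }
  if (value.startsWith('allow-from')) {
    return { ok: false, reason: 'allow-from is obsolete' };
  }
  return { ok: false, reason: 'unrecognized: ' + value };
}

// Constructed sample header sets (not captured from any real server).
const SAMPLES = {
  reEnabled: [['Content-Type', 'text/html'], ['X-Frame-Options', 'SAMEORIGIN']],
  disabled: [['Content-Type', 'text/html']],
  duplicated: [['x-frame-options', 'SAMEORIGIN'], ['X-Frame-Options', 'DENY']],
  obsolete: [['X-Frame-Options', 'ALLOW-FROM https://example.com']],
  typo: [['X-Frame-Options', 'SAME-ORIGIN']],
};

// Run every sample through the check and return { sampleName: result }.
function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, pairs]) => [name, checkXfo(pairs)])
  );
}

console.log(auditSamples());
```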