This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

[HackerOne] about: pages may be clickjacked #4885

Closed
diracdeltas opened this issue Oct 18, 2016 · 6 comments

Comments

@diracdeltas
Member

they should have the frame-ancestors header
reported at https://hackerone.com/reports/175990

@diracdeltas diracdeltas added this to the 0.12.5dev milestone Oct 18, 2016
@diracdeltas diracdeltas self-assigned this Oct 18, 2016
bbondy pushed a commit that referenced this issue Oct 18, 2016
Fix #4885

Auditors: @bbondy

Test Plan:
1. go to http://web.mit.edu/zyan/Public/xframe.html
2. verify that the iframe is empty and there is a CSP error in the console
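
The header the first comment asks for, and the behaviour the test plan checks (an empty iframe plus a CSP error), both come down to how a `Content-Security-Policy: frame-ancestors` value is evaluated against the pages in the frame chain. The checker below is an added example, not Brave's code and not the browser's own implementation; it models the common source forms ('none', 'self', '*', scheme-source and host-source), leaves ports out, and takes the test-plan URL as one of its constructed inputs in the checks:

```javascript
// Added example, not Brave's code: decide whether a CSP frame-ancestors
// directive (the header this issue asks about: pages to send) lets a document
// be framed. Simplified CSP Level 3 matching: 'none', 'self', '*', scheme-source
// ("https:") and host-source ("https://*.example.com"); ports are not modelled.
function frameAncestorsSources(cspHeader) {
  // Source list of the frame-ancestors directive, or null when it is absent
  // (CSP then puts no limit on framing).
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) { // wildcard covers subdomains, not the apex
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}
function sourceMatches(source, ancestor, self) {
  const src = source.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  // 'self' never matches an opaque origin such as an about: page.
  if (src === 'self') return self.origin !== 'null' && ancestor.origin === self.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { // scheme-source; http: also admits https:
    return ancestor.protocol === src || (src === 'http:' && ancestor.protocol === 'https:');
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)$/.exec(src); // host-source
  if (!m) return false; // unsupported source form: fail closed
  const want = m[1] ? m[1] + ':' : self.protocol;
  const schemeOk = ancestor.protocol === want || (want === 'http:' && ancestor.protocol === 'https:');
  return schemeOk && hostMatches(m[2], ancestor.hostname);
}
// True when the document at selfUrl, served with cspHeader, may be embedded
// by a frame whose every ancestor document is one of ancestorUrls.
function framingAllowed(cspHeader, selfUrl, ancestorUrls) {
  const sources = frameAncestorsSources(cspHeader);
  if (sources === null) return true;
  const self = new URL(selfUrl);
  return ancestorUrls.every(u => {
    const ancestor = new URL(u);
    return sources.some(s => sourceMatches(s, ancestor, self));
  });
}
```

Note that an about: page has an opaque origin, so `'self'` alone would not admit any ancestor; `'none'` is the explicit, readable choice for pages that should never be framed.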
@luixxiul
Contributor

luixxiul commented Oct 18, 2016

This fix disables a flash placeholder on y8.com, which was also confirmed by @alexwykoff and @srirambv.

(screenshot: clipboard01)

Please look at the 2nd line there.

@diracdeltas
Member Author

great catch, fixing

@bbondy bbondy modified the milestones: 0.12.6dev, 0.12.5dev Oct 18, 2016
@bbondy
Member

bbondy commented Oct 18, 2016

no easy fix for 0.12.5 so this is being moved to 0.12.6.

@srirambv
Collaborator

Shows preferences page and not blank frame

(screenshot)

@srirambv srirambv reopened this Oct 20, 2016
@diracdeltas
Member Author

@bbondy did this make it into the preview build?

@diracdeltas
Member Author

looks like it didn't, but it should be fixed on master so I'm closing this


5 participants