Identity/Security/Tos-PP in an iframe

From MozillaWiki

< Identity‎ | Security

Revision as of 05:52, 2 May 2013 by Fmarier (talk | contribs) (→‎Possible mitigations: formatting)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Opening Terms of Service and Privacy Policy links in an iframe inside the dialog

See the original discussion on https://groups.google.com/d/topic/mozilla.dev.identity/KWWFBhU0HMY/discussion

Risks

ToS or PP page frame-busting and replacing the dialog with a visually identical phishing page

Mitigations

sandbox attribute on the iframe:
- disables JavaScript, plugins
- IE10+, Safari, Chrome, Firefox
- http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox
- http://caniuse.com/#search=iframe-sandbox
security="restricted" attribute on the iframe
- disables JavaScript, plugins
- IE8+
- http://msdn.microsoft.com/en-us/library/ms534622%28VS.85%29.aspx
- http://msdn.microsoft.com/en-us/library/ms537186%28v=vs.85%29.aspx#high
nothing for Opera?

Background

Cross-Frame Scripting:
- https://owasp.org/index.php/Cross_Frame_Scripting
Cick-jacking and frame busting:
- https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
- http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Retrieved from "https://wiki.mozilla.org/index.php?title=Identity/Security/Tos-PP_in_an_iframe&oldid=651366"