Closed rfk closed 8 years ago
from mtg: @rfk what should we do regarding this bug?
I'll take this for triage into aha or similar
@shane-tomlinson has been working on a plan for this, I'm re-delegating this issue to him for revamping, closing, feature-carding or whatever seems appropriate.
Here's my plan:
?origin=current_origin
service=sync
& origin
is specified. If so, check the passed in origin against a list of allowed origins. If the origin is not a member of the list, some appropriate error is displayed. Stop.iframe-ancestor
CSP directive with the origin.Addendum:
Have firstrun/sync flows open the iframe with a new query parameter, ?origin=current_origin
I'm a bit out of the loop on this, why is this needed, can we just use browser apis to check the origin?
why is this needed
Because the postMessage dance has timing problems.
use browser apis to check the origin?
Which browser APIs? If they are supported on our supported platforms, I'd like to consider it.
IIUC, both x-frame-options
and iframe-ancestor
require you to know the parent iframe's origin up-front, hence the little dance with ?origin=current_origin
.
I'm not aware of a js api for directly checking the parent frame's origin.
Also, I like this plan, especially this part:
Let the browser deal with problems from there.
\o/
@shane-tomlinson revisiting this bug, is firstrun the only iframe source now? Should we just check for that and decline everything else?
@shane-tomlinson revisiting this bug, is firstrun the only iframe source now? Should we just check for that and decline everything else?
Yup - that's what we currently do. This bug has morphed into something slightly different - replace the postMessage dance w/ x-frame-options ALLOW-FROM
and iframe-ancestor
CSP declarations. I should update the title...tomorrow.
I just thought I would include this bug since I think it is related to this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1262892
They posted a comment on it today and sent me a message to see if and when we could prioritize this. Let's discuss this issue in our next planning.
In discussion with @shane-tomlinson he described a number of scenarios by which a malicious site could embed FxA in an iframe for phising or similar purposes. Unfortunately we can't blanketly deny iframing because we need it for some reliers, but we should try to be as restrictive about it as possible.
Consider this a meta-bug for "allow less iframability"; @shane-tomlinson can you please fill in concrete suggestions for things we should tighten up when you get a chance?