Identity/Security/Tos-PP in an iframe

From MozillaWiki

< Identity‎ | Security

Jump to: navigation, search

Contents

1 Opening Terms of Service and Privacy Policy links in an iframe inside the dialog

Opening Terms of Service and Privacy Policy links in an iframe inside the dialog

See the original discussion on https://groups.google.com/d/topic/mozilla.dev.identity/KWWFBhU0HMY/discussion

Risks

ToS or PP page frame-busting and replacing the dialog with a visually identical phishing page

Mitigations

sandbox attribute on the iframe:
- disables JavaScript, plugins
- IE10+, Safari, Chrome, Firefox
- http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox
- http://caniuse.com/#search=iframe-sandbox
security="restricted" attribute on the iframe
- disables JavaScript, plugins
- IE8+
- http://msdn.microsoft.com/en-us/library/ms534622%28VS.85%29.aspx
- http://msdn.microsoft.com/en-us/library/ms537186%28v=vs.85%29.aspx#high
nothing for Opera?

Background

Cross-Frame Scripting:
- https://owasp.org/index.php/Cross_Frame_Scripting
Cick-jacking and frame busting:
- https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
- http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Retrieved from "https://wiki.mozilla.org/index.php?title=Identity/Security/Tos-PP_in_an_iframe&oldid=651366"