[tahoe-lafs-trac-stream] [tahoe-lafs] #1455: WUI: ambiently accessible pages should framebust in order to prevent UI redressing attacks
tahoe-lafs
trac at tahoe-lafs.org
Sat Jul 30 16:33:18 PDT 2011
#1455: WUI: ambiently accessible pages should framebust in order to prevent UI
redressing attacks
---------------------------------------------+---------------------------
 Reporter:  davidsarah                       |       Owner:
     Type:  defect                           |      Status:  new
 Priority:  minor                            |   Milestone:  undecided
Component:  code-frontend-web                |     Version:  1.8.2
 Keywords:  security ambient wui redressing  |   Launchpad Bug:
---------------------------------------------+---------------------------
If an ambiently accessible WUI page (one that does not require a
capability to access, such as the Welcome page) is loaded in a frame or
iframe, the loading frame might be able to perform some UI redressing or
clickjacking attacks.

For example, the loading frame could entice the user to click the "Create
a directory" button, when it should not have the authority to create a
directory on that grid.

This is not a very strong attack. In any case, it can be prevented by
including some framebusting code on ambiently accessible WUI pages (or all
WUI pages).
--
Ticket URL: <http://tahoe-lafs.org/trac/tahoe-lafs/ticket/1455>
tahoe-lafs <http://tahoe-lafs.org>
secure decentralized storage
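
One way the framebusting proposed in the ticket could look, as an added example that is not part of the ticket or of Tahoe-LAFS's own code. The names `isFramed`, `frameBust` and `makeWindow`, the example URLs, and the assumption that the page is served hidden by default are all hypothetical.

```javascript
// Returns true when the page is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true; // cannot tell: fail closed and treat as framed
  }
}

// Reveal the page only when it is top-level. When framed, keep it hidden and
// try to replace the framing page with this one.
// Assumes the page ships with <html style="display:none"> so that it stays
// unclickable if this script is blocked or never runs.
function frameBust(win) {
  const root = win.document.documentElement;
  if (!isFramed(win)) {
    root.style.display = "block";
    return "shown";
  }
  root.style.display = "none";
  try {
    win.top.location = win.self.location.href;
    return "busted";
  } catch (e) {
    return "hidden"; // top navigation refused (e.g. sandboxed frame)
  }
}

// Constructed window-like object for running outside a browser.
function makeWindow(framed, navAllowed) {
  const win = {
    document: { documentElement: { style: { display: "none" } } },
    location: { href: "http://wui.example/" }, // placeholder URL
  };
  win.self = win;
  win.top = win;
  if (framed) {
    let href = "http://framer.example/";
    win.top = {
      get location() { return href; },
      set location(v) { if (!navAllowed) throw new Error("blocked"); href = v; },
    };
  }
  return win;
}

if (typeof window !== "undefined") frameBust(window);
```

Script-only framebusting depends on the script running in the framed page; the hidden-by-default markup is what keeps the "Create a directory" button unclickable when it does not.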