Opened at 2011-07-30T23:33:18Z
Last modified at 2018-05-28T12:20:00Z
#1455 closed defect
WUI: ambiently accessible pages should framebust in order to prevent UI redressing attacks — at Initial Version
Reported by: | davidsarah | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | 1.13.0 |
Component: | code-frontend-web | Version: | 1.8.2 |
Keywords: | security ambient wui redressing review-needed | Cc: | |
Launchpad Bug: |
Description
If an ambiently accessible WUI page (one that does not require a capability to access, such as the Welcome page) is loaded in a frame or iframe, the loading frame might be able to perform some UI redressing or clickjacking attacks.
For example, the loading frame could entice the user to click the "Create a directory" button, when it should not have the authority to create a directory on that grid.
This is not a very strong attack. In any case, it can be prevented by including some framebusting code on ambiently accessible WUI pages (or all WUI pages).
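The kind of framebusting code the description refers to, as an added example that is not from the ticket or from the Tahoe-LAFS code base: the page is hidden until the script confirms it is the top-level document, so it stays non-interactive even when the attempt to break out of the frame is blocked. The name `frameGuard` and its return labels are hypothetical; `win` and `doc` stand for the browser's `window` and `document`.

```javascript
// Added example (assumption: loaded from a <script> in <head>, so it runs
// before the body is rendered).
function frameGuard(win, doc) {
  const root = doc.documentElement;

  // Fail closed: nothing is visible or clickable until the check passes.
  root.style.visibility = 'hidden';

  let framed;
  try {
    // In a top-level document, window.top is the window itself.
    framed = win.top !== win.self;
  } catch (e) {
    // Any access error is treated as "framed".
    framed = true;
  }

  if (!framed) {
    root.style.visibility = 'visible';
    return 'top-level';
  }

  try {
    // Ask the browser to replace the framing page with this page.
    win.top.location = win.self.location.href;
  } catch (e) {
    // The browser may refuse the navigation (for example in a sandboxed
    // frame). The page was never un-hidden, so there is no button to click.
    return 'framed-blocked';
  }
  return 'framed-navigating';
}

// Run automatically in a browser; do nothing when loaded outside one.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  frameGuard(window, document);
}
```
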