Security: X-Frame-Options checking only the top-most frame
Reported by michael....@gmail.com, Jan 29 2017
Issue description

VULNERABILITY DETAILS
X-Frame-Options is blocking content only by checking the top-most frame. So if an attacker is able to host an iframe on the main domain (of another domain) containing an iframe of the original domain, it can be used for clickjacking attacks bypassing the X-Frame-Options protection.

VERSION
Chrome Version: Chrome/55.0.2883.87 - Stable
Operating System: Windows 10

REPRODUCTION CASE
See Dropbox for an example. When uploading HTML files to Dropbox, they are uploaded to https://dl.dropboxusercontent.com, but there is also a preview of these files on the dropbox.com main domain. All of the "dropbox.com" pages return an X-Frame-Options value of SAMEORIGIN. But if an attacker uploads a file which contains an iframe of the main domain, it is framed in the preview window - bypassing the X-Frame-Options protection. As a PoC you can see the following file: https://www.dropbox.com/s/pyz587e1s9himfm/test.html?dl=0 - you can see that the topmost frame is dropbox.com, it contains a frame of https://dl.dropboxusercontent.com which in turn contains a frame of dropbox.com - and it shows this frame despite the header.
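The following model, added here and not part of the report or of Chromium, evaluates an `X-Frame-Options` value against the chain of ancestor origins two ways: consulting only the top-level frame (the behaviour the report describes) and walking every ancestor (how CSP `frame-ancestors` is evaluated). The origins and the nesting are constructed to mirror the report; `evaluateXfo` and `checkAllAncestors` are names chosen for this example.

```javascript
// Added example: model of X-Frame-Options evaluation over an ancestor chain.
// Not Chromium code; a simplified policy check for illustration.

// Origin of the document that sent the X-Frame-Options header.
const PROTECTED_ORIGIN = "https://www.dropbox.com";

// Constructed ancestor chain, top-level document first, ending with the
// direct parent of the protected frame. Mirrors the report's nesting:
//   dropbox.com -> dl.dropboxusercontent.com -> (protected dropbox.com page)
const NESTED_CHAIN = [
  "https://www.dropbox.com",
  "https://dl.dropboxusercontent.com",
];

// Constructed case where an unrelated site frames the page directly.
const CROSS_SITE_CHAIN = ["https://attacker.example"];

function sameOrigin(a, b) {
  // URL.origin normalises scheme, host and port for the comparison.
  return new URL(a).origin === new URL(b).origin;
}

// Returns true when the protected document may be rendered inside the frame
// tree described by `ancestors` (empty array = not framed at all).
// checkAllAncestors=false reproduces the top-only behaviour the report
// describes; checkAllAncestors=true checks every frame in the chain, which is
// what closes the nested-frame gap.
function evaluateXfo(headerValue, protectedOrigin, ancestors, { checkAllAncestors }) {
  if (ancestors.length === 0) return true; // header only matters when framed

  const value = headerValue.trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") {
    const checked = checkAllAncestors ? ancestors : ancestors.slice(0, 1);
    return checked.every((a) => sameOrigin(protectedOrigin, a));
  }
  // Unrecognised value: this model treats it as no policy. Real browsers
  // also ignore invalid values but may log a console error.
  return true;
}

// Side-by-side result for the report's nesting.
function compareNestedCase() {
  return {
    topOnly: evaluateXfo("SAMEORIGIN", PROTECTED_ORIGIN, NESTED_CHAIN, { checkAllAncestors: false }),
    allAncestors: evaluateXfo("SAMEORIGIN", PROTECTED_ORIGIN, NESTED_CHAIN, { checkAllAncestors: true }),
  };
}

console.log(compareNestedCase()); // { topOnly: true, allAncestors: false }
```

The `topOnly: true` result is the bypass in the report: the top frame is same-origin, so the intermediate `dl.dropboxusercontent.com` frame is never examined.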
Jan 29 2017
Thanks for the report. It looks like this has been discussed (and a fix attempted but then reverted) before.
Jul 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jan 29 2017
Components: Blink>SecurityFeature
Labels: Security_Severity-Medium Security_Impact-Stable OS-Windows
Owner: est...@chromium.org
Status: Assigned (was: Unconfirmed)