
Issue 720221


Issue metadata

Status: WontFix
Owner: ----
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Secured website is framable from http

Reported by s.h.h.n....@gmail.com, May 10 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36

Steps to reproduce the problem:
1. Go to http://vuln.shhnjk.com/iframer.php?url=https://bing.com
2. https://bing.com is displayed inside website served over http

What is the expected behavior?
Should be blocked with mixed content warning

What went wrong?
Regression?

Did this work before? N/A 

Chrome version: 58.0.3029.96  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
 
Sorry, this was a stupid report. I guess I need some sleep :(
Status: WontFix (was: Unconfirmed)
Indeed, an HTTPS website is framable by any HTTP site unless it uses Content-Security-Policy's FrameAncestors directive or X-Frame-Options to prohibit such framing.

The opposite (framing of a HTTP website by a HTTPS page) is blocked as Active Mixed Content.
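The framing rules stated in the comment above, as an added example that is not part of the bug report or of Chromium's code: a small policy checker that decides whether an embedder page may frame a response, given the response headers. Function names, the simplified CSP source matching (scheme, host and `*.` wildcard only, ports ignored) and the example domains are assumptions made for this illustration.

```python
def origin_of(url):
    """Return (scheme, host) of a URL; ports are ignored in this simplified model."""
    scheme, _, rest = url.lower().partition("://")
    return scheme, rest.split("/", 1)[0].split(":", 1)[0]


def source_matches(src, embedder_url, framed_url):
    """Simplified CSP source matching for frame-ancestors: handles 'none',
    'self', scheme sources ('https:') and host sources with an optional
    scheme and an optional leading '*.' wildcard (assumed subset of the spec)."""
    src = src.strip("'").lower()
    e_scheme, e_host = origin_of(embedder_url)
    if src == "none":
        return False
    if src == "self":
        return origin_of(embedder_url) == origin_of(framed_url)
    if src.endswith(":"):                        # scheme-source, e.g. https:
        return e_scheme == src[:-1]
    s_scheme, s_host = origin_of(src if "://" in src else "any://" + src)
    if s_scheme != "any" and s_scheme != e_scheme:
        return False
    if s_host.startswith("*."):
        return e_host.endswith(s_host[1:])
    return e_host == s_host


def framing_allowed(framed_url, embedder_url, headers):
    """Decide whether embedder_url may place framed_url in an <iframe>.
    Rules modelled: (1) an HTTPS embedder may not frame HTTP content (active
    mixed content); (2) frame-ancestors, when present, is authoritative and
    X-Frame-Options is ignored; (3) otherwise X-Frame-Options DENY/SAMEORIGIN
    applies; (4) with neither header the response is framable from any origin,
    plain HTTP included, which is the behaviour the report observed."""
    hdr = {k.lower(): v for k, v in headers.items()}
    if origin_of(embedder_url)[0] == "https" and origin_of(framed_url)[0] == "http":
        return False, "blocked as active mixed content"
    for directive in hdr.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            ok = any(source_matches(s, embedder_url, framed_url) for s in value.split())
            return ok, "frame-ancestors " + ("permits" if ok else "denies")
    xfo = hdr.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return origin_of(embedder_url) == origin_of(framed_url), "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction: framable from any origin, HTTP included"
```

The second element of the returned tuple names the rule that decided, which is useful when auditing a site's headers for missing framing protection.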

Comment 3 by sheriffbot@chromium.org, Aug 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
