Security: Clickjacking on any website (ignoring x-frame-options)
Reported by qie...@gmail.com, Jun 15 2018
Issue description

VULNERABILITY DETAILS
Hello, I noticed that in the latest update google chrome ignores x-frame-options: origin (or deny), you can load any site in the frame. Firefox at this time reacts as needed (screenshot).

Steps to play:
1. Click the link https://securityz.net/cj.html.
2. Enter any site with x-frame-options, for example google.com (I remember, before google bug bounty paid $ 5000 for clickjacking google.com).

Impact: Clickjacking on any site.

VERSION
Chrome Version: 67.0.3396.87 (latest)
Operating System: OS Windows

PoC video: https://youtu.be/ORnNLpE0TZQ
Jun 15 2018
This doesn't reproduce for me in 67.0.3396.87 or Canary. Do you have any particular flags enabled? CCing alexmos@ and arthursonzogni@, as I'm already OOO and away from a computer for the evening, just in case this reproduces for them.
Jun 15 2018
I also cannot repro with 67.0.3396.87 (Official Build) (64-bit) (cohort: Stable) running with --disable-extensions in a new profile. I get: Refused to display 'https://www.google.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'. OP: can you paste your chrome://version "variations" line? It should be a long list of hex numbers.
Jun 15 2018
No repro for me either (I checked Stable, Canary, and ToT). OP: does it still repro if you start Chrome with --disable-extensions?
Jun 15 2018
Thanks for everyone testing this. I'll close this as unreproducible next week, if no further details come in.
Jun 15 2018
Hmm, I just checked it in incognito mode (no extensions) and the bug did not work https://youtu.be/9XTjarhb4UI . I think this ignoring of x-frame-options is due to some kind of extension, I'll try to find it tomorrow.
Jun 15 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 15 2018
Okay, thanks for the update. That seems like quite a bad thing for an extension to do, I'd be interested which one is causing it, but it sounds like this can be closed WontFix. I'll keep an eye on the bug though if you have further updates.
Jun 15 2018
Interesting that https://gmail.com can't load because of CSP errors
Jun 15 2018
okay.
Jun 18 2018
The NextAction date has arrived: 2018-06-18
Sep 22
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by wfh@chromium.org, Jun 15 2018
Components: Blink>SecurityFeature>XFrameOptions Blink>SecurityFeature
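
The thread above shows Chrome refusing to frame google.com because of 'X-Frame-Options' set to 'sameorigin', and one comment notes that gmail.com still failed to load because of CSP errors. The JavaScript below is an added example, not part of the original issue or of Chromium's code: it models how the two anti-framing headers combine and reports which single header a page's protection depends on. The origins, header values and function names are constructed for illustration, and modelling the suspected extension as something that removes one header before the browser enforces it is an assumption.

```javascript
// Added example. Header sets are constructed, not captured from real sites.
// Simplifications: one ancestor, frame-ancestors sources matched only as
// '*', 'self', 'none' or an exact origin (no wildcard or scheme sources).

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// May `embedder` frame a page from `pageOrigin` that sent `headers`?
// `headers` uses lower-case names. Returns true when framing is allowed.
function framingAllowed(headers, pageOrigin, embedder) {
  const same = pageOrigin.toLowerCase() === embedder.toLowerCase();
  const fa = frameAncestors(headers["content-security-policy"]);
  if (fa !== null) {
    // frame-ancestors, when present, is enforced in place of X-Frame-Options.
    return fa.some((s) => s === "*" || (s.toLowerCase() === "'self'" && same) ||
      s.toLowerCase() === embedder.toLowerCase());
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return same;
  return true; // no recognised anti-framing header
}

// Headers whose loss alone (assumed here: removed on the client before the
// browser enforces them) would turn a blocked page into a frameable one.
function singlePointsOfFailure(headers, pageOrigin, embedder) {
  if (framingAllowed(headers, pageOrigin, embedder)) return [];
  return ["x-frame-options", "content-security-policy"].filter((name) => {
    const { [name]: _dropped, ...rest } = headers;
    return framingAllowed(rest, pageOrigin, embedder);
  });
}

const XFO_ONLY = { "x-frame-options": "SAMEORIGIN" };
const BOTH = {
  "x-frame-options": "SAMEORIGIN",
  "content-security-policy": "default-src 'self'; frame-ancestors 'self'",
};
const PAGE = "https://site.example", EMBEDDER = "https://embedder.example";

console.log(singlePointsOfFailure(XFO_ONLY, PAGE, EMBEDDER));
console.log(singlePointsOfFailure(BOTH, PAGE, EMBEDDER));
```

A page that sends both headers has no single point of failure in this model, which is the defence-in-depth reason to deploy `frame-ancestors` alongside `X-Frame-Options`.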