Security, XSS attack with iframe bypassing weak same-origin-policy #3

fix · 2016-03-16T12:39:52Z

If in your dapp index.html you include this single frame

<iframe name="attackit" src="/"></iframe>

The dapp has access to the main dashboard using for instance:

$('[ui-sref="main.contacts"]', frames['attackit'].document)

And basically script whatever action in the LISK dashboard...

It is possible to prevent this by using a combination of those ideas:
http://stackoverflow.com/questions/2896623/how-to-prevent-my-site-page-to-be-loaded-via-3rd-party-site-frame-of-iframe

Denying <frame>, <iframe>, <object>, <embed> or <applet>.

Master

karmacoma self-assigned this Mar 16, 2016

karmacoma added this to the Mainnet Launch milestone Mar 16, 2016

karmacoma added the security label Mar 16, 2016

karmacoma closed this as completed in c8bcf80 Apr 5, 2016

karmacoma pushed a commit that referenced this issue Apr 10, 2016

Fixes #3. Setting X-Frame-Options/CSP headers.

b3d3d7a

Denying <frame>, <iframe>, <object>, <embed> or <applet>.

Isabello pushed a commit that referenced this issue May 2, 2017

Merge pull request #3 from LiskHQ/master

56ffce8

Master

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security, XSS attack with iframe bypassing weak same-origin-policy #3

Security, XSS attack with iframe bypassing weak same-origin-policy #3

fix commented Mar 16, 2016

Security, XSS attack with iframe bypassing weak same-origin-policy #3

Security, XSS attack with iframe bypassing weak same-origin-policy #3

Comments

fix commented Mar 16, 2016