Bug#602886: iceweasel: Add backported support for X-FRAME-OPTIONS header for clickjacking mitigation

Thomas R. 32768@typespark.net
Tue Nov 9 05:33:09 UTC 2010


Package: iceweasel
Version: 3.5.15-1
Severity: wishlist


Firefox 3.6.9 and above includes support for the X-FRAME-OPTIONS HTTP header,
which allows website authors to prevent their site from being the victim of
clickjacking (UI redressing) attacks.

This is a wishlist item but effectively also has an effect on security for
users with a logged-in session at certain websites.  I have no idea if it would
be easy to patch this for Iceweasel 3.5.x or not - upstream 3.6.9 specifically
introduces no new UI or error messages, just shows about:blank when framing is
not authorised.

This page offers a way of testing if your browser supports the feature:
http://www.enhanceie.com/test/clickjack/

Cheers



-- Package-specific info:

-- Extensions information
Name: CheckPlaces
Location: ${PROFILE_EXTENSIONS}/checkplaces@andyhalford.com
Status: user-disabled

Name: Default
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: DownloadHelper
Location: ${PROFILE_EXTENSIONS}/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Status: enabled

Name: Firebug
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/firebug@software.joehewitt.com
Package: xul-ext-firebug
Status: enabled

Name: Firefox Sync
Location: /usr/lib/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{340c2bbc-ce74-4362-90b5-7c26312808ef}
Package: xul-ext-sync
Status: enabled

Name: Force-TLS
Location: ${PROFILE_EXTENSIONS}/forcetls@sid.stamm
Status: enabled

Name: Html Validator
Location: ${PROFILE_EXTENSIONS}/{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
Status: enabled

Name: Personas
Location: ${PROFILE_EXTENSIONS}/personas@christopher.beard
Status: enabled

-- Plugins information
Name: DivX® Web Player
Location: /usr/lib/mozilla/plugins/libtotem-mully-plugin.so
Package: totem-mozilla
Status: enabled

Name: Java(TM) Plug-in 1.6.0_22
Location: /usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/amd64/libnpjp2.so
Package: sun-java6-bin
Status: enabled

Name: QuickTime Plug-in 7.6.6
Location: /usr/lib/mozilla/plugins/libtotem-narrowspace-plugin.so
Package: totem-mozilla
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled

Name: VLC Multimedia Plugin (compatible Totem 2.30.2)
Location: /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
Package: totem-mozilla
Status: enabled

Name: Windows Media Player Plug-in 10 (compatible; Totem)
Location: /usr/lib/mozilla/plugins/libtotem-gmp-plugin.so
Package: totem-mozilla
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled


-- Addons package information
ii  iceweasel      3.5.15-1       Web browser based on Firefox
ii  rhythmbox-plug 0.12.8-2       plugins for rhythmbox music player
ii  sun-java6-bin  6.22-1         Sun Java(TM) Runtime Environment (JRE) 6 (ar
ii  totem-mozilla  2.30.2-5       Totem Mozilla plugin
ii  xul-ext-firebu 1.5.4-1        web development plugin for Iceweasel/Firefox
ii  xul-ext-sync   1.4.3-1        extension to sync bookmarks, passwords and o

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils                   3.4        Miscellaneous utilities specific t
ii  fontconfig                    2.8.0-2.1  generic font configuration library
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  libglib2.0-0                  2.24.2-1   The GLib library of C routines
ii  libgtk2.0-0                   2.20.1-2   The GTK+ graphical user interface 
ii  libnspr4-0d                   4.8.6-1    NetScape Portable Runtime Library
ii  libstdc++6                    4.4.5-4    The GNU Standard C++ Library v3
ii  procps                        1:3.2.8-9  /proc file system utilities
ii  xulrunner-1.9.1               1.9.1.15-1 XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  latex-xft-fonts             1.6.7-1      TrueType versions of some TeX font
ii  libgssapi-krb5-2            1.8.3+dfsg-2 MIT Kerberos runtime libraries - k
ii  libkrb53                    1.8.3+dfsg-2 transitional package for MIT Kerbe
pn  mozplugger                  <none>       (no description available)
ii  ttf-lyx                     1.6.7-1      TrueType versions of some TeX font
pn  ttf-mathematica4.1          <none>       (no description available)
ii  xfonts-mathml               4            Type1 Symbol font for MathML
pn  xprint                      <none>       (no description available)

Versions of packages xulrunner-1.9.1 depends on:
ii  libasound2              1.0.23-2.1       shared library for ALSA applicatio
ii  libatk1.0-0             1.30.0-1         The ATK accessibility toolkit
ii  libbz2-1.0              1.0.5-6          high-quality block-sorting file co
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcairo2               1.8.10-6         The Cairo 2D vector graphics libra
ii  libdbus-1-3             1.2.24-3         simple interprocess messaging syst
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libfreetype6            2.4.2-1          FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.4.5-4        GCC support library
ii  libglib2.0-0            2.24.2-1         The GLib library of C routines
ii  libgtk2.0-0             2.20.1-2         The GTK+ graphical user interface 
ii  libhunspell-1.2-0       1.2.11-1         spell checker and morphological an
ii  libjpeg62               6b1-1            The Independent JPEG Group's JPEG 
ii  libmozjs2d              1.9.1.15-1       The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d             4.8.6-1          NetScape Portable Runtime Library
ii  libnss3-1d              3.12.8-1         Network Security Service libraries
ii  libpango1.0-0           1.28.3-1         Layout and rendering of internatio
ii  libpng12-0              1.2.44-1         PNG library - runtime
ii  libreadline6            6.1-3            GNU readline and history libraries
ii  libsqlite3-0            3.7.3-1          SQLite 3 shared library
ii  libstartup-notification 0.10-1           library for program launch feedbac
ii  libstdc++6              4.4.5-4          The GNU Standard C++ Library v3
ii  libx11-6                2:1.3.3-3        X11 client-side library
ii  libxrender1             1:0.9.6-1        X Rendering Extension client libra
ii  libxt6                  1:1.0.7-1        X11 toolkit intrinsics library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

-- no debconf information
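Added example, not part of the bug report or of Iceweasel's own code: a small Python model of the browser-side check the report describes, where a framed response carrying X-FRAME-OPTIONS: DENY or SAMEORIGIN is replaced by about:blank when the framing page is not authorised. The function names and sample origins are constructed for this example; treating an unrecognised header value as if the header were absent is an assumption.

```python
from urllib.parse import urlsplit

# Origin as browsers compare it for SAMEORIGIN: scheme, host and port.
def origin(url):
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, p.port or default_port)

def framing_allowed(headers, frame_url, top_url=None):
    """Decide whether the response for frame_url may be rendered inside a
    page at top_url.  top_url=None means the document is the top-level page
    and is not framed at all.  Returns (allowed, reason); a False result is
    where the browser shows about:blank instead of the page."""
    if top_url is None:
        return True, "top-level document; header not consulted"

    # Header names are case-insensitive in HTTP, as is the directive value.
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip().upper()

    if value is None:
        return True, "no X-FRAME-OPTIONS header; site can be framed by anyone"
    if value == "DENY":
        return False, "DENY: framing refused, about:blank rendered"
    if value == "SAMEORIGIN":
        if origin(frame_url) == origin(top_url):
            return True, "SAMEORIGIN: framer has the same origin"
        return False, "SAMEORIGIN: cross-origin framer, about:blank rendered"
    # Assumption for this model: an unknown directive gives no protection.
    return True, "unrecognised value %r treated as absent" % value

# Constructed sample: a logged-in site framed by an unrelated page.
BANK = "https://bank.example/account"
ATTACKER_PAGE = "https://other.example/"

if __name__ == "__main__":
    for hdrs in ({}, {"X-Frame-Options": "deny"}, {"X-Frame-Options": "SAMEORIGIN"}):
        print(hdrs, "->", framing_allowed(hdrs, BANK, ATTACKER_PAGE))
```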