hackmdio/codimd

<iframe> tag cause open redirect

Open

#959 opened on Sep 18, 2018

View on GitHub
 (2 comments) (0 reactions) (0 assignees)JavaScript (8,949 stars) (1,038 forks)batch import
Hacktoberfesthelp wantedsecurity

Description

If the source website has the script like this:

<script type="text/javascript">
if(window != top) {
    top.location.href = location.href;
}
</script>

It may cause a open redirect issue on codimd. I use www.plurk.com which has anti-clickjacking code to demo.

Demo Link in demo.codimd.org

<iframe src="https://www.plurk.com/k1tten_">

Broswer verison:

Safari 11.0.2: triggered
Firefox Quantum 62.0 : triggered
Chrome 68.0.3440.106: not triggered

Contributor guide

Tech stack
javascripthtmlcss
Domain
securityfrontend
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
under 1 hour
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Content Security PolicyHTTP headers
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate where HTTP headers are set in the server code (likely in app.js or server.js). Add a Content Security Policy header with the 'frame ancestors' directive set to 'none' or 'self' to prevent embedding. Also consider adding an X Frame Options header set to 'DENY' for broader browser support. Test the fix by embedding the page in an iframe and verifying no redirect occurs.
<iframe> tag cause open redirect · hackmdio/codimd#959 | Good First Issue