Opened 15 years ago
Closed 13 years ago
#12293 closed defect (bug) (fixed)
Frame Busting in the Admin
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.1 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
We discussed this before when Twitter was suffering from the iframe clickjacking attacks. Such attacks are harder and less tempting to do on individual WP sites than on big sites like Twitter and wp.com. They are still possible though, so we should consider integrating frame busting. The problem is that frame busting does break some plugins. Plugins would need an API to turn off frame busting for their pages and would have to update to use that API.
Attachments (2)
Change History (19)
#3 @ 15 years ago
We have to turn it off for our uploader too. Maybe someone knows a way of adding secure exceptions.
#5 @ 15 years ago
That's the classic technique. Maybe one of the billion new flavors of frame busting would smoothly handle plugins and the uploader.
#7 @ 15 years ago
Food for thought: I use this on all of my websites. I can tell you from experience that almost every search engine except for Google is incompatible with frame busting. It's even money that any particular search engine will either block the site entirely, or will cover the search results with a message that says, "clicking here will cause you to leave the search engine (whine) please open the link in a new window."
Of course, I ignore all of them because everyone uses Google anyway. :P
#11 @ 15 years ago
To address the uploader and any plugins with iframes, how about we not frame bust if there's a valid nonce in the query string?
If a plugin turned it off for a few pages, wouldn't those pages be vulnerable to clickjacking?