Make WordPress Core

Opened 14 years ago

Closed 12 years ago

#12293 closed defect (bug) (fixed)

Frame Busting in the Admin

Reported by: ryan's profile ryan Owned by: ryan's profile ryan
Milestone: 3.1 Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description (last modified by ryan)

We discussed this before when Twitter was suffering from the iframe clickjacking attacks. Such attacks are harder and less tempting to do on individual WP sites than on big sites like Twitter and They are still possible though, so we should consider integrating frame busting. The problem is that frame busting does break some plugins. Plugins would need API to turn of frame busting for their pages and would have to update to use that API.

Attachments (2)

frame-breakout.php (436 bytes) - added by ryan 14 years ago.
12293.diff (2.1 KB) - added by ryan 13 years ago.

Download all attachments as: .zip

Change History (19)

#1 @ryan
14 years ago

  • Description modified (diff)

#2 @matt
14 years ago

If a plugin turned it off for a few pages, wouldn't those pages be vulnerable to clickjacking?

#3 @ryan
14 years ago

We have to turn if off for our uploader too. Maybe someone knows a way of adding secure exceptions.

14 years ago

#4 @ryan
14 years ago

Simple example that adds an exception for the upload iframe.

#5 @ryan
14 years ago

That's the classic technique. Maybe one of the billion new flavors of frame busting would smoothly handle plugins and the uploader.

#6 @ryan
14 years ago

Maybe start sending X-FRAME-OPTIONS

#7 @miqrogroove
14 years ago

Food for thought: I use this on all of my websites. I can tell you from experience that almost every search engine except for Google is incompatible with frame busting. It's even money that any particular search engine will either block the site entirely, or will cover the search results with a message that says, "clicking here will cause you to leave the search engine (whine) please open the link in a new window."

Of course, I ignore all of them because everyone uses Google anyway. :P

#8 @ryan
14 years ago

This is only for the admin, so I think we're good.

#9 @miqrogroove
14 years ago

oh.. aah. Excellent, then.

#10 @miqrogroove
14 years ago

Hopefully wp-login too.

#11 @mdawaffe
14 years ago

To address the uploader and any plugins with iframes, how about we not frame bust if there's a valid nonce in the query string?

#12 @nacin
14 years ago

  • Keywords early added
  • Milestone changed from 3.0 to 3.1

#13 @nacin
14 years ago

  • Keywords 3.2-early added; early removed
  • Milestone changed from Awaiting Triage to Future Release

With IFRAME_REQUEST this could be done easier. Also mda's comment about valid nonce checks.

#14 @markjaquith
13 years ago

The big three browsers now support this. Let's hit this in 3.2.

13 years ago

#15 @ryan
13 years ago

In [17826]:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

#16 @ryan
13 years ago

In [18013]:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

#17 @ryan
12 years ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 3.1
  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.