
Opened 4 years ago

Closed 2 years ago

#12293 closed defect (bug) (fixed)

Frame Busting in the Admin

Reported by: ryan
Owned by: ryan
Milestone: 3.1
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description (last modified by ryan)

We discussed this before when Twitter was suffering from the iframe clickjacking attacks. Such attacks are harder and less tempting to do on individual WP sites than on big sites like Twitter and wp.com. They are still possible though, so we should consider integrating frame busting. The problem is that frame busting does break some plugins. Plugins would need an API to turn off frame busting for their pages and would have to update to use that API.

Attachments (2)

frame-breakout.php (436 bytes) - added by ryan 4 years ago.
12293.diff (2.1 KB) - added by ryan 3 years ago.


Change History (19)

comment:1 ryan 4 years ago

  • Description modified (diff)

comment:2 matt 4 years ago

If a plugin turned it off for a few pages, wouldn't those pages be vulnerable to clickjacking?

comment:3 ryan 4 years ago

We have to turn it off for our uploader too. Maybe someone knows a way of adding secure exceptions.

ryan 4 years ago

comment:4 ryan 4 years ago

Simple example that adds an exception for the upload iframe.

comment:5 ryan 4 years ago

That's the classic technique. Maybe one of the billion new flavors of frame busting would smoothly handle plugins and the uploader.

comment:6 ryan 4 years ago

Maybe start sending X-FRAME-OPTIONS

comment:7 miqrogroove 4 years ago

Food for thought: I use this on all of my websites. I can tell you from experience that almost every search engine except for Google is incompatible with frame busting. It's even money that any particular search engine will either block the site entirely, or will cover the search results with a message that says, "clicking here will cause you to leave the search engine (whine) please open the link in a new window."

Of course, I ignore all of them because everyone uses Google anyway. :P

comment:8 ryan 4 years ago

This is only for the admin, so I think we're good.

comment:9 miqrogroove 4 years ago

oh.. aah. Excellent, then.

comment:10 miqrogroove 4 years ago

Hopefully wp-login too.

comment:11 mdawaffe 4 years ago

To address the uploader and any plugins with iframes, how about we not frame bust if there's a valid nonce in the query string?

comment:12 nacin 4 years ago

  • Keywords early added
  • Milestone changed from 3.0 to 3.1

comment:13 nacin 3 years ago

  • Keywords 3.2-early added; early removed
  • Milestone changed from Awaiting Triage to Future Release

With IFRAME_REQUEST this could be done easier. Also mda's comment about valid nonce checks.

comment:14 markjaquith 3 years ago

The big three browsers now support this. Let's hit this in 3.2.

ryan 3 years ago

comment:15 ryan 3 years ago

In [17826]:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

comment:16 ryan 3 years ago

In [18013]:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293
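The approach the ticket settles on in comments 15 and 16 (a response header on admin and login pages rather than JavaScript frame busting) is worth seeing as a decision function, because it also answers the exception problem raised in comments 2, 3 and 11: `SAMEORIGIN` already allows a page to be framed by pages of the same origin, so the upload iframe (an `IFRAME_REQUEST` from wp-admin itself) keeps working with no nonce-based opt-out. The following is an added example, not WordPress core code and not the ticket's attachment; the function names, the `$context` array and the `plugin_override` key are assumptions made for the illustration.

```php
<?php
// Added example (not WordPress core and not the ticket's attachment).
// Models the header-based fix the ticket landed on: every admin and login
// response carries X-Frame-Options: SAMEORIGIN, with no per-page exception
// list. All function names and the shape of $context are assumptions.

/**
 * Work out which X-Frame-Options value a response should carry.
 *
 * $context (assumed shape):
 *   'is_admin'        bool    request is under wp-admin
 *   'is_login'        bool    request is wp-login.php
 *   'is_iframe'       bool    request was made with IFRAME_REQUEST (e.g. the uploader)
 *   'plugin_override' ?string value a plugin asked for, or null for the default
 */
function example_frame_options_for(array $context): ?string
{
    // The ticket scopes the change to the admin and login only, so the
    // public site (and any search engine that frames it) is untouched.
    if (empty($context['is_admin']) && empty($context['is_login'])) {
        return null;
    }

    // A plugin may only tighten the policy: DENY is stricter than SAMEORIGIN.
    // Letting a plugin drop the header would reopen clickjacking on that page
    // (the concern in comment 2), so any other requested value is ignored.
    if (($context['plugin_override'] ?? null) === 'DENY') {
        return 'DENY';
    }

    // SAMEORIGIN lets wp-admin frame its own pages, so the upload iframe
    // (IFRAME_REQUEST) keeps working without a nonce-gated exception.
    return 'SAMEORIGIN';
}

/** Emit the header for the current request, if one applies. */
function example_send_frame_options(array $context): void
{
    $value = example_frame_options_for($context);
    // header() must run before any output; headers_sent() guards that.
    if ($value !== null && !headers_sent()) {
        header('X-Frame-Options: ' . $value);
    }
}

// Demo over constructed request contexts (run with: php example.php).
$cases = [
    'front-end post'        => ['is_admin' => false, 'is_login' => false],
    'wp-login.php'          => ['is_admin' => false, 'is_login' => true],
    'wp-admin post editor'  => ['is_admin' => true,  'is_login' => false],
    'uploader iframe'       => ['is_admin' => true,  'is_login' => false, 'is_iframe' => true],
    'plugin asks for DENY'  => ['is_admin' => true,  'is_login' => false, 'plugin_override' => 'DENY'],
    'plugin asks to remove' => ['is_admin' => true,  'is_login' => false, 'plugin_override' => ''],
];
foreach ($cases as $label => $context) {
    printf("%-22s -> %s\n", $label, example_frame_options_for($context) ?? '(no header)');
}
```

The design choice to check is the one the example makes for plugins: a plugin hook that can remove the header is exactly the per-page hole comment 2 warns about, so the example only lets a plugin escalate to `DENY`. A plugin that genuinely needs an admin page framed from another origin cannot be served by `X-Frame-Options` at all and has to be treated as an exception outside this mechanism.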

comment:17 ryan 2 years ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 3.1
  • Resolution set to fixed
  • Status changed from new to closed