Don't allow unfiltered HTML comments from a frame
Reported by: nacin. Owned by: ryan.
As of #12293 we issue an X-Frame-Options header in the admin and on wp-login.php. We avoided this for the frontend, as we need to balance security and usability here. Many sites are loaded in frames, often without the knowledge or foresight of the administrator (think StumbleUpon and other toolbars).
We have not classified the posting of a comment as a vulnerability in itself, whether via CSRF or an email imposter. We do guard against CSRF for unfiltered HTML. We should also guard against frames.
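As an added example, not the core patch this ticket led to, here is a small plugin that applies the proposed frame guard only to frontend responses for users who hold the `unfiltered_html` capability, leaving the site frameable for everyone else; the function name is mine, while the `send_headers` hook, `current_user_can()` and the capability name are real WordPress APIs:

```php
<?php
/*
Plugin Name: Frame guard for unfiltered-HTML commenters (added example)
Description: Sends X-Frame-Options on the frontend only for users who may post unfiltered HTML.
*/

// Added example, not the core change. The header is per-response, so it only
// restricts framing for the privileged user's own page loads; anonymous
// visitors and toolbar/frame-based readers keep the frameable frontend.
function example_frame_guard_for_unfiltered_html() {
    // Anonymous visitors cannot post unfiltered HTML, so nothing to protect.
    if ( ! is_user_logged_in() ) {
        return;
    }
    // Only users whose comments bypass KSES filtering are worth frame-guarding.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // Output already started (e.g. a misbehaving plugin); too late to add headers.
    if ( headers_sent() ) {
        return;
    }
    // SAMEORIGIN still allows the site to frame its own pages.
    header( 'X-Frame-Options: SAMEORIGIN' );
}
// 'send_headers' fires after the current user is set up and before output.
add_action( 'send_headers', 'example_frame_guard_for_unfiltered_html' );
```

Verify with a logged-in administrator versus an anonymous request (e.g. `curl -I` on any frontend URL with and without the auth cookie) that the header appears only in the former case.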