Possible Clickjacking vulnerability on TrustedFirmware.org website

Description

We received the following on the security@lists.trustedfirmware.org alias. Could you please advise how serious this is and if/when it will be fixed?


While performing security testing of your website, I found a clickjacking vulnerability.
Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
POC:
<html>
<body>
<!-- the target site loaded in a cross-origin frame; a stray second </iframe> in the original PoC removed -->
<iframe src="https://www.trustedfirmware.org/">
</iframe>
</body>
</html>
When you run this HTML code in your browser, you can see your website in an iframe, which is very dangerous.
SOLUTION:
1. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains.
2. Employing defensive code in the UI to ensure that the current frame is the most top-level window.
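As an added illustration of the first suggested fix (this is example code, not part of the report or of the TrustedFirmware.org site), the function below classifies a response's headers by whether they stop cross-origin framing, giving precedence to the CSP frame-ancestors directive over X-Frame-Options as browsers do, and applyFramingHeaders shows the hardened headers the site would send. The helper names and the setHeader-style response object are assumptions for the example.

```javascript
// Added example: classify framing protection from response headers.
// Returns 'denied', 'same-origin', 'restricted' (explicit ancestor allow-list)
// or 'frameable' (no effective protection, the state the PoC demonstrates).
function framingPolicy(headers) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.toLowerCase().replace(/^'|'$/g, ''));
      // An empty list or a lone 'none' blocks all ancestors.
      if (sources.length === 0 || (sources.length === 1 && sources[0] === 'none')) return 'denied';
      if (sources.every(s => s === 'self')) return 'same-origin';
      if (sources.includes('*')) return 'frameable';
      return 'restricted';
    }
  }

  // Fall back to X-Frame-Options. ALLOW-FROM is obsolete and ignored by
  // current browsers, so it offers no protection and is treated as frameable.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'frameable';
}

// Headers the fix should emit; frame-ancestors is the modern equivalent of
// X-Frame-Options, and sending both covers older browsers too.
const HARDENED_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// Apply them to any response object exposing setHeader(name, value)
// (Node's http.ServerResponse does; assumed interface for the example).
function applyFramingHeaders(res) {
  for (const [name, value] of Object.entries(HARDENED_HEADERS)) res.setHeader(name, value);
  return res;
}
```

Running framingPolicy over the headers returned by a `curl -I` of a page is a quick way to confirm the fix is actually deployed rather than only configured.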

Environment

None

Engineering Progress Update

None

Activity

Dan Handley August 2, 2022 at 8:32 AM

OK thanks. I’ll leave it up to you whether to address or not (I have no strong opinion). We’ll not treat this as a security incident our end.

Philip Colmer August 2, 2022 at 8:25 AM

"When you run this HTML code in your browser, you can see your website in an iframe, which is very dangerous."

No, it isn’t “very dangerous”. It is simply a reflection of how web browsers work.

While I agree that clickjacking is dangerous, there is nothing on any of Linaro’s websites that could be taken advantage of or used to mislead users through embedding the site in an iFrame.

We can certainly implement the suggested fix but I don’t think it is necessary to do so.

Benjamin Copeland August 2, 2022 at 8:19 AM

I believe this is one for you.

Done

Created August 1, 2022 at 4:31 PM
Updated October 23, 2023 at 1:44 PM
Resolved August 4, 2022 at 8:16 AM