259070 2010-12-07 02:50:20 +0000 Konqueror should support X-FRAME-OPTIONS header to protect against clickjacking 2022-11-17 05:12:57 +0000 1 1 2 Applications konqueror khtml 4.5.2 Gentoo Packages Linux RESOLVED WORKSFORME NOR normal --- 0 hanno konqueror-bugs-null aj rdieter than tim 0 oldest_to_newest 1054639 0 hanno 2010-12-07 02:50:20 +0000 Version: 4.5.2 (using KDE 4.5.4) OS: Linux Clickjacking is a way to use invisible iframes and javascript to force users to click on actions on web applications. It's similar to CSRF. Most other browsers now support a header X-FRAME-OPTIONS, which can be set to "DENY" or "SAMEORIGIN" so web applications can avoid being displayed within iframes. konqueror does not support that yet and leaves users vulnerable to clickjacking. Reproducible: Always Steps to Reproduce: See http://int21.de/frametest/ Actual Results: You see red iframes. Expected Results: Red iframes should not be displayed. 1262292 1 LpSolit 2012-06-04 18:47:14 +0000 This is definitely a security issue and all major browsers support it, see the "Browser compatibility" section at: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header For instance, Bugzilla uses it to protect sensitive bugs and attachments. All Konqueror users are exposed to clickjacking attacks. 1394638 2 tim 2013-09-02 22:48:06 +0000 I think and hope the problem is solved after two years. In my Installation Konqueror passed frametest http://int21.de/frametest/ listet in the first comment. But i can't say if the test actually works correctly. 1394744 3 hanno 2013-09-03 11:56:08 +0000 Just had some private E-Mail exchange with Tim. The issue is fixed if Konqueror is used with Webkit, but it is not fixed with KHTML (which is still the default). 1433857 4 rdieter 2014-03-04 22:12:51 +0000 Re: comment #3 With recent kwebkitpart installs, it takes default priority over khtml (if installed). 1433922 5 than 2014-03-05 13:06:11 +0000 Hanno, i saw your CVE request on oss-sec, http://seclists.org/oss-sec/2014/q1/476 2162429 6 justin.zobel 2022-10-17 22:53:35 +0000 Thank you for reporting this bug in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "CONFIRMED" when replying. Thank you! 2162564 7 hanno 2022-10-18 07:16:18 +0000 It seems konqueror now implements x-frame-options. I guess this change happened with the switch to qtwebengine. 2167813 8 bug-janitor 2022-11-02 05:05:37 +0000 Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone! 2174263 9 bug-janitor 2022-11-17 05:12:57 +0000 This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!