|Summary:||Konqueror should support X-FRAME-OPTIONS header to protect against clickjacking|
|Component:||khtml||Assignee:||Konqueror Developers <konq-bugs>|
|Severity:||normal||CC:||aj, rdieter, than, tim|
|Latest Commit:||Version Fixed In:|
Description hanno 2010-12-07 02:50:20 UTC
Comment 1 Frédéric Buclin 2012-06-04 18:47:14 UTC
This is definitely a security issue and all major browsers support it, see the "Browser compatibility" section at: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header For instance, Bugzilla uses it to protect sensitive bugs and attachments. All Konqueror users are exposed to clickjacking attacks.
Comment 2 tim 2013-09-02 22:48:06 UTC
I think and hope the problem is solved after two years. In my installation, Konqueror passed the frametest http://int21.de/frametest/ listed in the first comment. But I can't say if the test actually works correctly.
Comment 3 hanno 2013-09-03 11:56:08 UTC
Just had some private e-mail exchange with Tim. The issue is fixed if Konqueror is used with WebKit, but it is not fixed with KHTML (which is still the default).
Comment 4 Rex Dieter 2014-03-04 22:12:51 UTC
Re: comment #3 With recent kwebkitpart installs, it takes default priority over khtml (if installed).
Comment 5 Than Ngo 2014-03-05 13:06:11 UTC
Hanno, I saw your CVE request on oss-sec, http://seclists.org/oss-sec/2014/q1/476
Comment 6 Justin Zobel 2022-10-17 22:53:35 UTC
Thank you for reporting this bug in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "CONFIRMED" when replying. Thank you!
Comment 7 hanno 2022-10-18 07:16:18 UTC
It seems Konqueror now implements X-Frame-Options. I guess this change happened with the switch to QtWebEngine.
Comment 8 Bug Janitor Service 2022-11-02 05:05:37 UTC
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
Comment 9 Bug Janitor Service 2022-11-17 05:12:57 UTC
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!