Bug 259070

Summary: Konqueror should support X-FRAME-OPTIONS header to protect against clickjacking
Product: [Applications] konqueror Reporter: hanno
Component: khtmlAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED WORKSFORME    
Severity: normal CC: aj, rdieter, than, tim
Priority: NOR    
Version: 4.5.2   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description hanno 2010-12-07 02:50:20 UTC 
Version:           4.5.2 (using KDE 4.5.4) 
OS:                Linux

Clickjacking is a way to use invisible iframes and javascript to force users to click on actions on web applications. It's similar to CSRF.

Most other browsers now support a header X-FRAME-OPTIONS, which can be set to "DENY" or "SAMEORIGIN" so web applications can avoid being displayed within iframes. konqueror does not support that yet and leaves users vulnerable to clickjacking.

Reproducible: Always

Steps to Reproduce:
See http://int21.de/frametest/

Actual Results:  
You see red iframes.

Expected Results:  
Red iframes should not be displayed.
Comment 1 Frédéric Buclin 2012-06-04 18:47:14 UTC 
This is definitely a security issue and all major browsers support it, see the "Browser compatibility" section at:
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

For instance, Bugzilla uses it to protect sensitive bugs and attachments. All Konqueror users are exposed to clickjacking attacks.
Comment 2 tim 2013-09-02 22:48:06 UTC 
I think and hope the problem is solved after two years. In my Installation Konqueror passed frametest http://int21.de/frametest/ listet in the first comment. But i can't say if the test actually works correctly.
Comment 3 hanno 2013-09-03 11:56:08 UTC 
Just had some private E-Mail exchange with Tim. The issue is fixed if Konqueror is used with Webkit, but it is not fixed with KHTML (which is still the default).
Comment 4 Rex Dieter 2014-03-04 22:12:51 UTC 
Re: comment #3

With recent kwebkitpart installs, it takes default priority over khtml (if installed).
Comment 5 Than Ngo 2014-03-05 13:06:11 UTC 
Hanno, i saw your CVE request on oss-sec, http://seclists.org/oss-sec/2014/q1/476
Comment 6 Justin Zobel 2022-10-17 22:53:35 UTC 
Thank you for reporting this bug in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "CONFIRMED" when replying. Thank you!
Comment 7 hanno 2022-10-18 07:16:18 UTC 
It seems konqueror now implements x-frame-options. I guess this change happened with the switch to qtwebengine.
Comment 8 Bug Janitor Service 2022-11-02 05:05:37 UTC 
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 9 Bug Janitor Service 2022-11-17 05:12:57 UTC 
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!