Version: 4.5.2 (using KDE 4.5.4) OS: Linux Clickjacking is a way to use invisible iframes and javascript to force users to click on actions on web applications. It's similar to CSRF. Most other browsers now support a header X-FRAME-OPTIONS, which can be set to "DENY" or "SAMEORIGIN" so web applications can avoid being displayed within iframes. konqueror does not support that yet and leaves users vulnerable to clickjacking. Reproducible: Always Steps to Reproduce: See http://int21.de/frametest/ Actual Results: You see red iframes. Expected Results: Red iframes should not be displayed.
This is definitely a security issue and all major browsers support it, see the "Browser compatibility" section at: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header For instance, Bugzilla uses it to protect sensitive bugs and attachments. All Konqueror users are exposed to clickjacking attacks.
I think and hope the problem is solved after two years. In my Installation Konqueror passed frametest http://int21.de/frametest/ listet in the first comment. But i can't say if the test actually works correctly.
Just had some private E-Mail exchange with Tim. The issue is fixed if Konqueror is used with Webkit, but it is not fixed with KHTML (which is still the default).
Re: comment #3 With recent kwebkitpart installs, it takes default priority over khtml (if installed).
Hanno, i saw your CVE request on oss-sec, http://seclists.org/oss-sec/2014/q1/476
Thank you for reporting this bug in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "CONFIRMED" when replying. Thank you!
It seems konqueror now implements x-frame-options. I guess this change happened with the switch to qtwebengine.
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!