author    Shawn O. Pearce <sop@google.com>  2009-02-12 19:08:26 -0800
committer Shawn O. Pearce <sop@google.com>  2009-02-12 19:08:26 -0800
commit    79280a6cb66102f6ef06249895a509ef1b692993 (patch)
tree      b1218416e0a486cebb41ae45d4ce4612974a523b
parent    9a8261ceab3de520789dd9bdcdfa334cecb54cd7 (diff)
Bust out of an <iframe> if Gerrit is embedded in one
It's a security risk to permit other web pages to insert a Gerrit window into an iframe. They could use CSS tricks to layer some innocent object over our page and mask the UI, so that the user thinks they are clicking on a button to view a cute kitten, when in fact they are submitting a change in ownership for an object in Gerrit, like a project.

Since Gerrit isn't really intended to be used in a mashup, but is instead a code review system that needs to be fairly paranoid about the data it controls, it's reasonable to require that we are always the top level window for the browser.

This particular frame busting trick doesn't work in IE if the attacker page turns off JavaScript in our <iframe>, but then we wouldn't be able to render any of our widgets anyway, or do any RPC calls, so no state could change as a result of such an embedding attack.

I'm putting the code for this inside of the module load, so we can't easily strip it out of a host page by accident, or through some evil pre-processing trick. It's tightly compiled into the obfuscated output, which makes it rather horrid to bypass.

We have to test for "GWT.isScript()" in order to bypass this in the hosted mode debugging shell. That shell appears to at least initially load Gerrit into some sort of <iframe> like environment, and running this code there busts the debugger entirely. Since we are only running locally from a controlled developer environment, it's not a security risk to bypass the frame busting code there.

Signed-off-by: Shawn O. Pearce <sop@google.com>
-rw-r--r--  src/main/java/com/google/gerrit/client/Gerrit.java  11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/main/java/com/google/gerrit/client/Gerrit.java b/src/main/java/com/google/gerrit/client/Gerrit.java
index c5f88986ef..68db5f2318 100644
--- a/src/main/java/com/google/gerrit/client/Gerrit.java
+++ b/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -172,6 +172,11 @@ public class Gerrit implements EntryPoint {
}
public void onModuleLoad() {
+ if (GWT.isScript() && amInsideIFrame()) {
+ bustOutOfIFrame(Window.Location.getHref());
+ return;
+ }
+
initHistoryHooks();
populateBottomMenu();
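Review bot: The early `return` after `bustOutOfIFrame(...)` is the important fail-closed part of this hunk, since it stops `initHistoryHooks()` and the rest of `onModuleLoad()` from building a usable UI inside the frame while the top-level navigation is pending, but nothing in the code says so; the reasoning (why framing is refused, why `GWT.isScript()` exempts the hosted-mode shell, and the known limitation that the check cannot run if the framing page disables JavaScript) lives only in the commit message. Please add a short comment above the `if` so the next person editing `onModuleLoad()` does not move or drop the guard.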
@@ -192,6 +197,12 @@ public class Gerrit implements EntryPoint {
});
}
+ private static native boolean amInsideIFrame()
+ /*-{ return top.location != $wnd.location; }-*/;
+
+ private static native void bustOutOfIFrame(String newloc)
+ /*-{ top.location.href = newloc }-*/;
+
private static ArrayList<JavaScriptObject> historyHooks;
private static native void initHistoryHooks()
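Review bot: Two small points on the new JSNI methods. `amInsideIFrame()` compares two `Location` objects by identity (`top.location != $wnd.location`), which works because a window's `location` is the same object on every read, but the intent reads more directly as a window comparison, e.g. `return $wnd.top != $wnd;`, and that form avoids touching `top.location` at all when the page is not framed. Also, the body of `bustOutOfIFrame` is missing its statement terminator: `/*-{ top.location.href = newloc; }-*/;`, for consistency with the semicolon-terminated body just above it.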