
Prevent clickjacking in the Wikibase UI
Open, Needs Triage, Public

Description

As pointed out in T186726, it is possible to trick users of the Wikibase UI into clicking on malicious things (clickjacking), e.g. when an item page is included in an HTML frame.

A fuller description, authored by @Bawolff in that ticket, including possible ways to solve the problem:

Since this allows edit interaction directly on the wiki page, it should take steps to prevent clickjacking. Either JavaScript should detect when the page is being framed and refuse to load the editing-related JS code (since the editing-related code only runs if JS is enabled, it is safe to detect this condition in JS), or the extension can call OutputPage::preventClickjacking() (which will totally disable frames altogether for both JS and non-JS users).
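The JavaScript-side option described above, as an added example that is not Wikibase's or MediaWiki's own code: a loader gate that refuses to initialise editing-related code when the document is framed. The functions `isFramed`, `shouldLoadEditingUi` and `initWikibaseEditing`, and the window stand-ins at the bottom, are constructed for this illustration; in a browser the first argument would simply be `window`.

```javascript
'use strict';

// Added example, not Wikibase code. Decides whether editing-related JS may
// run, based on whether the document is embedded in a frame.
// Assumes a window-like object exposing `self` and `top`, as browsers do.

function isFramed(win) {
  // In a top-level document window.self === window.top. Browsers allow
  // reading win.top even when the parent is cross-origin (only the parent's
  // properties such as location are blocked), so an identity comparison is
  // safe. If an exotic environment throws anyway, fail closed and report
  // "framed", which only costs the editing UI, never safety.
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

function shouldLoadEditingUi(win) {
  return !isFramed(win);
}

// Loader gate: `loadEditingModule` stands in for whatever attaches the
// edit toolbar (hypothetical callback, not a real ResourceLoader API).
function initWikibaseEditing(win, loadEditingModule) {
  if (!shouldLoadEditingUi(win)) {
    return 'skipped: document is framed';
  }
  loadEditingModule();
  return 'loaded';
}

// Constructed stand-ins for browser windows (no real DOM needed).
const topLevel = {};
topLevel.self = topLevel;
topLevel.top = topLevel;

const parentWin = {};
parentWin.self = parentWin;
parentWin.top = parentWin;

const framedWin = { top: parentWin };
framedWin.self = framedWin;

// A window whose `top` access throws, to exercise the fail-closed path.
const throwingWin = { get top() { throw new Error('blocked'); } };
throwingWin.self = throwingWin;

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, win] of [['top-level', topLevel], ['framed', framedWin], ['throwing', throwingWin]]) {
    console.log(name + ': ' + initWikibaseEditing(win, () => console.log('  editing module loaded')));
  }
}
```

Note that this gate only protects users with JS enabled, which is exactly the population at risk here, since the editing controls are JS-only; a framer that strips scripts (for example with an `iframe` `sandbox` attribute lacking `allow-scripts`) also strips the editing UI, so the check fails safe. Non-JS users and any server-rendered interactive elements still need the header-based protection that OutputPage::preventClickjacking() provides, as the ticket notes.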

Event Timeline

I've actually been thinking about this recently.

MediaWiki is doing a subpar job with clickjacking in general. I'm now thinking that resource loader should in general just refuse to load any JS if the page is in a frame.

Lydia_Pintscher raised the priority of this task from Medium to Needs Triage. Sep 2 2018, 3:25 PM