Bust out of an <iframe> if Gerrit is embedded in one

It's a security risk to permit other web pages to insert a Gerrit window into an iframe. They could use CSS tricks to layer some innocent object over our page and mask the UI, so that the user thinks they are clicking on a button to view a cute kitten, when in fact they are submitting a change in ownership for an object in Gerrit, like a project.

Since Gerrit isn't really intended to be used in a mashup, but is instead a code review system that needs to be fairly paranoid about the data it controls, it's reasonable to require that we are always the top level window for the browser.

This particular frame busting trick doesn't work in IE if the attacker page turns off JavaScript in our <iframe>, but then we wouldn't be able to render any of our widgets anyway, or do any RPC calls, so no state could change as a result of such an embedding attack.

I'm putting the code for this inside of the module load, so we can't easily strip it out of a host page by accident, or through some evil pre-processing trick. It's tightly compiled into the obfuscated output, which makes it rather horrid to bypass.

We have to test for "GWT.isScript()" in order to bypass this in the hosted mode debugging shell. That shell appears to at least initially load Gerrit into some sort of <iframe> like environment, and running this code there busts the debugger entirely. Since we are only running locally from a controlled developer environment, it's not a security risk to bypass the frame busting code there.

Signed-off-by: Shawn O. Pearce <sop@google.com>
diff --git a/src/main/java/com/google/gerrit/client/Gerrit.java b/src/main/java/com/google/gerrit/client/Gerrit.java index c5f8898..68db5f2 100644 --- a/src/main/java/com/google/gerrit/client/Gerrit.java +++ b/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -172,6 +172,11 @@ } public void onModuleLoad() { + if (GWT.isScript() && amInsideIFrame()) { + bustOutOfIFrame(Window.Location.getHref()); + return; + } + initHistoryHooks(); populateBottomMenu(); @@ -192,6 +197,12 @@ }); } + private static native boolean amInsideIFrame() + /*-{ return top.location != $wnd.location; }-*/; + + private static native void bustOutOfIFrame(String newloc) + /*-{ top.location.href = newloc }-*/; + private static ArrayList<JavaScriptObject> historyHooks; private static native void initHistoryHooks()
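Review bot: the guard `if (GWT.isScript() && amInsideIFrame())` in the first hunk skips the frame-busting check entirely in hosted mode, and nothing at that line says why; add a one-line comment there with the reason given in the commit message (the hosted-mode shell loads the module inside an iframe-like container), otherwise a later reader sees a security check that is disabled in one build mode and may be tempted to drop the condition. The early `return` before `initHistoryHooks()` is correct: no widgets or RPC hooks should be set up while the page is framed.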
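Review bot: in the second hunk the JSNI body `/*-{ top.location.href = newloc }-*/` is missing its terminating semicolon, unlike the `amInsideIFrame` body directly above it; add it for consistency. Consider also having `amInsideIFrame` compare the windows themselves (`top != $wnd`) rather than their Location objects: that states the intent (am I the top-level window?) directly and does not depend on how two Location objects compare.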
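The decision the patch makes in `onModuleLoad`, written as an added example (not Gerrit's code) against injectable window objects so it runs and can be tested outside a browser. The function names `isFramed`, `bustOutOfIFrame` and `onModuleLoad` and the return strings are this example's own; in a real page you would call `onModuleLoad(window, window.top, true)`. It adds one caveat the patch does not handle: a framing page that uses `<iframe sandbox>` without `allow-top-navigation` makes the assignment to `top.location.href` throw, so the example reports that and lets the caller refuse to render instead of silently continuing inside the frame.

```javascript
// Added example, not part of the Gerrit patch: frame detection and bust-out
// logic with the window objects passed in, so it is testable without a DOM.

// True when `win` is not the top-level browsing context. Window identity is
// the direct test; the patch compares the two Location objects instead,
// which is equivalent when the app really is top-level.
function isFramed(win, topWin) {
  return win !== topWin;
}

// Navigate the top window to our own URL. Returns false when the framing
// page has blocked top navigation (sandboxed iframe): the caller should then
// fail closed and not render the UI inside the frame.
function bustOutOfIFrame(topWin, newloc) {
  try {
    topWin.location.href = newloc;
    return true;
  } catch (e) {
    return false;
  }
}

// Mirrors the guard in the patch. `isScript` stands in for GWT.isScript():
// false in the hosted-mode debugger, where the shell itself frames the app.
// Returns "render", "busting" or "blocked" so the decision can be asserted on.
function onModuleLoad(win, topWin, isScript) {
  if (isScript && isFramed(win, topWin)) {
    return bustOutOfIFrame(topWin, win.location.href) ? "busting" : "blocked";
  }
  return "render";
}
```

The "blocked" outcome is the one the original code cannot distinguish: the assignment throws, the exception propagates out of `onModuleLoad`, and the page is left in whatever state the framing page chose. Returning a value lets the host page leave the UI blank in that case.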