Changeset 144105 in webkit
- Timestamp: Feb 26, 2013, 2:00:08 PM (12 years ago)
- Location: trunk
- Files: 3 added, 4 edited
trunk/LayoutTests/ChangeLog
r144104 r144105 1 2013-02-26 Mike West <mkwst@chromium.org> 2 3 X-Frame-Options should accept ALLOWALL as a valid value. 4 https://bugs.webkit.org/show_bug.cgi?id=110857 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi: Added. 9 * http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt: Added. 10 * http/tests/security/XFrameOptions/x-frame-options-allowall.html: Added. 11 Exciting new test! 12 * http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt: 13 Exciting new baseline for an old test that was already using ALLOWALL! 14 1 15 2013-02-26 Tony Chang <tony@chromium.org> 2 16 -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt
r142068 r144105 1 CONSOLE MESSAGE: Invalid 'X-Frame-Options' header encountered when loading 'http://127.0.0.1:8000/security/XFrameOptions/resources/nph-cached-xfo.pl': 'allowall' is not a recognized directive. The header will be ignored.2 1 ALERT: This must fire twice 3 CONSOLE MESSAGE: Invalid 'X-Frame-Options' header encountered when loading 'http://127.0.0.1:8000/security/XFrameOptions/resources/nph-cached-xfo.pl': 'allowall' is not a recognized directive. The header will be ignored.4 2 ALERT: This must fire twice 5 3 Check that an X-Frame-Options header added by a 304 response does not override one from the original request. -
trunk/Source/WebCore/ChangeLog
r144104 r144105 1 2013-02-26 Mike West <mkwst@chromium.org> 2 3 X-Frame-Options should accept ALLOWALL as a valid value. 4 https://bugs.webkit.org/show_bug.cgi?id=110857 5 6 Reviewed by Adam Barth. 7 8 DoubleClick, among others, serves ALLOWALL as a 'X-Frame-Options' value 9 with the intent of (shock!) allowing a resource to be framed by all 10 origins. Given its prevelance, and the fact that IE supports the header, 11 we shouldn't call it out as invalid. 12 13 This patch tweaks the warning logic to only throw the warning if the 14 header's value isn't 'ALLOWALL', 'DENY', or 'SAMEORIGIN'. 15 16 Test: http/tests/security/XFrameOptions/x-frame-options-allowall.html 17 18 * loader/FrameLoader.cpp: 19 (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions): 20 1 21 2013-02-26 Tony Chang <tony@chromium.org> 2 22 -
trunk/Source/WebCore/loader/FrameLoader.cpp
r143986 r144105 2938 2938 if (!origin->isSameSchemeHostPort(topFrame->document()->securityOrigin())) 2939 2939 return true; 2940 } else {2940 } else if (!equalIgnoringCase(content, "allowall")) { 2941 2941 String message = "Invalid 'X-Frame-Options' header encountered when loading '" + url.string() + "': '" + content + "' is not a recognized directive. The header will be ignored."; 2942 2942 m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, message, requestIdentifier);
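Review bot: In trunk/Source/WebCore/loader/FrameLoader.cpp, the new `else if (!equalIgnoringCase(content, "allowall"))` leaves the ALLOWALL case implicit. The value is accepted only by being excluded from the warning branch, and nothing at that point says it is deliberately treated as valid and leaves the load uninterrupted. A one-line comment above the condition, or an explicit `allowall` branch ahead of a plain `else`, would make the intent visible to whoever next edits the list of directives.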
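Review bot: In trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt, once both "not a recognized directive" console messages are removed, the baseline holds only the two "This must fire twice" alerts and the description line. This test's output therefore no longer shows whether an ALLOWALL header was seen and accepted or was simply absent. Please confirm that the expected output of the added x-frame-options-allowall.html carries that check, and say so in the ChangeLog entry.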
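Review bot: In trunk/LayoutTests/ChangeLog, the annotations "Exciting new test!" and "Exciting new baseline for an old test that was already using ALLOWALL!" do not say what is being checked. Replace them with the expectation itself, for example that the new test loads a framed resource served with ALLOWALL, and that the cached baseline drops the two console messages about an unrecognized directive.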
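Review bot: In trunk/Source/WebCore/ChangeLog, "prevelance" in the description paragraph should be "prevalence". In the same sentence, "the fact that IE supports the header" would be clearer as a statement that IE supports the ALLOWALL value, since that value is what this change is about.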