Context Navigation

← Previous Changeset
Next Changeset →

Changeset 199605 in webkit

Timestamp:

Apr 15, 2016, 12:49:58 PM (9 years ago)

Author:

Brent Fulgham

Message:

Remove support for X-Frame-Options in <meta>
https://bugs.webkit.org/show_bug.cgi?id=156625
<rdar://problem/25748714>

Reviewed by Darin Adler.

Source/WebCore:

Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.

Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html

http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html

dom/Document.cpp:

(WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.

LayoutTests:

Revise tests to match our desired behavior based on RFC 7034 (Section 4).

http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
inspector/console/x-frame-options-message-expected.txt: Rebaselined.
platform/win/TestExpectations:

Location:

trunk

Files:

: 5 added
: 5 deleted
: 8 edited
: 5 moved

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-              r199604
+              r199605
+-04-15  Brent Fulgham  <bfulgham@apple.com>
+        Remove support for X-Frame-Options in `<meta>`
+        https://bugs.webkit.org/show_bug.cgi?id=156625
+        <rdar://problem/25748714>
+        Reviewed by Darin Adler.
+        Revise tests to match our desired behavior based on RFC 7034 (Section 4).
+        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
+        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
+        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
+        * inspector/console/x-frame-options-message-expected.txt: Rebaselined.
+        * platform/win/TestExpectations:
 -04-15  Jiewen Tan  <jiewen_tan@apple.com>

trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html

-              r42333
+              r199605
 </head>
 <body>
     <p>FAIL: This should show up and disappear immediately.</p>
+    <p>PASS: This should be displayed.</p>
     <meta http-equiv="x-frame-options" content="deny" />
     <p>FAIL: This should never show up.</p>
+    <p>PASS: This should also be displayed.</p>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html

r42333	r199605
4	4	</head>
5	5	<body>
6		<p>~~FAIL: This should not show up as the parent is not in the same origin~~.</p>
	6	<p>PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.</p>
7	7	</body>
8	8	</html>

trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html

r42333	r199605
4	4	</head>
5	5	<body>
6		<p>~~FAIL: This should not show up~~.</p>
	6	<p>PASS: This should be displayed.</p>
7	7	</body>
8	8	</html>

trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html

-              r199570
+              r199605
         if (!url)
             console.log("PASS: Could not read contentWindow.location.href");
+            console.log("FAIL: Could not read contentWindow.location.href");
         else
             console.log("FAIL: Could read contentWindow.location.href");
+            console.log("PASS: Could read contentWindow.location.href");
         testRunner.notifyDone();
+    }
 </script>
 <p>There should be no content in the iframe below</p>
+<p>There should be content in the iframe below</p>
 <iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html" onload="checkIfDone()"></iframe>

trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html

-              r199570
+              r199605
         if (!url)
             console.log("PASS: Could not read contentWindow.location.href");
+            console.log("FAIL: Could not read contentWindow.location.href");
         else
             console.log("FAIL: Could read contentWindow.location.href");
+            console.log("PASS: Could read contentWindow.location.href");
         testRunner.notifyDone();
+    }
 </script>
 <p>There should be no content in the iframe below</p>
+<p>There should be content in the iframe below</p>
 <iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html" onload="checkIfDone()"></iframe>

trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html

-              r199570
+              r199605
         if (!url)
             console.log("PASS: Could not read contentWindow.location.href");
+            console.log("FAIL: Could not read contentWindow.location.href");
         else
             console.log("FAIL: Could read contentWindow.location.href");
+            console.log("PASS: Could read contentWindow.location.href");
         testRunner.notifyDone();
+    }
 </script>
 <p>There should be no content in the iframe below</p>
+<p>There should be content in the iframe below</p>
 <iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html" onload="checkIfDone()"></iframe>

trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt

r188598	r199605
1		CONSOLE MESSAGE: line 41: ~~Refused to display 'x-frame-options-message.html' in a frame because it set 'X-Frame-Options' to 'deny'~~.
	1	CONSOLE MESSAGE: line 41: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
2	2
3	3

trunk/LayoutTests/platform/win/TestExpectations

-              r199585
+              r199605
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny.html [ Failure ]
 webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html [ Crash ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html [ Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html [ Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html [ Crash Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-invalid.html [ Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html [ Failure ]

trunk/Source/WebCore/ChangeLog

-              r199603
+              r199605
+-04-15  Brent Fulgham  <bfulgham@apple.com>
+        Remove support for X-Frame-Options in `<meta>`
+        https://bugs.webkit.org/show_bug.cgi?id=156625
+        <rdar://problem/25748714>
+        Reviewed by Darin Adler.
+        Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
+        a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.
+        Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html
+               http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
+               http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
+               http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
+               http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.
 -04-15  Jer Noble  <jer.noble@apple.com>

trunk/Source/WebCore/dom/Document.cpp

-              r199538
+              r199605
             if (frameLoader.activeDocumentLoader() && frameLoader.activeDocumentLoader()->mainResourceLoader())
                 requestIdentifier = frameLoader.activeDocumentLoader()->mainResourceLoader()->identifier();
+            if (frameLoader.shouldInterruptLoadForXFrameOptions(content, url(), requestIdentifier)) {
+                String message = "Refused to display '" + url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
+                frameLoader.stopAllLoaders();
+                // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's
+                // intent, we must navigate away from the possibly partially-rendered document to a location that
+                // doesn't inherit the parent's SecurityOrigin.
+                frame->navigationScheduler().scheduleLocationChange(this, securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
+                addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, requestIdentifier);
+            }
+            addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier);
+        }
         break;

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 199605 in webkit

Legend:

Download in other formats: