Changeset 146257 in webkit
- Timestamp:
- Mar 19, 2013 2:12:24 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r146253 r146257 1 2013-03-19 Mike West <mkwst@chromium.org> 2 3 FeatureObserver: Measure X-Frame-Options usage. 4 https://bugs.webkit.org/show_bug.cgi?id=112670 5 6 Reviewed by Adam Barth. 7 8 This patch adds three FeatureObserver entries to gather information 9 about 'X-Frame-Options' usage in general, and in particular usage 10 and potential misunderstanding of the 'SAMEORIGIN' value. 11 12 Three entries are added: 13 14 - XFrameOptions measures the raw number of 'X-Frame-Options' headers. 15 16 - XFrameOptionsSameOrigin measures the number of those headers that 17 set the value to 'SAMEORIGIN'. 18 19 - XFrameOptionsSameOriginWithBadAncestorChain measures the number of 20 occasions in which the frame passed the "top-only" origin check we're 21 currently performing, but would have failed a more strict check 22 against poisoned ancestor chains (that is, an ancestor chain that 23 looks like 'example.com' -> 'evil.com' -> 'example.com'). 24 25 Mozilla is considering changing 'SAMEORIGIN's behavior to block the 26 latter loophole[1], and the UI Safety spec is considering dropping 27 'top-only' entirely[2]. This data will inform those decisions. 28 29 [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=725490 30 [2]: http://lists.w3.org/Archives/Public/public-webappsec/2013Mar/0007.html 31 32 This doesn't change web-visible behavior; it only adds histograms 33 34 * loader/FrameLoader.cpp: 35 (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions): 36 When processing an 'X-Frame-Options' header's value, call out to 37 FeatureObserver when relevant to increment the correct histogram 38 entries. 39 * page/FeatureObserver.h: 40 Added three entries to the FeatureObserver enum: XFrameOptions, 41 XFrameOptionsSameOrigin, and XFrameOptionsSameOriginWithBadAncestorChain. 42 Each is explained above. 43 1 44 2013-03-19 Adam Barth <abarth@webkit.org> 2 45 -
trunk/Source/WebCore/loader/FrameLoader.cpp
r145914 r146257 2951 2951 bool FrameLoader::shouldInterruptLoadForXFrameOptions(const String& content, const KURL& url, unsigned long requestIdentifier) 2952 2952 { 2953 FeatureObserver::observe(m_frame->document(), FeatureObserver::XFrameOptions); 2954 2953 2955 Frame* topFrame = m_frame->tree()->top(); 2954 2956 if (m_frame == topFrame) … … 2958 2960 return true; 2959 2961 else if (equalIgnoringCase(content, "sameorigin")) { 2962 FeatureObserver::observe(m_frame->document(), FeatureObserver::XFrameOptionsSameOrigin); 2960 2963 RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url); 2961 2964 if (!origin->isSameSchemeHostPort(topFrame->document()->securityOrigin())) 2962 2965 return true; 2966 for (Frame* frame = m_frame->tree()->parent(); frame; frame = frame->tree()->parent()) { 2967 if (!origin->isSameSchemeHostPort(frame->document()->securityOrigin())) { 2968 FeatureObserver::observe(m_frame->document(), FeatureObserver::XFrameOptionsSameOriginWithBadAncestorChain); 2969 break; 2970 } 2971 } 2963 2972 } else if (!equalIgnoringCase(content, "allowall")) { 2964 2973 String message = "Invalid 'X-Frame-Options' header encountered when loading '" + url.elidedString() + "': '" + content + "' is not a recognized directive. The header will be ignored."; -
trunk/Source/WebCore/page/FeatureObserver.h
r145782 r146257 102 102 CursorVisibility, 103 103 StorageInfo, 104 XFrameOptions, 105 XFrameOptionsSameOrigin, 106 XFrameOptionsSameOriginWithBadAncestorChain, 104 107 // Add new features above this line. Don't change assigned numbers of each items. 105 108 NumberOfFeatures, // This enum value must be last.
Note: See TracChangeset
for help on using the changeset viewer.