Changeset 147086 in webkit

Timestamp:

Mar 28, 2013 1:59:00 AM (11 years ago)

Author:

mkwst@chromium.org

Message:

X-Frame-Options: Multiple headers are ignored completely.
​https://bugs.webkit.org/show_bug.cgi?id=113387

Reviewed by Nate Chapin.

Source/WebCore:

If a server sends multiple 'X-Frame-Options' headers, we end up with a
value like 'SAMEORIGIN, SAMEORIGIN'. Currently, we're treating that as
invalid, and ignoring the header. It would be safer to follow Gecko's
lead[1] by:

• Folding duplicated entries into their common value (that is: 'sameorigin, sameorigin' -> 'sameorigin').

• Failing closed in the case of conflicts (that is: 'sameorigin, allowall' -> 'deny').

[1]: ​https://bugzilla.mozilla.org/show_bug.cgi?id=761655

Tests: http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html

http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html
http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):

Call out to parseXFrameOptionsHeader to get the header's disposition
and deal with each case in a switch statement for clarity. Add a new
console warning for the conflict case described above.

• platform/network/HTTPParsers.cpp:

(WebCore::parseXFrameOptionsHeader):

• platform/network/HTTPParsers.h:

Move X-Frame-Options parsing out into HTTPParsers, as it's getting
more and more complicated. To do this, the patch defines a new enum
to pass around the header's disposition.

LayoutTests:

• http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi: Added.
• http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi: Added.
• http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
• http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html: Added.
• http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
• http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html: Added.
• http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
• http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: Added.
• platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
• platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
• platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi (added)
• LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi (added)
• LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt (added)
• LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html (added)
• LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt (added)
• LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html (added)
• LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt (added)
• LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html (added)
• LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/FrameLoader.cpp (modified) (2 diffs)
• Source/WebCore/platform/network/HTTPParsers.cpp (modified) (1 diff)
• Source/WebCore/platform/network/HTTPParsers.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-03-28  Mike West  <mkwst@chromium.org>
+
+        X-Frame-Options: Multiple headers are ignored completely.
+        https://bugs.webkit.org/show_bug.cgi?id=113387
+
+        Reviewed by Nate Chapin.
+
+        * http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi: Added.
+        * http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: Added.
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
+
 2013-03-28  Mihai Tica  <mitica@adobe.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-28  Mike West  <mkwst@chromium.org>
+
+        X-Frame-Options: Multiple headers are ignored completely.
+        https://bugs.webkit.org/show_bug.cgi?id=113387
+
+        Reviewed by Nate Chapin.
+
+        If a server sends multiple 'X-Frame-Options' headers, we end up with a
+        value like 'SAMEORIGIN, SAMEORIGIN'. Currently, we're treating that as
+        invalid, and ignoring the header. It would be safer to follow Gecko's
+        lead[1] by:
+
+        - Folding duplicated entries into their common value (that is:
+          'sameorigin, sameorigin' -> 'sameorigin').
+
+        - Failing closed in the case of conflicts (that is:
+          'sameorigin, allowall' -> 'deny').
+
+        [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=761655
+
+        Tests: http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html
+               http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html
+               http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
+            Call out to parseXFrameOptionsHeader to get the header's disposition
+            and deal with each case in a switch statement for clarity. Add a new
+            console warning for the conflict case described above.
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::parseXFrameOptionsHeader):
+        * platform/network/HTTPParsers.h:
+            Move X-Frame-Options parsing out into HTTPParsers, as it's getting
+            more and more complicated. To do this, the patch defines a new enum
+            to pass around the header's disposition.
+
 2013-03-28  Mihnea Ovidenie  <mihnea@adobe.com>
 

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -2957 +2957 @@
         return false;
 
-    if (equalIgnoringCase(content, "deny"))
-        return true;
-    else if (equalIgnoringCase(content, "sameorigin")) {
+    XFrameOptionsDisposition disposition = parseXFrameOptionsHeader(content);
+
+    switch (disposition) {
+    case XFrameOptionsSameOrigin: {
         FeatureObserver::observe(m_frame->document(), FeatureObserver::XFrameOptionsSameOrigin);
         RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
@@ -2970 +2971 @@
             }
         }
-    } else if (!equalIgnoringCase(content, "allowall")) {
-        String message = "Invalid 'X-Frame-Options' header encountered when loading '" + url.elidedString() + "': '" + content + "' is not a recognized directive. The header will be ignored.";
-        m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, message, requestIdentifier);
-    }
-
-    return false;
+        return false;
+    }
+    case XFrameOptionsDeny:
+        return true;
+    case XFrameOptionsAllowAll:
+        return false;
+    case XFrameOptionsConflict:
+        m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Multiple 'X-Frame-Options' headers with conflicting values ('" + content + "') encountered when loading '" + url.elidedString() + "'. Falling back to 'DENY'.", requestIdentifier);
+        return true;
+    case XFrameOptionsInvalid:
+        m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Invalid 'X-Frame-Options' header encountered when loading '" + url.elidedString() + "': '" + content + "' is not a recognized directive. The header will be ignored.", requestIdentifier);
+        return false;
+    default:
+        ASSERT_NOT_REACHED();
+        return false;
+    }
 }
 

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

@@ -456 +456 @@
 }
 
+XFrameOptionsDisposition parseXFrameOptionsHeader(const String& header)
+{
+    XFrameOptionsDisposition result = XFrameOptionsNone;
+
+    if (header.isEmpty())
+        return result;
+
+    Vector<String> headers;
+    header.split(',', headers);
+
+    for (size_t i = 0; i < headers.size(); i++) {
+        String currentHeader = headers[i].stripWhiteSpace();
+        XFrameOptionsDisposition currentValue = XFrameOptionsNone;
+        if (equalIgnoringCase(currentHeader, "deny"))
+            currentValue = XFrameOptionsDeny;
+        else if (equalIgnoringCase(currentHeader, "sameorigin"))
+            currentValue = XFrameOptionsSameOrigin;
+        else if (equalIgnoringCase(currentHeader, "allowall"))
+            currentValue = XFrameOptionsAllowAll;
+        else
+            currentValue = XFrameOptionsInvalid;
+
+        if (result == XFrameOptionsNone)
+            result = currentValue;
+        else if (result != currentValue)
+            return XFrameOptionsConflict;
+    }
+    return result;
+}
+
 bool parseRange(const String& range, long long& rangeOffset, long long& rangeEnd, long long& rangeSuffixLength)
 {

trunk/Source/WebCore/platform/network/HTTPParsers.h

@@ -55 +55 @@
 #endif
 
+enum XFrameOptionsDisposition {
+    XFrameOptionsNone,
+    XFrameOptionsDeny,
+    XFrameOptionsSameOrigin,
+    XFrameOptionsAllowAll,
+    XFrameOptionsInvalid,
+    XFrameOptionsConflict
+};
+
 ContentDispositionType contentDispositionType(const String&);
 bool isValidHTTPHeaderValue(const String&);
@@ -66 +75 @@
 ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);
 String extractReasonPhraseFromHTTPStatusLine(const String&);
+XFrameOptionsDisposition parseXFrameOptionsHeader(const String&);
 
 // -1 could be set to one of the return parameters to indicate the value is not specified.