Changeset 244589 in webkit

Timestamp:

Apr 24, 2019 8:43:09 AM (5 years ago)

Author:

Chris Dumez

Message:

X-Frame-Options header should be ignored when frame-ancestors CSP directive is present
​https://bugs.webkit.org/show_bug.cgi?id=197226
<rdar://problem/50155649>

Reviewed by Alex Christensen.

Source/WebCore:

X-Frame-Options header should be ignored when frame-ancestors CSP directive is present:

• ​https://www.w3.org/TR/CSP3/#frame-ancestors-and-frame-options

Specification says:
"""
In order to allow backwards-compatible deployment, the frame-ancestors directive _obsoletes_ the
X-Frame-Options header. If a resource is delivered with an policy that includes a directive named
frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored.
"""

Gecko and Blink follow the specification, WebKit does not. As a result, page [1] is broken with
WebKit-only on Schwab.com. The page height is wrong and you cannot see all the ETFs as a result.

[1] ​https://www.schwab.com/public/schwab/investing/investment_help/investment_research/etf_research/etfs.html?&path=/Prospect/Research/etfs/overview/oneSourceETFs.asp

Test: http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options.html

• loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::responseReceived):

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::overridesXFrameOptions const):

• page/csp/ContentSecurityPolicy.h:
• page/csp/ContentSecurityPolicyDirectiveList.h:

(WebCore::ContentSecurityPolicyDirectiveList::hasFrameAncestorsDirective const):

Source/WebKit:

• NetworkProcess/NetworkResourceLoader.cpp:

(WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):

LayoutTests:

Add layout test coverage.

• http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options.html: Added.
• http/tests/security/contentSecurityPolicy/resources/frame-ancestors-self-x-frame-options-deny.pl: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-self-x-frame-options-deny.pl (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/DocumentLoader.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-04-24  Chris Dumez  <cdumez@apple.com>
+
+        X-Frame-Options header should be ignored when frame-ancestors CSP directive is present
+        https://bugs.webkit.org/show_bug.cgi?id=197226
+        <rdar://problem/50155649>
+
+        Reviewed by Alex Christensen.
+
+        Add layout test coverage.
+
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/frame-ancestors-self-x-frame-options-deny.pl: Added.
+
 2019-04-24  chris fleizach  <cfleizach@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-04-24  Chris Dumez  <cdumez@apple.com>
+
+        X-Frame-Options header should be ignored when frame-ancestors CSP directive is present
+        https://bugs.webkit.org/show_bug.cgi?id=197226
+        <rdar://problem/50155649>
+
+        Reviewed by Alex Christensen.
+
+        X-Frame-Options header should be ignored when frame-ancestors CSP directive is present:
+        - https://www.w3.org/TR/CSP3/#frame-ancestors-and-frame-options
+
+        Specification says:
+        """
+        In order to allow backwards-compatible deployment, the frame-ancestors directive _obsoletes_ the
+        X-Frame-Options header. If a resource is delivered with an policy that includes a directive named
+        frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored.
+        """
+
+        Gecko and Blink follow the specification, WebKit does not. As a result, page [1] is broken with
+        WebKit-only on Schwab.com. The page height is wrong and you cannot see all the ETFs as a result.
+
+        [1] https://www.schwab.com/public/schwab/investing/investment_help/investment_research/etf_research/etfs.html?&path=/Prospect/Research/etfs/overview/oneSourceETFs.asp
+
+        Test: http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-X-Frames-Options.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::responseReceived):
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::overridesXFrameOptions const):
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        (WebCore::ContentSecurityPolicyDirectiveList::hasFrameAncestorsDirective const):
+
 2019-04-24  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/loader/DocumentLoader.cpp

@@ -788 +788 @@
         }
 
-        String frameOptions = response.httpHeaderFields().get(HTTPHeaderName::XFrameOptions);
-        if (!frameOptions.isNull()) {
-            if (frameLoader()->shouldInterruptLoadForXFrameOptions(frameOptions, url, identifier)) {
-                String message = "Refused to display '" + url.stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + frameOptions + "'.";
-                m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
-                stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
-                return;
+        if (!contentSecurityPolicy.overridesXFrameOptions()) {
+            String frameOptions = response.httpHeaderFields().get(HTTPHeaderName::XFrameOptions);
+            if (!frameOptions.isNull()) {
+                if (frameLoader()->shouldInterruptLoadForXFrameOptions(frameOptions, url, identifier)) {
+                    String message = "Refused to display '" + url.stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + frameOptions + "'.";
+                    m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
+                    stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
+                    return;
+                }
             }
         }

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -501 +501 @@
 }
 
+bool ContentSecurityPolicy::overridesXFrameOptions() const
+{
+    // If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition
+    // is "enforce", then the X-Frame-Options header MUST be ignored.
+    // https://www.w3.org/TR/CSP3/#frame-ancestors-and-frame-options
+    for (auto& policy : m_policies) {
+        if (!policy->isReportOnly() && policy->hasFrameAncestorsDirective())
+            return true;
+    }
+    return false;
+}
+
 bool ContentSecurityPolicy::allowFrameAncestors(const Vector<RefPtr<SecurityOrigin>>& ancestorOrigins, const URL& url, bool overrideContentSecurityPolicy) const
 {

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -100 +100 @@
     bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false) const;
     WEBCORE_EXPORT bool allowFrameAncestors(const Vector<RefPtr<SecurityOrigin>>& ancestorOrigins, const URL&, bool overrideContentSecurityPolicy = false) const;
+    WEBCORE_EXPORT bool overridesXFrameOptions() const;
 
     enum class RedirectResponseReceived { No, Yes };

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

@@ -77 +77 @@
 
     bool hasBlockAllMixedContentDirective() const { return m_hasBlockAllMixedContentDirective; }
+    bool hasFrameAncestorsDirective() const { return !!m_frameAncestors; }
 
     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-04-24  Chris Dumez  <cdumez@apple.com>
+
+        X-Frame-Options header should be ignored when frame-ancestors CSP directive is present
+        https://bugs.webkit.org/show_bug.cgi?id=197226
+        <rdar://problem/50155649>
+
+        Reviewed by Alex Christensen.
+
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
+
 2019-04-24  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp

@@ -397 +397 @@
     if (!contentSecurityPolicy.allowFrameAncestors(m_parameters.frameAncestorOrigins, url))
         return true;
-    String xFrameOptions = m_response.httpHeaderField(HTTPHeaderName::XFrameOptions);
-    if (!xFrameOptions.isNull() && shouldInterruptLoadForXFrameOptions(xFrameOptions, response.url())) {
-        String errorMessage = "Refused to display '" + response.url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + xFrameOptions + "'.";
-        send(Messages::WebPage::AddConsoleMessage { m_parameters.webFrameID,  MessageSource::Security, MessageLevel::Error, errorMessage, identifier() }, m_parameters.webPageID);
-        return true;
+
+    if (!contentSecurityPolicy.overridesXFrameOptions()) {
+        String xFrameOptions = m_response.httpHeaderField(HTTPHeaderName::XFrameOptions);
+        if (!xFrameOptions.isNull() && shouldInterruptLoadForXFrameOptions(xFrameOptions, response.url())) {
+            String errorMessage = "Refused to display '" + response.url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + xFrameOptions + "'.";
+            send(Messages::WebPage::AddConsoleMessage { m_parameters.webFrameID,  MessageSource::Security, MessageLevel::Error, errorMessage, identifier() }, m_parameters.webPageID);
+            return true;
+        }
     }
     return false;