Contact emails
Spec
https://tools.ietf.org/html/rfc7034
Summary
Currently, XFO performs a same origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected, because the framed content from evil.com can load and arbitrarily decorate any page in the same origin as the top-level window, and entice the user to interact with it."
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
No change to XFO's current display in devtools (it shows up as a cancelled request, and is flagged with a console warning).
Interoperability and Compatibility Risk
https://www.chromestatus.com/metrics/feature/timeline/popularity/60 is hovering around 0%. This does not seem to pose a large interoperability risk anymore.
Edge: No signals
Firefox: Public support (several years ago in https://bugzilla.mozilla.org/show_bug.cgi?id=725490. I expect they'd follow us if we can successfully change this behavior.)
Safari: No signals
Web developers: Positive (people are generally surprised at SAMEORIGIN's behavior when we explain it to them. See https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=9 for example)
Is this feature fully tested by web-platform-tests?
We have plenty of layout tests, but haven't yet upstreamed them to WPT. I'll work on that as part of this change.
OWP launch tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=250309
Entry on the feature dashboard
https://www.chromestatus.com/feature/4678102647046144
Thanks!
lgtm1
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABc02_%2BOfNicx3N-G8Y8GeU2myuSS7Dnmuz6wkuQ%3DijK_K%2BsWg%40mail.gmail.com.
HTTPArchive shows 22 pages affected. I ran through each of them and see a few trends:
- 11 sites (http://www.televisa.com.mx/, http://www.televisa.com, http://www.esmas.com/, http://www.ecoustics.com/, http://www.ufatime.ru/, http://www.xara.com/, http://www.driven.co.nz/, http://www.chocolatemuffintop.tumblr.com/, http://www.ritmoson.tv/, http://www.viva.co.nz/, https://www.rejuvenation.com/) no longer exhibit this behavior. Ads?
- A tracking pixel through Dotomi would be blocked on https://www.sarahraven.com/, https://www.soma.com/store/, and https://www.whitehouseblackmarket.com/store/.
- http://www.websitealive.com/ embeds http://www.websitealive3.com/ which embeds http://www.websitealive.com/. No visible difference, but I don't know the site well enough to make a value judgement. :)
- The only real usage I see are 7 tumblr sites (http://www.flavor-text-chara.tumblr.com/, http://www.thisiskindagross.tumblr.com/, http://www.kizmetcandy.tumblr.com/, http://www.savage-sims.tumblr.com/, http://strawberryshortsnake.tumblr.com/, http://therobotgeek.tumblr.com/, and http://www.potterfluff7.tumblr.com/) using the SCM media player, which has some interesting behavior that reframes its embedding page (so, `http://example.tumblr.com/` ends up as `http://example.tumblr.com/` with a big iframe containing `http://scmplayer.net/`, which has a frame containing `http://example.tumblr.com/`). For the most part, this is weird and slow, but fine.
However, Tumblr serves its image galleries via an iframe with `X-Frame-Options: SAMEORIGIN`, so the image galleries in the nested frame no longer load. I'll poke at Tumblr folks, I suppose. If this is widely used, they could serve the photos frame with `Content-Security-Policy: 'self' http://scmplayer.net` as a better-targeted solution.
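As an added example (not code from this thread or from Blink), here is a small Python model of the two checks the thread contrasts: `X-Frame-Options: SAMEORIGIN` evaluated against the top-level frame only versus every ancestor (the lcamtuf scenario in the summary), and a simplified CSP `frame-ancestors` matcher (the Tumblr/SCM player case above). The function names and the URLs in the constructed chain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed helper, not Blink code: an origin is (scheme, host, port).
def origin(url):
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)

def xfo_sameorigin_allows(document_url, ancestor_urls, check_all_ancestors):
    """X-Frame-Options: SAMEORIGIN. ancestor_urls runs from the direct parent
    up to the top-level frame. The old Blink behaviour compares only the
    top-level frame; the proposed behaviour compares every ancestor."""
    doc = origin(document_url)
    chain = ancestor_urls if check_all_ancestors else ancestor_urls[-1:]
    return all(origin(a) == doc for a in chain)

def frame_ancestors_allows(document_url, ancestor_urls, sources):
    """CSP frame-ancestors: every ancestor must match at least one source.
    Simplified matcher written for this example: supports 'none', 'self' and
    host-sources with an optional scheme and a leading '*.' wildcard;
    ports and paths are ignored."""
    doc = origin(document_url)

    def matches(src, anc):
        if src == "'none'":
            return False
        if src == "'self'":
            return anc == doc
        scheme, sep, host = src.partition("://")
        if not sep:
            scheme, host = None, src
        if scheme and scheme != anc[0]:
            return False
        if host.startswith("*."):
            return anc[1].endswith(host[1:])
        return anc[1] == host

    return all(any(matches(s, origin(a)) for s in sources) for a in ancestor_urls)

if __name__ == "__main__":
    # Constructed chain modelled on the SCM player case: the photoset frame is
    # embedded by scmplayer.net, which is itself framed by the tumblr page.
    gallery = "http://example.tumblr.com/photoset_iframe/1"
    chain = ["http://scmplayer.net/", "http://example.tumblr.com/"]
    print(xfo_sameorigin_allows(gallery, chain, False))  # True: top-level frame matches
    print(xfo_sameorigin_allows(gallery, chain, True))   # False: scmplayer.net is in the chain
    print(frame_ancestors_allows(gallery, chain, ["'self'", "http://scmplayer.net"]))  # True
```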
For what it's worth, this change breaks authorize.net's hosted form iframe/lightbox implementation (https://developer.authorize.net/api/reference/features/accept_hosted.html#Transaction_Response).
I wouldn't find this change so problematic if I could actually use CSP frame-ancestors (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations) or X-Frame-Options ALLOW-FROM (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2). Is there a cross-browser friendly way to allow the iframe communicator (and only the iframe communicator) from an app to be framed by only authorize.net? I can’t see a way outside of nginx hacks, so I’m not sure how best to move forward here. Any help would be much appreciated.
Side note: I’ve looked over this forum and the issue tracker... but I can’t find any information on when this change is supposed to ship. Is there a version of Chrome that this change is slated for?
Content-Security-Policy: frame-ancestors 'self' www.chasepaymentechhostedpay-var.com www.chasepaymentechhostedpay.com
Thanks,
Nathan