Intent to deprecate and remove: `X-Frame-Options` processing inside `<meta>`.

Skip to first unread message

Mike West

Apr 13, 2016, 8:15:04 AM4/13/16
to blink-dev
# Primary eng (and PM) emails

# Summary
'X-Frame-Options' will be ignored when present inside a `<meta>` tag (e.g. `<meta http-equiv="X-Frame-Options" contents="DENY">`). It will continue to be supported as an HTTP header.

# Motivation
We currently try to support `X-Frame-Options` inside `<meta>` tags  by cancelling the page load when we parse the tag, and navigating to a blank page instead. This is somewhat functional, but not exactly a reliable protection.

In fact, all of our XFO implementation is somewhat unreliable, as it's all implemented in Blink. We're working on migrating it up to the browser process, but that's going to be difficult to do cleanly if we need to support the `<meta>` implementation. We'll either need implementations in both Blink and //content, or we'll need another IPC.

I'd prefer to simply remove the functionality.

# Compatibility Risk
The spec notes that the feature must be sent as an HTTP header, and is ignored inside `<meta>` ( Both Firefox and IE/Edge follow this advice, ignoring XFO inside `<meta>`.

Safari supports it in a similar way to today's Chrome, with similar caveats.

No page that contains this `<meta>` tag would break outright if we removed support, they would instead lose the marginal clickjacking protection that XFO provides in a page that has already loaded. They still have the option of using the header, or using an imperative anti-clickjacking mechanism (` = whatever`). This, of course, is exactly what's happening in IE/Edge and Firefox today.

# Usage Metrics
We don't have UseCounter metrics, but internal tools tell me somewhat reliably that ~20k pages on 154 domains contain a meta tag that we would begin ignoring:

* is responsible for ~5k of those pages, and won't be affected at all, as they serve the X-Frame-Options header.
* is responsible for ~4k of those pages, and won't be affected at all, as they have commented out the tag.

# OWP Launch Tracking Bug

# Entry on the feature dashboard
I added for XFO itself. I'm not sure it's worth adding another for this removal, given it's usage, but I'll certainly add one if y'all disagree!

# Requesting approval to remove too?


Dimitri Glazkov

Apr 13, 2016, 12:50:59 PM4/13/16
to Mike West, blink-dev

Jochen Eisinger

Apr 13, 2016, 1:05:46 PM4/13/16
to Dimitri Glazkov, Mike West, blink-dev


Philip Jägenstedt

Apr 14, 2016, 10:22:22 AM4/14/16
to Jochen Eisinger, Dimitri Glazkov, Mike West, blink-dev
LGTM3. I'll defer to your judgement, but maybe it's worth emitting a
console message when this and other HTTP-only headers are used in
meta, if that isn't already happening?
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to

Rick Byers

Apr 14, 2016, 10:45:08 AM4/14/16
to Philip Jägenstedt, Mike West, Jochen Eisinger, blink-dev, Dimitri Glazkov

Thanks for the great compat impact (and interop) data!  Clearly safe IMHO.

Mike West

Apr 15, 2016, 7:48:51 AM4/15/16
to Philip Jägenstedt, Joe Medley, Jochen Eisinger, Dimitri Glazkov, blink-dev
I added a chromestatus entry at based on folks' suggestions.

Philip: added a warning for the specific case of `X-Frame-Options`. We don't currently have a "We don't understand this <meta> tag." message, though. Perhaps we should?



Philip Jägenstedt

Apr 15, 2016, 8:32:35 AM4/15/16
to Mike West, Joe Medley, Jochen Eisinger, Dimitri Glazkov, blink-dev
Thanks Mike! To warn about all unsupported http-equiv names would be annoying when some new header isn't yet supported, and it does happen that people add code to avoid spurious messages, so I think what you landed makes sense :)


Apr 15, 2016, 9:16:49 AM4/15/16
to Mike West, Joe Medley, Jochen Eisinger, Dimitri Glazkov, blink-dev
Did you talk to WebKit folks in order to align WebKit with this new behavior as well?

They really should really be notified about any WebKitism we remove...


Mike West

Apr 15, 2016, 9:27:28 AM4/15/16
to PhistucK, Joe Medley, Jochen Eisinger, Dimitri Glazkov, blink-dev
Reply all
Reply to author
0 new messages