Issue 129139 in chromium: Chrome not support Allow-From in X-Frame-Options header


chro...@googlecode.com

May 22, 2012, 4:47:46 AM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined OS-Windows

New issue 129139 by yaoke...@gmail.com: Chrome not support Allow-From in
X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

Chrome Version : 19.0.1084.46 m
URLs (if applicable) : http://www.enhanceie.com/test/clickjack/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5: Not tested
Firefox 4.x: Failed; as described at
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header, this
is not supported
IE 7/8/9: Passed in IE9

What steps will reproduce the problem?
1. Visit http://www.enhanceie.com/test/clickjack/ and check the 8th section,
whose title includes "A same-origin victim IFRAME, which is configured to
ALLOW-FROM a different origin only"


What is the expected result?
The iframe content is blocked

What happens instead?
The iframe content shows correctly

Please provide any additional information below. Attach a screenshot if
possible.

chro...@googlecode.com

Aug 23, 2012, 11:43:18 PM
to chromi...@chromium.org

Comment #2 on issue 129139 by phila...@google.com: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

FYI, there's a patch for this here:

https://bugs.webkit.org/show_bug.cgi?id=94836 (chrome/webkit)
https://bugzilla.mozilla.org/show_bug.cgi?id=690168 (ff)

chro...@googlecode.com

Nov 22, 2013, 6:45:34 PM
to chromi...@chromium.org
Updates:
Labels: -OS-Windows OS-All Hotlist-GoogleApps

Comment #4 on issue 129139 by rsch...@chromium.org: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

Spec is here: http://tools.ietf.org/html/rfc7034

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

chro...@googlecode.com

Dec 27, 2013, 10:51:14 AM
to chromi...@chromium.org

Comment #5 on issue 129139 by frederic...@gmail.com: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

Any news on that subject? Here is an alternative test scenario:
http://erlend.oftedal.no/blog/tools/xframeoptions/

The spec is already implemented fully in IE9 and Firefox 18, so it would be
great for Webkit browsers to close the implementation gap as well.

chro...@googlecode.com

Jan 8, 2014, 2:40:11 AM
to chromi...@chromium.org
Updates:
Cc: aba...@chromium.org phila...@google.com

Comment #7 on issue 129139 by paulir...@chromium.org: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

abarth, did the spec in comment #4 end up addressing the concerns you
mentioned back here https://bugs.webkit.org/show_bug.cgi?id=94836#c11 ?

chro...@googlecode.com

Jan 22, 2014, 4:38:27 AM
to chromi...@chromium.org
Updates:
Status: Started
Owner: mk...@chromium.org

Comment #8 on issue 129139 by mk...@chromium.org: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

Paul, I've talked with Adam about this a few times. He'll correct me if
something has changed, but my understanding is that we're not going to add
features to XFO, but instead implement them through CSP.

https://codereview.chromium.org/91353002/ implements the 'frame-ancestors'
directive as part of CSP 1.1 [1], and I expect to land that shortly. I think
that's the right way to move forward with this feature.

[1]:
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors

chro...@googlecode.com

Jan 22, 2014, 4:39:27 AM
to chromi...@chromium.org
Issue 129139: Chrome not support Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

This issue is now blocking issue chromium:335489.
See http://code.google.com/p/chromium/issues/detail?id=335489

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings

chro...@googlecode.com

Jan 23, 2014, 6:25:03 AM
to chromi...@chromium.org

Comment #10 on issue 129139 by bugdro...@chromium.org: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139#c10

The following revision refers to this bug:
http://src.chromium.org/viewvc/blink?view=rev&rev=165629

------------------------------------------------------------------------
r165629 | mk...@chromium.org | 2014-01-23T11:17:28.990438Z

Changed paths:
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
M
http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
M
http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/FrameLoader.cpp?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors.pl?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
M
http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
A
http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629

CSP 1.1: Implement the 'frame-ancestors' directive.

As defined at [1]. This patch will have no web-visible impact, as the
directive remains trapped behind the runtime flag that's governing all CSP
1.1 hotness.

[1]:
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
BUG=129139,335489

Review URL: https://codereview.chromium.org/91353002
------------------------------------------------------------------------


chro...@googlecode.com

Feb 6, 2014, 4:24:16 AM
to chromi...@chromium.org

Comment #12 on issue 129139 by mk...@chromium.org: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

This is still behind the "Experimental Web Platform Features" flag, yes.
It'll come out to play in stable once we ship CSP 1.1, which I'm hoping
will be Real Soon Now.

chro...@googlecode.com

Jun 3, 2014, 12:05:44 PM
to chromi...@chromium.org

Comment #16 on issue 129139 by rsch...@chromium.org: Chrome not support
Allow-From in X-Frame-Options header
http://code.google.com/p/chromium/issues/detail?id=129139

Actually I can still repro on 37.0.2008.2, so I guess not.

mkwst, any more updates on when CSP 1.1 is coming?

chro...@googlecode.com

Sep 24, 2014, 8:35:14 AM
to chromi...@chromium.org

Comment #17 on issue 129139 by chrissba...@mac.com: Chrome not support
Allow-From in X-Frame-Options header
https://code.google.com/p/chromium/issues/detail?id=129139

Getting the following in the console: Refused to display 'xxxx' in a frame
because an ancestor violates the following Content Security Policy
directive: "frame-ancestors *.twitter.com".

However, the content is still shown in the iframe; this is on a localhost
web server.

chro...@googlecode.com

Sep 24, 2014, 8:56:19 AM
to chromi...@chromium.org

Comment #18 on issue 129139 by mk...@chromium.org: Chrome not support
#17: Yes. This was broken; I've just fixed it in https://crbug.com/411600.
Should work today in Canary.

chro...@googlecode.com

Sep 8, 2015, 4:03:16 AM
to chromi...@chromium.org
Updates:
Cc: mk...@chromium.org joc...@chromium.org

Comment #19 on issue 129139 by mk...@chromium.org: Chrome not support
Issue 511521 has been merged into this issue.

chro...@googlecode.com

Sep 8, 2015, 4:30:04 AM
to chromi...@chromium.org
Updates:
Status: WontFix

Comment #20 on issue 129139 by mk...@chromium.org: Chrome not support
WONTFIXing this bug. I don't believe we should support `Allow-From` with
X-Frame-Options' broken checking behavior. 'frame-ancestors' is shipping in
both Chrome and Firefox, and is the right way to support this functionality.
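The contrast drawn in comments #8 and #20, together with the policy from comment #17, as an added example that is not part of this thread and not Blink's code: a small JavaScript model of how a browser evaluates X-Frame-Options and the CSP 'frame-ancestors' directive when deciding whether to render a framed document. Assumptions made here: origins are plain scheme://host[:port] strings; the X-Frame-Options check is modelled as comparing only the top-level browsing context (RFC 7034 notes that browsers disagree about which ancestor gets checked, and I take that inconsistency to be the kind of "broken checking behavior" comment #20 means); an X-Frame-Options value the browser does not recognise is ignored, which matches the fail-open result the reporter saw (the frame rendered); the host names victim.example, ads.example, trusted.example and evil.example are constructed for the scenario.

```javascript
// Added example, not Blink's code: a model of frame-embedding policy checks.
// Ancestor lists are ordered from the immediate parent up to the top-level page.

const DEFAULT_PORTS = { http: "80", https: "443" };

// Normalise "scheme://host[:port]" into comparable components.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[scheme] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one CSP source expression ("*", "https:", "https://a.example:8443",
// "*.twitter.com") against an ancestor origin, following the CSP 1.1 host
// matching rules in simplified form. 'self' and 'none' are handled by the caller.
function matchesSource(expr, ancestor, documentScheme) {
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return ancestor.scheme === expr.slice(0, -1).toLowerCase(); // scheme-source
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // unparsable expression never matches
  const scheme = m[1] ? m[1].toLowerCase() : null;
  const host = m[2].toLowerCase();
  const port = m[3] || null;
  // Scheme: an explicit scheme must match exactly; without one, the ancestor must
  // use the document's scheme (https is also accepted for an http document).
  if (scheme) {
    if (ancestor.scheme !== scheme) return false;
  } else if (!(ancestor.scheme === documentScheme ||
               (documentScheme === "http" && ancestor.scheme === "https"))) {
    return false;
  }
  // Host: "*.twitter.com" matches any subdomain but not "twitter.com" itself.
  if (host.startsWith("*.")) {
    if (!ancestor.host.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && host !== ancestor.host) {
    return false;
  }
  // Port: explicit port must match, "*" matches any, absent means the default port.
  if (port === "*") return true;
  if (port) return ancestor.port === port;
  return ancestor.port === (DEFAULT_PORTS[ancestor.scheme] || "");
}

// CSP 1.1 'frame-ancestors': every ancestor, parent through top-level, must match
// the source list. An empty ancestor list means the document is not framed.
function frameAncestorsAllows(directiveValue, documentOrigin, ancestors) {
  const sources = directiveValue.trim().split(/\s+/).filter(Boolean);
  const self = parseOrigin(documentOrigin);
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return ancestors.length === 0;
  return ancestors.every((a) => {
    const anc = parseOrigin(a);
    return sources.some((s) =>
      s.toLowerCase() === "'self'" ? sameOrigin(anc, self) : matchesSource(s, anc, self.scheme));
  });
}

// X-Frame-Options as modelled here (assumption): only the top-level browsing
// context is compared, and a value the browser does not recognise is ignored,
// so the frame renders. Pass supportsAllowFrom: false to model a browser that
// does not implement ALLOW-FROM, which is the situation this issue reports.
function xfoAllows(headerValue, documentOrigin, ancestors, { supportsAllowFrom = true } = {}) {
  if (ancestors.length === 0) return true; // not framed at all
  const value = headerValue.trim();
  const self = parseOrigin(documentOrigin);
  const top = parseOrigin(ancestors[ancestors.length - 1]);
  if (/^deny$/i.test(value)) return false;
  if (/^sameorigin$/i.test(value)) return sameOrigin(top, self);
  const m = /^allow-from\s+(\S+)$/i.exec(value);
  if (m && supportsAllowFrom) return sameOrigin(parseOrigin(m[1]), top);
  return true; // unrecognised value: header ignored (fail-open)
}

// Constructed scenario: victim.example is framed by ads.example, which is itself
// framed by the top-level page trusted.example.
const NESTED = ["https://ads.example", "https://trusted.example"];

function demo() {
  return {
    // A top-level-only ALLOW-FROM check lets the untrusted intermediate frame through.
    xfoNested: xfoAllows("ALLOW-FROM https://trusted.example", "https://victim.example", NESTED),
    // frame-ancestors inspects every ancestor and blocks the same layout.
    cspNested: frameAncestorsAllows("https://trusted.example", "https://victim.example", NESTED),
    // Browser without ALLOW-FROM support: header ignored, frame renders.
    xfoUnsupported: xfoAllows("ALLOW-FROM https://trusted.example", "https://victim.example",
      ["https://evil.example"], { supportsAllowFrom: false }),
    // Comment #17's policy on a localhost document: "frame-ancestors *.twitter.com".
    cspTwitter: frameAncestorsAllows("*.twitter.com", "http://localhost:8000", ["https://dev.twitter.com"]),
    cspTwitterSelf: frameAncestorsAllows("*.twitter.com", "http://localhost:8000", ["http://localhost:8000"]),
  };
}

console.log(demo());
```

The nested case is the practical reason to prefer 'frame-ancestors': it is evaluated against the whole ancestor chain, while an ALLOW-FROM check that looks only at the top-level page cannot tell a trusted parent from a trusted grandparent with an untrusted frame in between. The cspTwitterSelf case reproduces the decision behind the console message in comment #17 (a localhost ancestor does not match *.twitter.com, so the document must be refused); the bug fixed in comment #18 was that the refusal was logged but not enforced.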