
Issue 129139 link

Starred by 51 users

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocking:
issue 335489




Chrome does not support Allow-From in X-Frame-Options header

Reported by yaoke...@gmail.com, May 22 2012

Issue description

Chrome Version       : 19.0.1084.46 m
URLs (if applicable) : http://www.enhanceie.com/test/clickjack/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
  Safari 5: Not tested
  Firefox 4.x: Failed, described in https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header, this is not supported
  IE 7/8/9: Passed in IE9

What steps will reproduce the problem?
1. Visit http://www.enhanceie.com/test/clickjack/, check the 8th section with title include "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only"


What is the expected result?
The iframe content is blocked

What happens instead?
The iframe content shows correctly.

Please provide any additional information below. Attach a screenshot if
possible.
 
Labels: -Area-Undefined Internals-Network-Auth Area-Internals

Comment 2 by phila...@google.com, Aug 24 2012

FYI, there's a patch for this here:

https://bugs.webkit.org/show_bug.cgi?id=94836 (chrome/webkit)
https://bugzilla.mozilla.org/show_bug.cgi?id=690168 (ff)

Comment 3 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Internals-Network-Auth -Area-Internals Cr-Internals Cr-Internals-Network-Auth
Labels: -OS-Windows OS-All Hotlist-GoogleApps
Spec is here: http://tools.ietf.org/html/rfc7034
Any news on that subject? Here is an alternative test scenario: http://erlend.oftedal.no/blog/tools/xframeoptions/

The spec is already implemented fully in IE9 and Firefox 18, so it would be great for Webkit browsers to close the implementation gap as well.
Labels: -Cr-Internals-Network-Auth Cr-Blink
Cc: phila...@google.com abarth@chromium.org
abarth, did the spec in comment #4 end up addressing the concerns you mentioned back here https://bugs.webkit.org/show_bug.cgi?id=94836#c11 ?


Comment 8 by mkwst@chromium.org, Jan 22 2014

Owner: mkwst@chromium.org
Status: Started
Paul, I've talked with Adam about this a few times. He'll correct me if something has changed, but my understanding is that we're not going to add features to XFO, but instead implement them through CSP.

https://codereview.chromium.org/91353002/ implements the 'frame-ancestors' directive as part of CSP 1.1[1], and I expect to land that shortly. I think that's the right way to move forward with this feature.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
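To make concrete what the comment above means by handling this through CSP rather than XFO, here is an added example (written for this page, not Blink code and not the code under review at the URL above) of the check a 'frame-ancestors' directive asks for: every origin in the ancestor chain, not only the top-level frame, must match one of the listed sources, and a single non-matching ancestor blocks framing. The sample header and the URLs in it are constructed for the example (the `*.twitter.com` pattern echoes the directive quoted later in this thread); scheme and port matching are simplified relative to the full CSP source-expression grammar (a source with no scheme takes the protected document's scheme, an `http` source also matches `https` ancestors, and a source with no port only matches the default port for the ancestor's scheme).

```javascript
// Added example: evaluate a CSP 'frame-ancestors' source list against
// the full chain of ancestor origins. Not Blink's implementation.

// Extract the frame-ancestors source list from a full CSP header value.
// Returns null when the directive is absent (no framing restriction here).
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).filter(t => t.length > 0);
    }
  }
  return null;
}

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

// Reduce a URL to a (scheme, host, port) origin triple; the port is
// filled in with the scheme's default when the URL omits it.
function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(':', '');
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort(scheme) };
}

// Host pattern matching: exact host, "*" (any host), or "*.example.com"
// (any proper subdomain of example.com).
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Simplified scheme match: exact, or http source vs https ancestor.
function schemeMatches(sourceScheme, ancestorScheme) {
  return sourceScheme === ancestorScheme ||
    (sourceScheme === 'http' && ancestorScheme === 'https');
}

// Does one source expression permit this ancestor origin?
function sourceMatches(source, ancestor, protectedOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") {
    return ancestor.scheme === protectedOrigin.scheme &&
      ancestor.host === protectedOrigin.host &&
      ancestor.port === protectedOrigin.port;
  }
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
    return schemeMatches(s.slice(0, -1), ancestor.scheme);
  }
  // host-source: [scheme://]host[:port]; no scheme means the protected
  // document's own scheme (assumption stated in the lead-in).
  let scheme = protectedOrigin.scheme;
  let rest = s;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/.exec(s);
  if (m) { scheme = m[1]; rest = m[2]; }
  const [hostPattern, port] = rest.split(':');
  if (!schemeMatches(scheme, ancestor.scheme)) return false;
  if (!hostMatches(hostPattern, ancestor.host)) return false;
  if (port === undefined) return ancestor.port === defaultPort(ancestor.scheme);
  return port === '*' || port === ancestor.port;
}

// The directive's core rule: every ancestor must be allowed by at least
// one source. One disallowed ancestor anywhere in the chain blocks framing.
function framingAllowed(cspHeader, protectedUrl, ancestorUrls) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  const protectedOrigin = originOf(protectedUrl);
  return ancestorUrls.every(a => {
    const anc = originOf(a);
    return sources.some(src => sourceMatches(src, anc, protectedOrigin));
  });
}

// Constructed scenario: a widget served with the directive quoted later in
// this thread, embedded from a localhost dev server vs. from a twitter.com host.
const header = "default-src 'self'; frame-ancestors *.twitter.com";
const widget = 'https://widget.example.test/embed';
console.log(framingAllowed(header, widget, ['http://localhost:8000/']));            // false: blocked
console.log(framingAllowed(header, widget, ['https://mobile.twitter.com/']));       // true: allowed
console.log(framingAllowed(header, widget, ['https://mobile.twitter.com/', 'https://evil.example.test/'])); // false: nested ancestor fails
```

The nested case is the one XFO cannot express and the one the layout tests landed with this patch ("nested-cross-in-same", "nested-same-in-cross", ...) exercise: the directive is evaluated against each ancestor, so an allowed host framed inside a disallowed one still blocks.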

Comment 9 by mkwst@chromium.org, Jan 22 2014

Blocking: chromium:335489

Comment 10 by bugdroid1@chromium.org, Jan 23 2014

The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165629

------------------------------------------------------------------------
r165629 | mkwst@chromium.org | 2014-01-23T11:17:28.990438Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/FrameLoader.cpp?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors.pl?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629

CSP 1.1: Implement the 'frame-ancestors' directive.

As defined at [1]. This patch will have no web-visible impact, as the directive
remains trapped behind the runtime flag that's governing all CSP 1.1 hotness.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
BUG= 129139 , 335489 

Review URL: https://codereview.chromium.org/91353002
------------------------------------------------------------------------
This appears to be working correctly for me 34.0.1809.0 canary. Is it still behind a flag?
This is still behind the "Experimental Web Platform Features" flag, yes. It'll come out to play in stable once we ship CSP 1.1, which I'm hoping will be Real Soon Now.
Any updates on CSP?
Looks like frame-ancestors should be supported in Chrome by default (no command line flag needed)
So are we calling this fixed then?
Actually I can still repro on 37.0.2008.2, so I guess not.

mkwst, any more updates on when CSP 1.1 is coming?

Comment 17 by Deleted ...@, Sep 24 2014

Getting the following in console: Refused to display 'xxxx' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.twitter.com".

However the content is still shown in the iframe, this is on a localhost web server.

Comment 18 by mkwst@chromium.org, Sep 24 2014

#17: Yes. This was broken, I've just fixed it in https://crbug.com/411600. Should work today in Canary.
Cc: mkwst@chromium.org jochen@chromium.org
Issue 511521 has been merged into this issue.
Status: WontFix
WONTFIXing this bug. I don't believe we should support `Allow-From` with X-Frame-Options' broken checking behavior. 'frame-ancestors' is shipping in both Chrome and Firefox, and is the right way to support this functionality.
Cc: elawrence@chromium.org
Issue 729909 has been merged into this issue.
Issue 805964 has been merged into this issue.
