Status: WontFix
Closed: Sep 2015
OS: All
Pri: 2
Type: Bug

Blocking: issue 335489
Chrome does not support Allow-From in X-Frame-Options header
Reported by yaoke...@gmail.com, May 22 2012
Chrome Version: 19.0.1084.46 m
URLs (if applicable): http://www.enhanceie.com/test/clickjack/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
  Safari 5: Not tested
  Firefox 4.x: Failed; as described in https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header, this is not supported
  IE 7/8/9: Passed in IE9

What steps will reproduce the problem?
1. Visit http://www.enhanceie.com/test/clickjack/ and check the 8th section, whose title includes "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only".

What is the expected result?
The iframe content is blocked

What happens instead?
The iframe content shows correctly.

Labels: -Area-Undefined Internals-Network-Auth Area-Internals
Comment 2 by phila...@google.com, Aug 24 2012
FYI, there's a patch for this here:

https://bugs.webkit.org/show_bug.cgi?id=94836 (chrome/webkit)
https://bugzilla.mozilla.org/show_bug.cgi?id=690168 (ff)
Project Member Comment 3 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Internals-Network-Auth -Area-Internals Cr-Internals Cr-Internals-Network-Auth
Labels: -OS-Windows OS-All Hotlist-GoogleApps
Spec is here: http://tools.ietf.org/html/rfc7034
Any news on that subject? Here is an alternative test scenario: http://erlend.oftedal.no/blog/tools/xframeoptions/

The spec is already implemented fully in IE9 and Firefox 18, so it would be great for Webkit browsers to close the implementation gap as well.
Labels: -Cr-Internals-Network-Auth Cr-Blink
Cc: phila...@google.com abarth@chromium.org
abarth, did the spec in comment #4 end up addressing the concerns you mentioned back here https://bugs.webkit.org/show_bug.cgi?id=94836#c11?


Comment 8 by mkwst@chromium.org, Jan 22 2014
Owner: mkwst@chromium.org
Status: Started
Paul, I've talked with Adam about this a few times. He'll correct me if something has changed, but my understanding is that we're not going to add features to XFO, but instead implement them through CSP.

https://codereview.chromium.org/91353002/ implements the 'frame-ancestors' directive as part of CSP 1.1 [1], and I expect to land that shortly. I think that's the right way to move forward with this feature.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
Comment 9 by mkwst@chromium.org, Jan 22 2014
Blocking: chromium:335489
Project Member Comment 10 by bugdroid1@chromium.org, Jan 23 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165629

------------------------------------------------------------------------
r165629 | mkwst@chromium.org | 2014-01-23T11:17:28.990438Z

Changed paths:

CSP 1.1: Implement the 'frame-ancestors' directive.

As defined at [1]. This patch will have no web-visible impact, as the directive
remains trapped behind the runtime flag that's governing all CSP 1.1 hotness.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
BUG=129139,335489

Review URL: https://codereview.chromium.org/91353002
------------------------------------------------------------------------
This appears to be working correctly for me on 34.0.1809.0 canary. Is it still behind a flag?
This is still behind the "Experimental Web Platform Features" flag, yes. It'll come out to play in stable once we ship CSP 1.1, which I'm hoping will be Real Soon Now.
Any updates on CSP?
Looks like frame-ancestors should be supported in Chrome by default (no command line flag needed)
So are we calling this fixed then?
Actually I can still repro on 37.0.2008.2, so I guess not.

mkwst, any more updates on when CSP 1.1 is coming?
Comment 17 by Deleted ...@, Sep 24 2014
Getting the following in the console: Refused to display 'xxxx' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.twitter.com".

However the content is still shown in the iframe, this is on a localhost web server.
Comment 18 by mkwst@chromium.org, Sep 24 2014
#17: Yes. This was broken; I've just fixed it in https://crbug.com/411600. Should work today in Canary.
Cc: mkwst@chromium.org jochen@chromium.org
Issue 511521 has been merged into this issue.
Status: WontFix
WONTFIXing this bug. I don't believe we should support `Allow-From` with X-Frame-Options' broken checking behavior. 'frame-ancestors' is shipping in both Chrome and Firefox, and is the right way to support this functionality.
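The distinction drawn in the WontFix comment, as an added example that is not Chromium or Blink code: a CSP 'frame-ancestors' directive is checked against every ancestor origin in the chain, while ALLOW-FROM names a single origin and is checked against only one ancestor (modelled here as the top-level document, an assumption, since browsers differed on which ancestor they inspected). The origins, policy and header below are constructed.

```javascript
// Added example, not Chromium/Blink code. Evaluates a CSP 'frame-ancestors'
// directive against the whole ancestor chain (parent first, top-level last):
// every ancestor must match a source expression. For contrast, X-Frame-Options
// ALLOW-FROM names one origin checked against one ancestor; which ancestor is
// browser-dependent, and this model assumes the top-level document.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
function parseFrameAncestors(directive) {
  const tokens = directive.trim().split(/\s+/);
  if (tokens.shift() !== 'frame-ancestors') throw new Error('not a frame-ancestors directive');
  return tokens; // source expressions, e.g. ["'self'", "https://trusted.example"]
}
// Match one source expression against an ancestor origin using simplified CSP
// host-source rules: optional scheme, optional "*." host wildcard, optional port.
// (Bare scheme-sources such as "https:" are not handled by this simplified matcher.)
function sourceMatches(expr, ancestorOrigin, selfOrigin) {
  const url = new URL(ancestorOrigin);
  const self = new URL(selfOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;
  if (expr === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== self.protocol &&
             !(self.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // no scheme given: the policy's own scheme applies (http may upgrade)
  }
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  if (port === undefined) return url.port === ''; // no port given: default port only
  return port === '*' || port === (url.port || DEFAULT_PORT[url.protocol]);
}
// Allowed only if every ancestor matches a source; an unframed document (empty chain) passes.
function frameAncestorsAllows(directive, selfOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(directive);
  return ancestorOrigins.every((a) => sources.some((s) => sourceMatches(s, a, selfOrigin)));
}
// Assumed ALLOW-FROM model: a single URI, compared with the top-level origin only.
function allowFromAllows(header, ancestorOrigins) {
  const m = /^\s*ALLOW-FROM\s+(\S+)\s*$/i.exec(header);
  if (!m) return false;
  const top = ancestorOrigins[ancestorOrigins.length - 1];
  return !top || new URL(m[1]).origin === new URL(top).origin;
}
// Constructed scenario: victim.example framed by evil.example, which is in turn
// framed by the trusted top-level page. The CSP check rejects the chain because
// evil.example matches nothing; the ALLOW-FROM check passes, seeing only the top.
const VICTIM = 'https://victim.example';
const NESTED_CHAIN = ['https://evil.example', 'https://trusted.example'];
const POLICY = "frame-ancestors 'self' https://trusted.example";
const XFO = 'ALLOW-FROM https://trusted.example';
```

The '*.twitter.com' case from comment 17 is covered too: a localhost ancestor matches neither the scheme nor the host, so the directive blocks it.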
Cc: elawre...@chromium.org
Issue 729909 has been merged into this issue.