Starred by 51 users

Issue metadata

Status: WontFix
Owner:
Buried. Ping if important.
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocking:
issue 335489




Issue 129139: Chrome does not support Allow-From in X-Frame-Options header

Reported by yaoke...@gmail.com, May 22 2012

Issue description

Chrome Version       : 19.0.1084.46 m
URLs (if applicable) : http://www.enhanceie.com/test/clickjack/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: Not tested
  Firefox 4.x: Failed; as described in https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header, this is not supported
     IE 7/8/9: Passed in IE9

What steps will reproduce the problem?
1. Visit http://www.enhanceie.com/test/clickjack/ and check the 8th section, whose title includes "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only".


What is the expected result?
The iframe content is blocked.

What happens instead?
The iframe content shows correctly.

Please provide any additional information below. Attach a screenshot if
possible.
 

Comment 1 by rdsmith@chromium.org, May 23 2012

Labels: -Area-Undefined Internals-Network-Auth Area-Internals

Comment 2 by phila...@google.com, Aug 24 2012

Comment 3 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Internals-Network-Auth -Area-Internals Cr-Internals Cr-Internals-Network-Auth

Comment 4 by rsch...@chromium.org, Nov 22 2013

Labels: -OS-Windows OS-All Hotlist-GoogleApps
Spec is here: http://tools.ietf.org/html/rfc7034

Comment 5 by frederic...@gmail.com, Dec 27 2013

Any news on that subject? Here is an alternative test scenario: http://erlend.oftedal.no/blog/tools/xframeoptions/

The spec is already implemented fully in IE9 and Firefox 18, so it would be great for WebKit browsers to close the implementation gap as well.

Comment 6 by asanka@chromium.org, Jan 6 2014

Labels: -Cr-Internals-Network-Auth Cr-Blink

Comment 7 by paulir...@chromium.org, Jan 8 2014

Cc: phila...@google.com abarth@chromium.org
abarth, did the spec in comment #4 end up addressing the concerns you mentioned back here https://bugs.webkit.org/show_bug.cgi?id=94836#c11 ?

Comment 8 by mkwst@chromium.org, Jan 22 2014

Owner: mkwst@chromium.org
Status: Started
Paul, I've talked with Adam about this a few times. He'll correct me if something has changed, but my understanding is that we're not going to add features to XFO, but instead implement them through CSP.

https://codereview.chromium.org/91353002/ implements the 'frame-ancestors' directive as part of CSP 1.1 [1], and I expect to land that shortly. I think that's the right way to move forward with this feature.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors

Comment 9 by mkwst@chromium.org, Jan 22 2014

Blocking: chromium:335489

Comment 10 by bugdroid1@chromium.org, Jan 23 2014

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165629

------------------------------------------------------------------------
r165629 | mkwst@chromium.org | 2014-01-23T11:17:28.990438Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/FrameLoader.cpp?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors.pl?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629

CSP 1.1: Implement the 'frame-ancestors' directive.

As defined at [1]. This patch will have no web-visible impact, as the directive
remains trapped behind the runtime flag that's governing all CSP 1.1 hotness.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
BUG=129139, 335489

Review URL: https://codereview.chromium.org/91353002
------------------------------------------------------------------------

Comment 11 by rsch...@chromium.org, Jan 28 2014

This appears to be working correctly for me on 34.0.1809.0 canary. Is it still behind a flag?

Comment 12 by mkwst@chromium.org, Feb 6 2014

This is still behind the "Experimental Web Platform Features" flag, yes. It'll come out to play in stable once we ship CSP 1.1, which I'm hoping will be Real Soon Now.

Comment 13 by rsch...@chromium.org, Apr 29 2014

Any updates on CSP?

Comment 14 by abarth@chromium.org, Apr 29 2014

Looks like frame-ancestors should be supported in Chrome by default (no command line flag needed)

Comment 15 by rsch...@chromium.org, May 21 2014

So are we calling this fixed then?

Comment 16 by rsch...@chromium.org, Jun 3 2014

Actually I can still repro on 37.0.2008.2, so I guess not.

mkwst, any more updates on when CSP 1.1 is coming?

Comment 17 by Deleted ...@, Sep 24 2014

Getting the following in console : Refused to display 'xxxx' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.twitter.com". 

However the content is still shown in the iframe, this is on a localhost web server.

Comment 18 by mkwst@chromium.org, Sep 24 2014

#17: Yes. This was broken, I've just fixed it in https://crbug.com/411600. Should work today in Canary.

Comment 19 by mkwst@chromium.org, Sep 8 2015

Cc: mkwst@chromium.org jochen@chromium.org
Issue 511521 has been merged into this issue.

Comment 20 by mkwst@chromium.org, Sep 8 2015

Status: WontFix
WONTFIXing this bug. I don't believe we should support `Allow-From` with X-Frame-Options' broken checking behavior. 'frame-ancestors' is shipping in both Chrome and Firefox, and is the right way to support this functionality.

Comment 21 by elawrence@chromium.org, Jun 6 2017

Cc: elawrence@chromium.org
Issue 729909 has been merged into this issue.

Comment 22 by elawrence@chromium.org, Jan 25 2018

Issue 805964 has been merged into this issue.
