Project: chromium
Starred by 2 users
Status: Duplicate
Merged: issue 129139
Owner:
Last visit > 30 days ago
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature
`X-Frame-Options` does not support the `allow-from` directive.
Reported by ashesh1...@gmail.com, Jul 18 2015
UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36

Steps to reproduce the problem:
1. Go to http://www.enhanceie.com/test/clickjack/

2. Check out the 9th frame with the text "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page)"

3. Chrome is allowing that URL to be loaded into IFRAME

What is the expected behavior?
Chrome should block it because the specified Allow-From origin does not match the outermost page.

What went wrong?
Chrome is allowing the IFRAMING.

Did this work before? N/A 

Chrome version: 44.0.2403.89  Channel: beta
OS Version: 6.3
Flash Version: Shockwave Flash 18.0 r0

http://www.enhanceie.com/test/clickjack/
Comment 1 by wfh@chromium.org, Jul 18 2015
Cc: jww@chromium.org
Labels: Cr-Blink
Owner: mkwst@chromium.org
mkwst can you help triage this report please?
Comment 2 by mkwst@chromium.org, Jul 19 2015
Cc: mkwst@chromium.org
Labels: Cr-Blink-SecurityFeature
Owner: wfh@chromium.org
Summary: `X-Frame-Options` does not support the `allow-from` directive. (was: X-Frame-option Bypass)
Chrome doesn't support `allow-from` (as you can see in the console: "Invalid 'X-Frame-Options' header encountered when loading 'http://www.ericlawrence.com/test/ClickJack/vicAllowFrom.asp': 'ALLOW-FROM http://www.EnhanceIE.com/' is not a recognized directive. The header will be ignored.").

Arguably, we should treat `allow-from` as `deny` or `sameorigin`, but that would likely break content that depends on it (because IE and Firefox support the feature). Ignoring it was an intentional decision way back when we decided to implement `Content-Security-Policy: frame-ancestors` instead.

I guess I'm open to implementing the behavior in the future, but `x-frame-options` has fundamentally poor behavior with regard to origin matching (e.g. it only matches against the top-level browsing context's address) that we can't change without breaking things. As long as that's the case, `frame-ancestors` is strictly better, and what we ought to be pointing developers towards.

Will, I'll leave it up to you to either open this bug up to the public, or to decide that we really should implement this feature. :)
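The two behaviours comment 2 contrasts, as an added illustration that is not Chromium code: a minimal model of how a browser evaluates `X-Frame-Options` (where `ALLOW-FROM` is an unrecognised directive and the whole header is ignored, and `SAMEORIGIN` is compared only against the top-level page) next to `Content-Security-Policy: frame-ancestors`, which checks every ancestor in the frame chain. The `victim`, `partner` and `attacker` origins, and the helper names, are constructed for the example; the source-matching is a simplified subset of CSP (`'none'`, `'self'`, `*` and full origins).

```python
"""Simplified model of the two anti-clickjacking headers discussed above.

Added example, not Chromium code.  All origins used are constructed.
`ancestors` lists origins from the top-level page down to the immediate
parent of the framed document; an empty list means the document is not framed.
"""

RECOGNISED_XFO = {"deny", "sameorigin"}


def parse_x_frame_options(value):
    """Return 'deny' or 'sameorigin', or None when the header is ignored.

    Mirrors comment 2: 'ALLOW-FROM <origin>' is not a recognised directive,
    so the header as a whole is dropped rather than treated as DENY.
    """
    directive = value.strip().lower()
    return directive if directive in RECOGNISED_XFO else None


def x_frame_options_allows(value, document_origin, ancestors):
    """True if X-Frame-Options permits framing.

    Only the outermost (top-level) origin is consulted, which is the
    weakness comment 2 describes: a hostile intermediate frame is never
    checked as long as the top-level page is same-origin.
    """
    if not ancestors:
        return True  # not framed at all
    directive = parse_x_frame_options(value)
    if directive is None:
        return True  # header ignored, framing permitted (the reported behaviour)
    if directive == "deny":
        return False
    return ancestors[0] == document_origin  # 'sameorigin': top-level only


def _source_matches(source, document_origin, ancestor):
    """Match one frame-ancestors source expression against one ancestor origin."""
    if source == "'self'":
        return ancestor == document_origin
    if source == "*":
        return True
    return source.rstrip("/").lower() == ancestor.rstrip("/").lower()


def frame_ancestors_allows(policy, document_origin, ancestors):
    """True if the frame-ancestors source list permits this frame chain.

    Accepts either the bare source list or the full 'frame-ancestors ...'
    directive.  Every ancestor must match some source, not just the top one.
    """
    sources = policy.split()
    if sources and sources[0].lower() == "frame-ancestors":
        sources = sources[1:]
    if sources == ["'none'"]:
        return not ancestors
    return all(
        any(_source_matches(s, document_origin, a) for s in sources)
        for a in ancestors
    )


def clickjacking_headers(allowed_origins=()):
    """Headers a site should send to control framing.

    CSP carries the real policy, including any third-party allow list.
    X-Frame-Options is only a fallback for browsers without frame-ancestors
    support; since Chrome ignores ALLOW-FROM, it cannot express a
    cross-origin allow, so the fallback is SAMEORIGIN or DENY.
    """
    if not allowed_origins:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    csp = "frame-ancestors 'self' " + " ".join(allowed_origins)
    return {"Content-Security-Policy": csp, "X-Frame-Options": "SAMEORIGIN"}


if __name__ == "__main__":
    victim, attacker = "https://victim.example", "https://attacker.example"
    # The report's scenario: ALLOW-FROM is ignored, so the frame loads.
    print(x_frame_options_allows("ALLOW-FROM https://partner.example", victim, [attacker]))
    # Same chain under frame-ancestors 'self': blocked.
    print(frame_ancestors_allows("'self'", victim, [attacker]))
    print(clickjacking_headers(["https://partner.example"]))
```

Running the block prints `True`, `False` and the header pair; the `SAMEORIGIN` case with a hostile frame nested under a same-origin top-level page is the one that separates the two headers, since `x_frame_options_allows` accepts it and `frame_ancestors_allows` does not.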
Comment 3 by wfh@chromium.org, Jul 20 2015
Cc: -jww@chromium.org jochen@chromium.org
Labels: -Restrict-View-SecurityTeam -Type-Bug-Security -OS-Windows -Arch-x86_64 Cr-Security Type-Feature OS-All
Owner: jww@chromium.org
Status: Assigned
re-labeling as a security feature, and assigning to jww to decide :)
It looks related to (or even duplicate of)
https://code.google.com/p/chromium/issues/detail?id=129139

Comment 5 by mkwst@chromium.org, Sep 8 2015
Mergedinto: 129139
Status: Duplicate
Yup. I don't think we plan to implement this. Duping against the older bug.