Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 129139
Last visit > 30 days ago
Closed: Sep 2015
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature


Issue 511521: `X-Frame-Options` does not support the `allow-from` directive.

Reported by, Jul 18 2015

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36

Steps to reproduce the problem:
1. Go to

2. Check out the 9th frame with the text "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page)".

3. Chrome is allowing that URL to be loaded into the IFRAME.

What is the expected behavior?
Chrome should block it because the specified Allow-From origin does not match the outermost page.

What went wrong?
Chrome is allowing the IFRAME.

Did this work before? N/A 

Chrome version: 44.0.2403.89  Channel: beta
OS Version: 6.3
Flash Version: Shockwave Flash 18.0 r0

Comment 1 by, Jul 18 2015

Labels: Cr-Blink
mkwst can you help triage this report please?

Comment 2 by, Jul 19 2015

Labels: Cr-Blink-SecurityFeature
Summary: `X-Frame-Options` does not support the `allow-from` directive. (was: X-Frame-option Bypass)
Chrome doesn't support `allow-from` (as you can see in the console: "Invalid 'X-Frame-Options' header encountered when loading '': 'ALLOW-FROM' is not a recognized directive. The header will be ignored.").

Arguably, we should treat `allow-from` as `deny` or `sameorigin`, but that would likely break content that depends on it (because IE and Firefox support the feature). Ignoring it was an intentional decision way back when we decided to implement `Content-Security-Policy: frame-ancestors` instead.

I guess I'm open to implementing the behavior in the future, but `x-frame-options` has fundamentally poor behavior with regard to origin matching (e.g. it only matches against the top-level browsing context's address) that we can't change without breaking things. As long as that's the case, `frame-ancestors` is strictly better, and what we ought to be pointing developers towards.

Will, I'll leave it up to you to either open this bug up to the public, or to decide that we really should implement this feature. :)

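The point made in comment 2 (Chrome does not recognise `ALLOW-FROM`, discards the whole `X-Frame-Options` header when it sees it, and `frame-ancestors` is the directive developers should use instead) is easy to turn into a response-header check. The audit function below is an added example, not Chromium code and not part of this issue; the function names and the constructed header values are assumptions for the demo. It flags an `ALLOW-FROM` header that is not backed by a `Content-Security-Policy: frame-ancestors` directive and suggests the equivalent CSP header, and it also maps `DENY` and `SAMEORIGIN` to their `frame-ancestors` equivalents so the same tool covers the whole header.

```python
"""Audit a response's anti-framing headers for Chrome compatibility.

Added example (not Chromium code). Chrome honours only DENY and SAMEORIGIN in
X-Frame-Options; any other directive (such as ALLOW-FROM) makes Chrome drop the
whole header, so the page is frameable there unless a CSP frame-ancestors
directive is also sent. Header values used in tests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# X-Frame-Options directives Chrome recognises (assumption: taken from comment 2).
XFO_RECOGNIZED = {"DENY", "SAMEORIGIN"}


@dataclass
class Finding:
    severity: str                     # "high" or "info"
    message: str
    suggested_header: Optional[str] = None


def xfo_to_frame_ancestors(xfo_value: str) -> Optional[str]:
    """Translate an X-Frame-Options value into the equivalent CSP directive.

    DENY -> frame-ancestors 'none'; SAMEORIGIN -> frame-ancestors 'self';
    ALLOW-FROM <origin> -> frame-ancestors <origin>; anything else -> None.
    """
    parts = xfo_value.strip().split(None, 1)
    if not parts:
        return None
    directive = parts[0].upper()
    if directive == "DENY":
        return "frame-ancestors 'none'"
    if directive == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if directive == "ALLOW-FROM" and len(parts) == 2:
        return f"frame-ancestors {parts[1].strip()}"
    return None


def audit_framing_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return findings for the anti-framing headers of one HTTP response."""
    # HTTP header names are case-insensitive, so normalise them once.
    h = {name.lower(): value for name, value in headers.items()}
    xfo = h.get("x-frame-options")
    csp = h.get("content-security-policy", "")
    has_frame_ancestors = any(
        d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")
    )

    directive = ""
    if xfo is not None and xfo.strip():
        directive = xfo.strip().split(None, 1)[0].upper()
    chrome_honours_xfo = directive in XFO_RECOGNIZED

    findings: List[Finding] = []

    # Case from this issue: a directive Chrome does not recognise (ALLOW-FROM).
    if xfo is not None and not chrome_honours_xfo:
        shown = directive or "<empty>"
        equivalent = xfo_to_frame_ancestors(xfo)
        suggestion = None
        if not has_frame_ancestors and equivalent is not None:
            suggestion = f"Content-Security-Policy: {equivalent}"
        findings.append(Finding(
            "info" if has_frame_ancestors else "high",
            f"X-Frame-Options directive {shown!r} is not recognised by Chrome; "
            "Chrome ignores the whole header.",
            suggestion,
        ))

    # Without frame-ancestors, either XFO alone is doing the work or nothing is.
    if not has_frame_ancestors:
        if chrome_honours_xfo:
            findings.append(Finding(
                "info",
                "Framing is restricted by X-Frame-Options only; "
                "frame-ancestors is the directive to move to.",
                f"Content-Security-Policy: {xfo_to_frame_ancestors(xfo)}",
            ))
        elif xfo is None:
            findings.append(Finding(
                "high",
                "No X-Frame-Options and no frame-ancestors: any origin can frame this page.",
                "Content-Security-Policy: frame-ancestors 'none'",
            ))
    return findings


if __name__ == "__main__":
    # Constructed sample: the header combination the reporter's test page relies on.
    for f in audit_framing_headers({"X-Frame-Options": "ALLOW-FROM https://partner.example"}):
        print(f.severity, f.message, f.suggested_header)
```

The check treats an `ALLOW-FROM` header as informational only when a `frame-ancestors` directive is also present, because that directive is what Chrome actually enforces; sending both is a reasonable transition step for sites that still serve IE and Firefox users who rely on `ALLOW-FROM`.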
Comment 3 by, Jul 20 2015

Labels: -Restrict-View-SecurityTeam -Type-Bug-Security -OS-Windows -Arch-x86_64 Cr-Security Type-Feature OS-All
Status: Assigned
re-labeling as a security feature, and assigning to jww to decide :)

Comment 4 by, Sep 7 2015

It looks related to (or even duplicate of)

Comment 5 by, Sep 8 2015

Mergedinto: 129139
Status: Duplicate
Yup. I don't think we plan to implement this. Duping against the older bug.
