`X-Frame-Options` does not support the `allow-from` directive.
|Reported by ashesh1...@gmail.com, Jul 18 2015||Back to list|
UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36 Steps to reproduce the problem: 1. Go to http://www.enhanceie.com/test/clickjack/ 2. Check out the 9th Frame with text "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page) " 3. Chrome is allowing that URL to be loaded into IFRAME What is the expected behavior? Chrome Should block it because the specified Allow-From origin does not match outermost page. What went wrong? Chrome is allowing the IFRAMIMG. Did this work before? N/A Chrome version: 44.0.2403.89 Channel: beta OS Version: 6.3 Flash Version: Shockwave Flash 18.0 r0 http://www.enhanceie.com/test/clickjack/
Jul 18 2015,
mkwst can you help triage this report please?
Jul 19 2015,
Chrome doesn't support `allow-from` (as you can see in the console: "Invalid 'X-Frame-Options' header encountered when loading 'http://www.ericlawrence.com/test/ClickJack/vicAllowFrom.asp': 'ALLOW-FROM http://www.EnhanceIE.com/' is not a recognized directive. The header will be ignored."). Arguably, we should treat `allow-from` as `deny` or `sameorigin`, but that would likely break content that depends on it (because IE and Firefox support the feature). Ignoring it was an intentional decision way back when we decided to implement `Content-Security-Policy: frame-ancestors` instead. I guess I'm open to implementing the behavior in the future, but `x-frame-options` has fundamentally poor behavior with regard to origin matching (e.g. it only matches against the top-level browsing context's address) that we can't change without breaking things. As long as that's the case, `frame-ancestors` is strictly better, and what we ought to be pointing developers towards. Will, I'll leave it up to you to either open this bug up to the public, or to decide that we really should implement this feature. :)
Jul 20 2015,
re-labeling as a security feature, and assigning to jww to decide :)
Sep 7 2015,
It looks related to (or even duplicate of) https://code.google.com/p/chromium/issues/detail?id=129139
Sep 8 2015,
Yup. I don't think we plan to implement this. Duping against the older bug.
Sign in to add a comment