
Issue 603002

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Buried. Ping if important.
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
Proj-Servicification

Blocking:
issue 555418




Remove support for X-Frame-Options inside <meta>

Project Member Reported by mkwst@chromium.org, Apr 13 2016

Issue description

We currently try to support `X-Frame-Options` inside `<meta>` tags by cancelling the page load when we parse the tag, and navigating to a blank page instead. This is somewhat functional, but not exactly a reliable protection.

In fact, all of our XFO implementation is somewhat unreliable, as it's all implemented in Blink. We're working on migrating it up to the browser process, but that's going to be difficult to do cleanly if we need to support the `<meta>` implementation. We'll either need implementations in both Blink and //content, or we'll need another IPC.

I'd prefer to simply remove the functionality.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Apr 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a2d5fc7049d414031a0acc39939ffff67081db17

commit a2d5fc7049d414031a0acc39939ffff67081db17
Author: mkwst <mkwst@chromium.org>
Date: Thu Apr 14 19:06:19 2016

Ignore 'X-Frame-Options' inside '<meta>' tags.

We currently try to support 'X-Frame-Options' inside '<meta>' tags by
cancelling the page load when we parse the tag, and navigating to a
blank page instead. This is somewhat functional, but not exactly a
reliable protection.

In fact, all of our XFO implementation is somewhat unreliable, as it's
all implemented in Blink. We're working on migrating it up to the
browser process, but that's going to be difficult to do cleanly if we
need to support the '<meta>' implementation. We'll either need
implementations in both Blink and //content, or we'll need another IPC.

I'd prefer to simply remove the functionality.

If this lands, I'll remove the rest of the XFO plumbing in
https://codereview.chromium.org/1617043002 as part of moving everything
up out of Blink and into //content.

Intent to Remove: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/R1gkjKZI0J8

BUG= 603002 

Review URL: https://codereview.chromium.org/1889433003

Cr-Commit-Position: refs/heads/master@{#387381}

[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/fast/parser/x-frame-options-detached-document-crash-expected.txt
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/fast/parser/x-frame-options-detached-document-crash.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/misc/onload-write-during-xframe-deny-expected.txt
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/misc/onload-write-during-xframe-deny.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html
[delete] https://crrev.com/030834b4ab7ec2f0ff398e123745d224baf39d29/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html
[modify] https://crrev.com/a2d5fc7049d414031a0acc39939ffff67081db17/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
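
Added example, not part of the original issue or the Chromium change: with `X-Frame-Options` inside `<meta>` ignored, a page that sets it only in markup has no framing protection, and this audit flags such responses. The function name `audit_framing` and the `SAMPLES` responses are constructed for illustration; counting a `frame-ancestors` directive in a `Content-Security-Policy` response header as header-delivered protection goes beyond the XFO case discussed in the issue.

```python
from html.parser import HTMLParser


class _MetaXFO(HTMLParser):
    """Collects content values of <meta http-equiv="X-Frame-Options"> tags."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "x-frame-options":
            self.values.append(a.get("content", "").strip())


def audit_framing(headers, body):
    """Classify one response as 'header', 'meta-only' or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    # A directive name is the first token of each ';'-separated part.
    has_fa = any(d.strip().lower().split()[:1] == ["frame-ancestors"]
                 for d in csp.split(";"))
    parser = _MetaXFO()
    parser.feed(body)
    if "x-frame-options" in h or has_fa:
        status = "header"        # delivered where the browser enforces it
    elif parser.values:
        status = "meta-only"     # ignored after this change: unprotected
    else:
        status = "none"
    return {"status": status, "meta_values": parser.values}


# Constructed sample responses (headers, body); not taken from the issue.
META = '<meta http-equiv="X-Frame-Options" content="DENY">'
SAMPLES = {
    "meta_only": ({"Content-Type": "text/html"},
                  "<html><head>" + META + "</head><body>login</body></html>"),
    "xfo_header": ({"x-frame-options": "SAMEORIGIN"},
                   "<html><head>" + META + "</head></html>"),
    "csp_header": ({"Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'none'"}, "<p>ok</p>"),
    "unprotected": ({"Content-Type": "text/html"}, "<p>ok</p>"),
}

if __name__ == "__main__":
    for name, (hdrs, html) in SAMPLES.items():
        print(name, audit_framing(hdrs, html))
```

Responses reported as `meta-only` need the policy moved into an HTTP response header to be framing-protected.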


Comment 3 by mkwst@chromium.org, May 6 2016

Status: Fixed (was: Started)

Comment 4 by laforge@google.com, Nov 7 2017

Components: Internals>Network>Service

Comment 5 by laforge@google.com, Nov 7 2017

Components: -Internals>Network>Service Internals>Services>Network
Apologies, applied the wrong component in bulk.
