Issue metadata
Sign in to add a comment
|
Remove support for X-Frame-Options inside <meta> |
||||||||||||||||||||||||
Issue descriptionWe currently try to support `X-Frame-Options` inside `<meta>` tags by cancelling the page load when we parse the tag, and navigating to a blank page instead. This is somewhat functional, but not exactly a reliable protection. In fact, all of our XFO implementation is somewhat unreliable, as it's all implemented in Blink. We're working on migrating it up to the browser process, but that's going to be difficult to do cleanly if we need to support the `<meta>` implementation. We'll either need implementations in both Blink and //content, or we'll need another IPC. I'd prefer to simply remove the functionality.
,
Apr 17 2016
=1
,
May 6 2016
,
Nov 7 2017
,
Nov 7 2017
Apologies, applied the wrong component in bulk. |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by bugdroid1@chromium.org
, Apr 14 2016