Repro'ed. Will take a closer look later today.

The response in question has a Content-Security-Policy directive of 

   frame-ancestors 'self' 

... which I understand trumps the X-F-O directive? The comment at https://cs.chromium.org/chromium/src/content/browser/frame_host/ancestor_throttle.cc?type=cs&l=261 referencing  Issue 555418  seems interesting.

Is there a repro that doesn't require using the Developer Tools?

I believe we ran into this without developer tools. But I haven't been able to get to a proper repro. Let me see if I am able to find one.

also, I am not sure frame-ancestors self trumps XFO; but even if it does, the top level frame is paper.dropbox.com so the frame-ancestors should also be blocking the load, right? Is that a separate bug?

Regarding `frame-ancestors` and `X-Frame-Options`: Eric is correct, if the former is present, the latter should be ignored. https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options is the intent, and even though I apparently forgot to copy-paste it over to the CSP3 spec, it is what I meant.

Does this only happen if devtools is open and you're injecting via the console? If so, we're likely treating the devtools injection in the same way that we treat extension injection, and allowing it to bypass the page's policy. If you're seeing it outside the devtools context, then I'd be a little more worried. Is that the case?

I am pretty sure that's the case. @mike do you remember more context? (lets chat on slack if you are not sure what you can share here)

ohh wait .. the frame-ancestors directive on that is 'self' and 'paper.dropbox.com' so I guess it makes sense that this framing works, if x-frame-options deny is ignored.

fwiw, I was able to repro by installing requestly and setting a redirect rule for 
https://www.dropbox.com/scl/fi/se6q8lhu7ymnqv8ts6j4w/Get%20Started%20with%20Dropbox.pdf?dl=0&embed=1&xframed=1

to go to

https://www.dropbox.com/scl/fi/se6q8lhu7ymnqv8ts6j4w/Get%20Started%20with%20Dropbox.pdf?dl=0


If XFO deny is ignored, should the browser send a warning in the console?

> If XFO deny is ignored, should the browser send a warning in the console?

That might be noisy (because sites might reasonably want to use XFO: DENY for any client that doesn't implement Frame-Ancestors) but it would help raise awareness of the fact that CSP trumps XFO.

> frame-ancestors directive on that is 'self' and 'paper.dropbox.com'

I'm not sure I understand. On this response: https://www.dropbox.com/s/zwhlw8vhjugnxxh/Get%20Started%20with%20Dropbox.pdf?dl=0, I see XFO: Deny and frame-ancestors: self. I don't see any reference to paper.dropbox.com?

Having said that, at step #3 of your repro, when I click on the item, the window it opens starts at paper.dropbox.com but redirects to www.dropbox.com, so the frame-ancestors: self rule appears to be respected?

Deleted: DBRepro.png 27.9 KB

	DBRepro.png 27.9 KB View Download

ohh.. wow. sorry. 

So, when I first gave repro steps, there was no new window. I think the product behavior changed for logged out users.

Can you login to some Dropbox account and try the repro? you will see the image that you can click to zoom and will create the frame. There should be no new popup.

estark: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Ping: Emily, Dev, it's not clear to me from the conversation here whether this is a bug or not. Help? :)

not a bug; we can close this out. I think showing a warning when frame-ancestors overrides x-f-o is still something useful though.

estark: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Closing in favor of issue 696665. Leaving the view restriction since this contains Dropbox product details that they might not want to be public.

Thanks for the report!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot