
Issue 696665 link

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature




Consider a console warning if XFO is overridden by frame-ancestors

Project Member Reported by est...@chromium.org, Feb 27 2017

Issue description

Per https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options, when frame-ancestors is present, X-Frame-Options should be ignored. This is anecdotally surprising to some developers, so we could consider printing a console warning when it happens.

Comment 1 by mkwst@chromium.org, Mar 2 2017

Labels: -OS-All OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Do you have a suggestion for warning text?

I worry a bit that this will annoy developers who actually choose to deliver both, relying on the tighter processing model of `frame-ancestors` to fall back to the looser XFO processing if the former is unsupported.
One reason this is likely surprising to developers is that IE, Edge, Safari, and Firefox don't work like this. Test page: http://www.enhanceie.com/test/clickjack/CSPTrumpsXFO.asp
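
An added example, not code from this issue or from Chromium: a Python model of the CSP2 precedence rule cited in the description, with a switch for browsers that enforce both headers instead, plus the console warning this issue proposes. Header values, origins and the warning wording are constructed for illustration.

```python
# Added example (not Chromium code): models "frame-ancestors present =>
# X-Frame-Options ignored" per CSP2, versus enforcing both headers.
from typing import Dict, List, Optional

# Constructed sample response: both headers, and they disagree.
CONFLICTING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

def frame_ancestors_sources(headers: Dict[str, str]) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if absent."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def xfo_allows(headers: Dict[str, str], page: str, ancestor: str) -> bool:
    """X-Frame-Options check; only DENY and SAMEORIGIN are modelled."""
    value = headers.get("X-Frame-Options", "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return ancestor == page
    return True  # absent or unrecognised value imposes no restriction

def frame_ancestors_allows(sources: List[str], page: str, ancestor: str) -> bool:
    """Simplified matching: 'none', 'self', '*' and exact origin sources."""
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or (src == "'self'" and ancestor == page) or src == ancestor:
            return True
    return False

def framing_allowed(headers, page, ancestor, csp_overrides_xfo=True) -> bool:
    """csp_overrides_xfo=True is the CSP2 model (Chrome): XFO is ignored
    whenever frame-ancestors is present. False enforces both headers."""
    sources = frame_ancestors_sources(headers)
    if sources is None:
        return xfo_allows(headers, page, ancestor)
    fa_ok = frame_ancestors_allows(sources, page, ancestor)
    return fa_ok if csp_overrides_xfo else fa_ok and xfo_allows(headers, page, ancestor)

def override_warning(headers) -> Optional[str]:
    """Hypothetical console warning text for the case this issue describes."""
    if "X-Frame-Options" in headers and frame_ancestors_sources(headers) is not None:
        return "X-Frame-Options ignored: Content-Security-Policy frame-ancestors is present."
    return None
```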

Comment 3 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 4 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
