Security: Clickjacking when client server set X-Frame-Options:ALLOW-FROM
Reported by bastian....@gmail.com, Jun 6 2017
Issue description

VULNERABILITY DETAILS
I see that the Chrome browser ignores the X-Frame-Options header when the client server uses X-Frame-Options: ALLOW-FROM. This means clickjacking will work if the client server uses X-Frame-Options: ALLOW-FROM.

VERSION
Chrome Version: Version 59.0.3071.86
Operating System: Ubuntu 16.04.4 (64-bit)

REPRODUCTION CASE
1. Create a test file on the client server with the header X-Frame-Options: ALLOW-FROM https://test.com/
2. Create an HTML page on your PC that embeds it.
3. Open it on your PC and you will see that the X-Frame-Options header is ignored.
Jun 6 2017
I don't think that implementing `ALLOW-FROM` is a priority. I wouldn't reject a patch that implemented it, but it's not on any roadmap I know of. So, I think I agree with myself from those bugs you pointed to. :) I'd also note that we're now walking the whole frame tree when evaluating `SAMEORIGIN`, and would presumably want to do the same for `ALLOW-FROM` in a theoretical implementation. It's not clear to me that we'd be able to do that in a way that didn't break sites that rely on other browsers' behavior. *shrug* `frame-ancestors` seems like the right thing to encourage. It's both more accurate and more flexible.
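As an added example (not code from this thread or from the Chromium project), a small Python audit that applies the rule the thread establishes: when X-Frame-Options carries ALLOW-FROM and no CSP frame-ancestors directive is present, Chrome enforces no framing restriction at all, and the ALLOW-FROM target can be rewritten as the frame-ancestors directive recommended above. The header strings are constructed samples; https://test.com/ is the URL from the report's reproduction case.

```python
"""Audit a response's framing protection as Chrome applies it (per this issue).
Added example, not Chromium or reporter code; header values are constructed,
and https://test.com/ is the URL from the report's reproduction case."""
from urllib.parse import urlsplit

def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a lowercase-keyed dict (last value wins)."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def allow_from_to_frame_ancestors(xfo: str) -> str:
    """Rewrite 'ALLOW-FROM <uri>' as the equivalent frame-ancestors directive
    recommended in the thread; the URI is reduced to its origin."""
    _, _, uri = xfo.partition(" ")
    parts = urlsplit(uri.strip())
    return f"frame-ancestors {parts.scheme}://{parts.netloc}"

def framing_verdict(raw_headers: str) -> dict:
    """Classify the framing restriction Chrome actually enforces.
    CSP2 says frame-ancestors overrides X-Frame-Options when both are present,
    so it is checked first. Chrome never implemented ALLOW-FROM, so an
    X-Frame-Options header carrying it is ignored: the exposure in this report.
    """
    h = parse_headers(raw_headers)
    fa = csp_frame_ancestors(h.get("content-security-policy", ""))
    if fa is not None:
        return {"enforced": True, "by": "frame-ancestors", "allowed": fa}
    xfo = h.get("x-frame-options", "")
    token = xfo.split(" ", 1)[0].upper()
    if token in ("DENY", "SAMEORIGIN"):
        return {"enforced": True, "by": "x-frame-options", "allowed": [token]}
    if token == "ALLOW-FROM":
        return {"enforced": False, "by": None, "fix": allow_from_to_frame_ancestors(xfo),
                "reason": "ALLOW-FROM is not implemented by Chrome; header ignored"}
    return {"enforced": False, "by": None, "reason": "no framing policy"}

# Constructed sample: the reproduction case's response headers.
SAMPLE_ALLOW_FROM = "X-Frame-Options: ALLOW-FROM https://test.com/\nContent-Type: text/html"
```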
Comment 1 by elawrence@chromium.org, Jun 6 2017
Components: Blink>SecurityFeature
Labels: -Restrict-View-SecurityTeam allpublic