
Issue 783174 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Buried. Ping if important.
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




multiple x-frame-options not working

Reported by han.tin...@gmail.com, Nov 9 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Create 2 Joomla websites where both websites use an iframe to include a page from the other website
2. Configure httpd.conf to set the header x-frame-options to SAMEORIGIN. This will block the content in the iframes but allows the Joomla administrator to see the images in media. (iframes are used there as well)
3. Add "header x-frame-options always append allow-from <website2>" in the root of website1 and vice versa

What is the expected behavior?
I expect the websites to correctly show the page of the other website in the article with the iframe.
And I expect the images to be shown in the media of the Joomla backend.

What went wrong?
The Joomla backend does not show the images.

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 27.0 r0

I checked the apache configuration by viewing the websites with Internet Explorer. That works OK.
 
Components: Blink>SecurityFeature>XFrameOptions

Comment 2 by mkwst@chromium.org, Nov 13 2017

Two things:

1.  If you append multiple `X-Frame-Options` headers with different values, we fail closed by treating it as `DENY` (you can see that expectation in http://w3c-test.org/x-frame-options/multiple.sub.html, for example). I would expect you to see a console message to that effect, but it sounds like this might be working as intended.

2.  Chrome doesn't support `ALLOW-FROM`. I'd recommend that you take a look at the `frame-ancestors` Content Security Policy directive instead: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors. That directive aims to deprecate `X-Frame-Options` entirely (see https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options).
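The semantics described in this comment, as an added example that is not Chromium's, Joomla's or Apache's code: conflicting `X-Frame-Options` values fail closed to `DENY`, `ALLOW-FROM` is not a recognised directive, and `frame-ancestors` expresses the intended policy. The origins and the ancestor chain are constructed placeholders; treating a lone unrecognised directive as an ignored header is an assumption not stated on the page.

```javascript
// Added example, not Chromium's code: models the fail-closed handling of
// multiple X-Frame-Options values beside the CSP frame-ancestors check.

// Split repeated headers and comma-joined values into normalised tokens.
function parseXfo(headerValues) {
  return headerValues
    .flatMap((v) => v.split(","))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);
}

// Decide whether a response from `responseOrigin` carrying the given
// X-Frame-Options values may be framed by the chain `ancestorOrigins`.
function xfoDecision(headerValues, responseOrigin, ancestorOrigins) {
  const distinct = new Set(parseXfo(headerValues));
  if (distinct.size === 0) return "allow";   // no policy sent
  if (distinct.size > 1) return "deny";      // conflicting values: fail closed
  const [value] = distinct;
  if (value === "DENY") return "deny";
  if (value === "SAMEORIGIN") {
    return ancestorOrigins.every((o) => o === responseOrigin) ? "allow" : "deny";
  }
  // Anything else (e.g. ALLOW-FROM) is not a directive Chrome understands;
  // modelled here as an ignored header (assumption, not stated on the page).
  return "allow";
}

// Parse a `frame-ancestors` directive and check every ancestor against it.
// Only 'self', 'none' and exact origins are modelled (no wildcards).
function frameAncestorsDecision(policy, responseOrigin, ancestorOrigins) {
  const directive = policy.split(";").map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (!directive) return "allow";            // directive absent: no restriction
  const sources = directive.split(/\s+/).slice(1);
  if (sources.length === 0 || sources.includes("'none'")) return "deny";
  const matches = (origin) => sources.some((src) =>
    (src === "'self'" && origin === responseOrigin) ||
    src.toLowerCase() === origin.toLowerCase());
  return ancestorOrigins.every(matches) ? "allow" : "deny";
}

// The reporter's setup: httpd.conf sends SAMEORIGIN, website1 appends ALLOW-FROM.
const site1 = "https://website1.example"; // constructed placeholder
const site2 = "https://website2.example"; // constructed placeholder
const reported = ["SAMEORIGIN", `ALLOW-FROM ${site2}`];
console.log(xfoDecision(reported, site1, [site1]));         // deny: same-origin admin iframes break too
const fixed = `frame-ancestors 'self' ${site2}`;
console.log(frameAncestorsDecision(fixed, site1, [site1]));  // allow
console.log(frameAncestorsDecision(fixed, site1, [site2]));  // allow
```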

Comment 3 by mkwst@chromium.org, Nov 13 2017

Owner: mkwst@chromium.org

Comment 4 by mkwst@chromium.org, Nov 15 2017

Labels: Needs-Feedback
Ping? If the answer above applies to your situation, I'll close this out. If not, I'd like to understand what's broken. :)

Comment 5 by mkwst@chromium.org, Nov 16 2017

Status: WontFix (was: Unconfirmed)
I solved the problem by removing the x-frame-options statement and replacing that with a content-security-policy statement.
Thank you for the suggestion.
