Issue 883270

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 20
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: X-Frame-Options

Reported by pgaut...@gmail.com, Sep 12

Issue description

Steps to reproduce the problem:

1. Create an HTML file and embed the website page in an iframe tag.
2. Host that HTML file on localhost.
3. Load that file in the Chrome browser.
4. We can see that the Chrome browser is allowing the page to load in the iframe tag.

What is the expected behavior?
The browser should not allow the page to be loaded in the iframe tag if the X-Frame-Options header is enabled on the server.

What went wrong?
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. The added security is only provided if the user accessing the document is using a browser that supports X-Frame-Options. The X-Frame-Options header is present on the server and the Chrome browser is still allowing the application/page to be loaded in an iframe.

VERSION
Chrome Version: 68.0.3440.106 & 69.0.3497.92 (Official Build) (64-bit)
Operating System: Windows 7 64bit Service Pack 1

Attachments:
clickjacking.html (245 bytes)
POC.pdf (497 KB)
Labels: Needs-Triage-M69
Components: Blink>SecurityFeature>XFrameOptions
Labels: Needs-Feedback
I can't reproduce this issue using the small test attached (`go run server.go` and then open iframe-runner.html in the directory listing; setting X-Frame-Options: deny seems to work).

Note that if the framed resource is cached and the XFO header has changed, it may not work (see issue 354080).

Can you please provide more details?
bug-883270.zip
1.0 KB Download
Have you cleared the cache between the two runs?
Hi,

I have cleared the cache from the browser and now it's not working. It seems that previously it was picking the pages from cache memory.
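The thread resolves to two points: X-Frame-Options: DENY does stop Chrome from rendering the page in an iframe, and a response that the browser cached before the header was added keeps its old headers until the cache is cleared (the behaviour referenced via issue 354080 above). The Go program below is an added example, not the reporter's clickjacking.html nor the Chromium developer's server.go; the handler names, the header check and the "before"/"after" configurations are constructed for illustration. It shows a handler that sends the header together with Cache-Control: no-store so the change takes effect on the next load, alongside the legacy configuration that a cached copy would keep serving, and a small check a site owner can run against any response to confirm both properties.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// frameProtected reports whether a response carries an X-Frame-Options
// value that forbids cross-site framing: DENY or SAMEORIGIN, compared
// case-insensitively. The obsolete ALLOW-FROM form is not honoured by
// current browsers and is therefore not counted as protection here.
func frameProtected(h http.Header) bool {
	v := strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options")))
	return v == "DENY" || v == "SAMEORIGIN"
}

// cacheable reports whether the browser may serve this response from its
// cache on a later load. A cached copy keeps the headers it was stored
// with, so a page that gains X-Frame-Options later can still be framed
// until the cache is cleared; Cache-Control: no-store closes that window.
func cacheable(h http.Header) bool {
	cc := strings.ToLower(h.Get("Cache-Control"))
	return !strings.Contains(cc, "no-store")
}

// protectedHandler is the hypothetical "after" configuration: framing is
// denied and the response is marked uncacheable, so the new header is
// seen on the very next load rather than after a cache clear.
func protectedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Frame-Options", "DENY")
	w.Header().Set("Cache-Control", "no-store")
	fmt.Fprintln(w, "<html><body>protected page</body></html>")
}

// legacyHandler is the hypothetical "before" configuration: no framing
// protection and a day-long cache lifetime, which is what a browser that
// had already cached the page would keep using.
func legacyHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "max-age=86400")
	fmt.Fprintln(w, "<html><body>legacy page</body></html>")
}

// probe drives a handler through httptest and returns the response
// headers, so the checks above can run offline without a real server.
func probe(h http.HandlerFunc) http.Header {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	handlers := map[string]http.HandlerFunc{
		"legacy":    legacyHandler,
		"protected": protectedHandler,
	}
	for name, h := range handlers {
		hdr := probe(h)
		fmt.Printf("%-9s frame-protected=%-5t cacheable=%t\n",
			name, frameProtected(hdr), cacheable(hdr))
	}
}
```

The same two checks apply to a live response: fetch the page with `curl -I` (or inspect it in DevTools) and confirm both that X-Frame-Options is DENY or SAMEORIGIN and that the cache policy does not let a pre-header copy outlive the change.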
Project Member

Comment 5 by sheriffbot@chromium.org, Sep 17

Cc: rsesek@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
Marking as WontFix based on the previous comments.
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 28

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot