<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[147086] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/147086">147086</a></dd>
<dt>Author</dt> <dd>mkwst@chromium.org</dd>
<dt>Date</dt> <dd>2013-03-28 01:59:00 -0700 (Thu, 28 Mar 2013)</dd>
</dl>

<h3>Log Message</h3>
<pre>X-Frame-Options: Multiple headers are ignored completely.
https://bugs.webkit.org/show_bug.cgi?id=113387

Reviewed by Nate Chapin.

Source/WebCore:

If a server sends multiple 'X-Frame-Options' headers, we end up with a
value like 'SAMEORIGIN, SAMEORIGIN'. Currently, we're treating that as
invalid, and ignoring the header. It would be safer to follow Gecko's
lead[1] by:

- Folding duplicated entries into their common value (that is:
  'sameorigin, sameorigin' -&gt; 'sameorigin').

- Failing closed in the case of conflicts (that is:
  'sameorigin, allowall' -&gt; 'deny').

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=761655

Tests: http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html
       http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html
       http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
    Call out to parseXFrameOptionsHeader to get the header's disposition
    and deal with each case in a switch statement for clarity. Add a new
    console warning for the conflict case described above.
* platform/network/HTTPParsers.cpp:
(WebCore::parseXFrameOptionsHeader):
* platform/network/HTTPParsers.h:
    Move X-Frame-Options parsing out into HTTPParsers, as it's getting
    more and more complicated. To do this, the patch defines a new enum
    to pass around the header's disposition.

LayoutTests:

* http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi: Added.
* http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: Added.
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkHTTPParserscpp">trunk/Source/WebCore/platform/network/HTTPParsers.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkHTTPParsersh">trunk/Source/WebCore/platform/network/HTTPParsers.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsmultipleheadersconflictcgi">trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsmultipleheaderssameorigincgi">trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheadersconflictexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheadersconflicthtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameoriginallowexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameoriginallowhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameorigindenyexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameorigindenyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecurityXFrameOptionsxframeoptionsmultipleheadersconflictexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameoriginallowexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameorigindenyexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (147085 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2013-03-28 08:48:37 UTC (rev 147085)
+++ trunk/LayoutTests/ChangeLog        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2013-03-28  Mike West  &lt;mkwst@chromium.org&gt;
+
+        X-Frame-Options: Multiple headers are ignored completely.
+        https://bugs.webkit.org/show_bug.cgi?id=113387
+
+        Reviewed by Nate Chapin.
+
+        * http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi: Added.
+        * http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: Added.
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
+
</ins><span class="cx"> 2013-03-28  Mihai Tica  &lt;mitica@adobe.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [CSS Regions] Convert layout tests region-style-block-background-color[2] to ref-tests
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsmultipleheadersconflictcgi"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+
+print &quot;Content-Type: text/html\n&quot;;
+print &quot;Cache-Control: no-cache, no-store\n&quot;;
+print &quot;X-FRAME-OPTIONS: ALLOWALL\n&quot;;
+print &quot;X-FRAME-OPTIONS: DENY\n\n&quot;;
+
+print &quot;&lt;p&gt;FAIL: This page should be blocked.&lt;/p&gt;\n&quot;;
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsmultipleheaderssameorigincgi"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+
+print &quot;Content-Type: text/html\n&quot;;
+print &quot;Cache-Control: no-cache, no-store\n&quot;;
+print &quot;X-FRAME-OPTIONS: SAMEORIGIN\n&quot;;
+print &quot;X-FRAME-OPTIONS: SAMEORIGIN\n\n&quot;;
+
+print &quot;&lt;p&gt;This page should load iff it's same origin with it's parent.&lt;/p&gt;\n&quot;;
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheadersconflictexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi - willSendRequest &lt;NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html, http method GET&gt; redirectResponse (null)
+&lt;unknown&gt; - didFinishLoading
+CONSOLE MESSAGE: Multiple 'X-Frame-Options' headers with conflicting values ('ALLOWALL, DENY') encountered when loading 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi'. Falling back to 'DENY'.
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi' in a frame because it set 'X-Frame-Options' to 'ALLOWALL, DENY'.
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi - didFailLoadingWithError: &lt;NSError domain NSURLErrorDomain, code -999, failing URL &quot;http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi&quot;&gt;
+The frame below should not load, and a console message should be generated that notes the invalid header.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheadersconflicthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script&gt;
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.dumpChildFramesAsText();
+            testRunner.dumpResourceLoadCallbacks();
+        }
+    &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;p&gt;The frame below should not load, and a console message should be generated that notes the invalid header.&lt;/p&gt;
+    &lt;iframe style=&quot;width:500px; height:500px&quot; src=&quot;http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameoriginallowexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest &lt;NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html, http method GET&gt; redirectResponse (null)
+&lt;unknown&gt; - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didReceiveResponse &lt;NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, http status code 200&gt;
+The frame below should load, proving that 'sameorigin, sameorigin' === 'sameorigin'.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+This page should load iff it's same origin with it's parent.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameoriginallowhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script&gt;
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.dumpChildFramesAsText();
+            testRunner.dumpResourceLoadCallbacks();
+        }
+    &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;p&gt;The frame below should load, proving that 'sameorigin, sameorigin' === 'sameorigin'.&lt;/p&gt;
+    &lt;iframe style=&quot;width:500px; height:500px&quot; src=&quot;http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameorigindenyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest &lt;NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html, http method GET&gt; redirectResponse (null)
+&lt;unknown&gt; - didFinishLoading
+CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFailLoadingWithError: &lt;NSError domain NSURLErrorDomain, code -999, failing URL &quot;http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi&quot;&gt;
+The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameorigindenyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script&gt;
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.dumpChildFramesAsText();
+            testRunner.dumpResourceLoadCallbacks();
+        }
+    &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;p&gt;The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.&lt;/p&gt;
+    &lt;iframe style=&quot;width:500px; height:500px&quot; src=&quot;http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecurityXFrameOptionsxframeoptionsmultipleheadersconflictexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt                                (rev 0)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi - willSendRequest &lt;NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html, http method GET&gt; redirectResponse (null)
+CONSOLE MESSAGE: Multiple 'X-Frame-Options' headers with conflicting values ('ALLOWALL, DENY') encountered when loading 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi'. Falling back to 'DENY'.
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi' in a frame because it set 'X-Frame-Options' to 'ALLOWALL, DENY'.
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi - didFailLoadingWithError: &lt;NSError domain NSURLErrorDomain, code -999, failing URL &quot;http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi&quot;&gt;
+The frame below should not load, and a console message should be generated that notes the invalid header.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameoriginallowexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt                                (rev 0)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest &lt;NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html, http method GET&gt; redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didReceiveResponse &lt;NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, http status code 200&gt;
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFinishLoading
+The frame below should load, proving that 'sameorigin, sameorigin' === 'sameorigin'.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+This page should load iff it's same origin with it's parent.
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecurityXFrameOptionsxframeoptionsmultipleheaderssameorigindenyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt (0 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt                                (rev 0)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest &lt;NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html, http method GET&gt; redirectResponse (null)
+CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFailLoadingWithError: &lt;NSError domain NSURLErrorDomain, code -999, failing URL &quot;http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi&quot;&gt;
+The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (147085 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2013-03-28 08:48:37 UTC (rev 147085)
+++ trunk/Source/WebCore/ChangeLog        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -1,3 +1,39 @@
</span><ins>+2013-03-28  Mike West  &lt;mkwst@chromium.org&gt;
+
+        X-Frame-Options: Multiple headers are ignored completely.
+        https://bugs.webkit.org/show_bug.cgi?id=113387
+
+        Reviewed by Nate Chapin.
+
+        If a server sends multiple 'X-Frame-Options' headers, we end up with a
+        value like 'SAMEORIGIN, SAMEORIGIN'. Currently, we're treating that as
+        invalid, and ignoring the header. It would be safer to follow Gecko's
+        lead[1] by:
+
+        - Folding duplicated entries into their common value (that is:
+          'sameorigin, sameorigin' -&gt; 'sameorigin').
+
+        - Failing closed in the case of conflicts (that is:
+          'sameorigin, allowall' -&gt; 'deny').
+
+        [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=761655
+
+        Tests: http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html
+               http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html
+               http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
+            Call out to parseXFrameOptionsHeader to get the header's disposition
+            and deal with each case in a switch statement for clarity. Add a new
+            console warning for the conflict case described above.
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::parseXFrameOptionsHeader):
+        * platform/network/HTTPParsers.h:
+            Move X-Frame-Options parsing out into HTTPParsers, as it's getting
+            more and more complicated. To do this, the patch defines a new enum
+            to pass around the header's disposition.
+
</ins><span class="cx"> 2013-03-28  Mihnea Ovidenie  &lt;mihnea@adobe.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [CSSRegions] Consolidate use of RenderRegion::isValid
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (147085 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp        2013-03-28 08:48:37 UTC (rev 147085)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -2956,9 +2956,10 @@
</span><span class="cx">     if (m_frame == topFrame)
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><del>-    if (equalIgnoringCase(content, &quot;deny&quot;))
-        return true;
-    else if (equalIgnoringCase(content, &quot;sameorigin&quot;)) {
</del><ins>+    XFrameOptionsDisposition disposition = parseXFrameOptionsHeader(content);
+
+    switch (disposition) {
+    case XFrameOptionsSameOrigin: {
</ins><span class="cx">         FeatureObserver::observe(m_frame-&gt;document(), FeatureObserver::XFrameOptionsSameOrigin);
</span><span class="cx">         RefPtr&lt;SecurityOrigin&gt; origin = SecurityOrigin::create(url);
</span><span class="cx">         if (!origin-&gt;isSameSchemeHostPort(topFrame-&gt;document()-&gt;securityOrigin()))
</span><span class="lines">@@ -2969,12 +2970,22 @@
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><span class="cx">         }
</span><del>-    } else if (!equalIgnoringCase(content, &quot;allowall&quot;)) {
-        String message = &quot;Invalid 'X-Frame-Options' header encountered when loading '&quot; + url.elidedString() + &quot;': '&quot; + content + &quot;' is not a recognized directive. The header will be ignored.&quot;;
-        m_frame-&gt;document()-&gt;addConsoleMessage(JSMessageSource, ErrorMessageLevel, message, requestIdentifier);
</del><ins>+        return false;
</ins><span class="cx">     }
</span><del>-
-    return false;
</del><ins>+    case XFrameOptionsDeny:
+        return true;
+    case XFrameOptionsAllowAll:
+        return false;
+    case XFrameOptionsConflict:
+        m_frame-&gt;document()-&gt;addConsoleMessage(JSMessageSource, ErrorMessageLevel, &quot;Multiple 'X-Frame-Options' headers with conflicting values ('&quot; + content + &quot;') encountered when loading '&quot; + url.elidedString() + &quot;'. Falling back to 'DENY'.&quot;, requestIdentifier);
+        return true;
+    case XFrameOptionsInvalid:
+        m_frame-&gt;document()-&gt;addConsoleMessage(JSMessageSource, ErrorMessageLevel, &quot;Invalid 'X-Frame-Options' header encountered when loading '&quot; + url.elidedString() + &quot;': '&quot; + content + &quot;' is not a recognized directive. The header will be ignored.&quot;, requestIdentifier);
+        return false;
+    default:
+        ASSERT_NOT_REACHED();
+        return false;
+    }
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void FrameLoader::loadProvisionalItemFromCachedPage()
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkHTTPParserscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/HTTPParsers.cpp (147085 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/HTTPParsers.cpp        2013-03-28 08:48:37 UTC (rev 147085)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.cpp        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -455,6 +455,36 @@
</span><span class="cx">     return statusLine.substring(spacePos + 1);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+XFrameOptionsDisposition parseXFrameOptionsHeader(const String&amp; header)
+{
+    XFrameOptionsDisposition result = XFrameOptionsNone;
+
+    if (header.isEmpty())
+        return result;
+
+    Vector&lt;String&gt; headers;
+    header.split(',', headers);
+
+    for (size_t i = 0; i &lt; headers.size(); i++) {
+        String currentHeader = headers[i].stripWhiteSpace();
+        XFrameOptionsDisposition currentValue = XFrameOptionsNone;
+        if (equalIgnoringCase(currentHeader, &quot;deny&quot;))
+            currentValue = XFrameOptionsDeny;
+        else if (equalIgnoringCase(currentHeader, &quot;sameorigin&quot;))
+            currentValue = XFrameOptionsSameOrigin;
+        else if (equalIgnoringCase(currentHeader, &quot;allowall&quot;))
+            currentValue = XFrameOptionsAllowAll;
+        else
+            currentValue = XFrameOptionsInvalid;
+
+        if (result == XFrameOptionsNone)
+            result = currentValue;
+        else if (result != currentValue)
+            return XFrameOptionsConflict;
+    }
+    return result;
+}
+
</ins><span class="cx"> bool parseRange(const String&amp; range, long long&amp; rangeOffset, long long&amp; rangeEnd, long long&amp; rangeSuffixLength)
</span><span class="cx"> {
</span><span class="cx">     // The format of &quot;Range&quot; header is defined in RFC 2616 Section 14.35.1.
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkHTTPParsersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/HTTPParsers.h (147085 => 147086)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/HTTPParsers.h        2013-03-28 08:48:37 UTC (rev 147085)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.h        2013-03-28 08:59:00 UTC (rev 147086)
</span><span class="lines">@@ -54,6 +54,15 @@
</span><span class="cx"> };
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+enum XFrameOptionsDisposition {
+    XFrameOptionsNone,
+    XFrameOptionsDeny,
+    XFrameOptionsSameOrigin,
+    XFrameOptionsAllowAll,
+    XFrameOptionsInvalid,
+    XFrameOptionsConflict
+};
+
</ins><span class="cx"> ContentDispositionType contentDispositionType(const String&amp;);
</span><span class="cx"> bool isValidHTTPHeaderValue(const String&amp;);
</span><span class="cx"> bool isValidHTTPToken(const String&amp;);
</span><span class="lines">@@ -65,6 +74,7 @@
</span><span class="cx"> void findCharsetInMediaType(const String&amp; mediaType, unsigned int&amp; charsetPos, unsigned int&amp; charsetLen, unsigned int start = 0);
</span><span class="cx"> ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String&amp; header, String&amp; failureReason, unsigned&amp; failurePosition, String&amp; reportURL);
</span><span class="cx"> String extractReasonPhraseFromHTTPStatusLine(const String&amp;);
</span><ins>+XFrameOptionsDisposition parseXFrameOptionsHeader(const String&amp;);
</ins><span class="cx"> 
</span><span class="cx"> // -1 could be set to one of the return parameters to indicate the value is not specified.
</span><span class="cx"> bool parseRange(const String&amp;, long long&amp; rangeOffset, long long&amp; rangeEnd, long long&amp; rangeSuffixLength);
</span></span></pre>
</div>
</div>

</body>
</html>