<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[199605] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/199605">199605</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-04-15 12:49:58 -0700 (Fri, 15 Apr 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Remove support for X-Frame-Options in `<meta>`
https://bugs.webkit.org/show_bug.cgi?id=156625
<rdar://problem/25748714>
Reviewed by Darin Adler.
Source/WebCore:
Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.
Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.
LayoutTests:
Revise tests to match our desired behavior based on RFC 7034 (Section 4).
* http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
* http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
* http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
* inspector/console/x-frame-options-message-expected.txt: Rebaselined.
* platform/win/TestExpectations:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsdenymetatagsubframeinbodyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsdenymetatagsubframeparentsameorigindenyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsdenymetatagsubframehtml">trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html</a></li>
<li><a href="#trunkLayoutTestsinspectorconsolexframeoptionsmessageexpectedtxt">trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformwinTestExpectations">trunk/LayoutTests/platform/win/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetataginbodyexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetataginbodyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameoriginallowexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameoriginallowhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameorigindenyexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameorigindenyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetataghtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionsignoredexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionsignoredhtml">trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataginbodyexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataginbodyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameoriginallowexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameoriginallowhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameorigindenyexpectedtxt">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameorigindenyhtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataghtml">trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionsexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionshtml">trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/ChangeLog 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,3 +1,39 @@
</span><ins>+2016-04-15 Brent Fulgham <bfulgham@apple.com>
+
+ Remove support for X-Frame-Options in `<meta>`
+ https://bugs.webkit.org/show_bug.cgi?id=156625
+ <rdar://problem/25748714>
+
+ Reviewed by Darin Adler.
+
+ Revise tests to match our desired behavior based on RFC 7034 (Section 4).
+
+ * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
+ * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
+ * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
+ * inspector/console/x-frame-options-message-expected.txt: Rebaselined.
+ * platform/win/TestExpectations:
+
</ins><span class="cx"> 2016-04-15 Jiewen Tan <jiewen_tan@apple.com>
</span><span class="cx">
</span><span class="cx"> Mark inspector/formatting/formatting-javascript.html as flaky on mac
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsdenymetatagsubframeinbodyhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -2,8 +2,8 @@
</span><span class="cx"> <head>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <p>FAIL: This should show up and disappear immediately.</p>
</del><ins>+ <p>PASS: This should be displayed.</p>
</ins><span class="cx"> <meta http-equiv="x-frame-options" content="deny" />
</span><del>- <p>FAIL: This should never show up.</p>
</del><ins>+ <p>PASS: This should also be displayed.</p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsdenymetatagsubframeparentsameorigindenyhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -3,6 +3,6 @@
</span><span class="cx"> <meta http-equiv="x-frame-options" content="sameorigin" />
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <p>FAIL: This should not show up as the parent is not in the same origin.</p>
</del><ins>+ <p>PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.</p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsresourcesxframeoptionsdenymetatagsubframehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -3,6 +3,6 @@
</span><span class="cx"> <meta http-equiv="x-frame-options" content="deny" />
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <p>FAIL: This should not show up.</p>
</del><ins>+ <p>PASS: This should be displayed.</p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,19 +0,0 @@
</span><del>-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html">
-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-data:, - didFinishLoading
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataginbodyexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,18 +0,0 @@
</span><del>-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html">
-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataginbodyhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,21 +0,0 @@
</span><del>-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- testRunner.waitUntilDone();
- }
-
- function checkIfDone() {
- var url = document.querySelector('iframe').contentWindow.location.href;
-
- if (!url)
- console.log("PASS: Could not read contentWindow.location.href");
- else
- console.log("FAIL: Could read contentWindow.location.href");
- testRunner.notifyDone();
- }
-</script>
-
-<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html" onload="checkIfDone()"></iframe>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameoriginallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,12 +0,0 @@
</span><del>-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
-ALERT: PASS: onload fired.
-There should be content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS: This should show up as the parent is in the same origin.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameoriginallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,10 +0,0 @@
</span><del>-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- }
-</script>
-
-<p>There should be content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html" onload="alert('PASS: onload fired.');"></iframe>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameorigindenyexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,19 +0,0 @@
</span><del>-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html">
-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-data:, - didFinishLoading
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameorigindenyhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,21 +0,0 @@
</span><del>-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- testRunner.waitUntilDone();
- }
-
- function checkIfDone() {
- var url = document.querySelector('iframe').contentWindow.location.href;
-
- if (!url)
- console.log("PASS: Could not read contentWindow.location.href");
- else
- console.log("FAIL: Could read contentWindow.location.href");
- testRunner.notifyDone();
- }
-</script>
-
-<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html" onload="checkIfDone()"></iframe>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataghtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,21 +0,0 @@
</span><del>-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- testRunner.waitUntilDone();
- }
-
- function checkIfDone() {
- var url = document.querySelector('iframe').contentWindow.location.href;
-
- if (!url)
- console.log("PASS: Could not read contentWindow.location.href");
- else
- console.log("FAIL: Could read contentWindow.location.href");
- testRunner.notifyDone();
- }
-</script>
-
-<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html" onload="checkIfDone()"></iframe>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should be displayed.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetataginbodyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
+CONSOLE MESSAGE: line 6: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should be displayed.
+
+PASS: This should also be displayed.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetataginbodyhtmlfromrev199570trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataginbodyhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html) (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
+ }
+
+ function checkIfDone() {
+ var url = document.querySelector('iframe').contentWindow.location.href;
+
+ if (!url)
+ console.log("FAIL: Could not read contentWindow.location.href");
+ else
+ console.log("PASS: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html" onload="checkIfDone()"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameoriginallowexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+ALERT: PASS: onload fired.
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should show up as the parent is in the same origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameoriginallowhtmlfromrev199570trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameoriginallowhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html) (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html" onload="alert('PASS: onload fired.');"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameorigindenyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 13: FAIL: Could not read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetatagparentsameorigindenyhtmlfromrev199570trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetatagparentsameorigindenyhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html) (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
+ }
+
+ function checkIfDone() {
+ var url = document.querySelector('iframe').contentWindow.location.href;
+
+ if (!url)
+ console.log("FAIL: Could not read contentWindow.location.href");
+ else
+ console.log("PASS: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html" onload="checkIfDone()"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsignoredenymetataghtmlfromrev199570trunkLayoutTestshttptestssecurityXFrameOptionsxframeoptionsdenymetataghtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html) (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
+ }
+
+ function checkIfDone() {
+ var url = document.querySelector('iframe').contentWindow.location.href;
+
+ if (!url)
+ console.log("FAIL: Could not read contentWindow.location.href");
+ else
+ console.log("PASS: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html" onload="checkIfDone()"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionsexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22x-frame-options%22+content%3D%22deny%22%3E' in a frame because it set 'X-Frame-Options' to 'deny'.
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionsignoredexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: line 4: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionsignoredhtmlfromrev199570trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionshtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html (from rev 199570, trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html) (0 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setXSSAuditorEnabled(true);
+ testRunner.waitUntilDone();
+}
+
+function done()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+<iframe onload="done()" src="http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22x-frame-options%22+content%3D%22deny%22%3E">
+</iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshxframeoptionshtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,22 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.setXSSAuditorEnabled(true);
- testRunner.waitUntilDone();
-}
-
-function done()
-{
- if (window.testRunner)
- testRunner.notifyDone();
-}
-</script>
-</head>
-<body>
-<iframe onload="done()" src="http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22x-frame-options%22+content%3D%22deny%22%3E">
-</iframe>
-</body>
-</html>
</del></span></pre></div>
<a id="trunkLayoutTestsinspectorconsolexframeoptionsmessageexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 41: Refused to display 'x-frame-options-message.html' in a frame because it set 'X-Frame-Options' to 'deny'.
</del><ins>+CONSOLE MESSAGE: line 41: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> == Running test suite: Console.XFrameOptionsMessages
</span></span></pre></div>
<a id="trunkLayoutTestsplatformwinTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/win/TestExpectations (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/win/TestExpectations 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/platform/win/TestExpectations 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -2184,10 +2184,10 @@
</span><span class="cx"> webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-cached.html [ Crash ]
</span><span class="cx"> webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny.html [ Failure ]
</span><span class="cx"> webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html [ Crash ]
</span><del>-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html [ Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html [ Crash Failure ]
</del><ins>+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html [ Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html [ Crash Failure ]
</ins><span class="cx"> webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-invalid.html [ Failure ]
</span><span class="cx"> webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html [ Failure ]
</span><span class="cx"> webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html [ Failure ]
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/Source/WebCore/ChangeLog 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-04-15 Brent Fulgham <bfulgham@apple.com>
+
+ Remove support for X-Frame-Options in `<meta>`
+ https://bugs.webkit.org/show_bug.cgi?id=156625
+ <rdar://problem/25748714>
+
+ Reviewed by Darin Adler.
+
+ Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
+ a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.
+
+ Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html
+ http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
+ http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
+ http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
+ http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.
+
</ins><span class="cx"> 2016-04-15 Jer Noble <jer.noble@apple.com>
</span><span class="cx">
</span><span class="cx"> Audio elements should be able to have a controls manager.
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (199604 => 199605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-04-15 19:49:58 UTC (rev 199605)
</span><span class="lines">@@ -3304,15 +3304,8 @@
</span><span class="cx"> unsigned long requestIdentifier = 0;
</span><span class="cx"> if (frameLoader.activeDocumentLoader() && frameLoader.activeDocumentLoader()->mainResourceLoader())
</span><span class="cx"> requestIdentifier = frameLoader.activeDocumentLoader()->mainResourceLoader()->identifier();
</span><del>- if (frameLoader.shouldInterruptLoadForXFrameOptions(content, url(), requestIdentifier)) {
- String message = "Refused to display '" + url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
- frameLoader.stopAllLoaders();
- // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's
- // intent, we must navigate away from the possibly partially-rendered document to a location that
- // doesn't inherit the parent's SecurityOrigin.
- frame->navigationScheduler().scheduleLocationChange(this, securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
- addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, requestIdentifier);
- }
</del><ins>+
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier);
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>