[Webkit-unassigned] [Bug 94836] New: Support for X-Frame-Options: Allow-From [uri]

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 23 12:55:13 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=94836

           Summary: Support for X-Frame-Options: Allow-From [uri]
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Frames
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: philames at google.com
                CC: sam at webkit.org, abarth at webkit.org


Related to https://bugs.webkit.org/show_bug.cgi?id=23907 (hence the initial CC's)

Attached is a patch which enables support for “Allow-From [uri]” notation in the X-Frame-Options header.  I compared the behavior of patched Chrome with IE9 with the below values (syntax:IE permitted/patched Chrome permitted/header-value) which was sent by a cross-origin site (the top origin was http://www.intra.net/)

Probably the most substantial difference is that IE doesn’t seem to regard the port number.  A similar patch for Firefox which I will be submitting soon (to https://bugzilla.mozilla.org/show_bug.cgi?id=690168) produces the same behavior as this patch to Chrome, though.

N/N/X-Frame-Options: Allow-From
N/N/X-Frame-Options: Allow-From xyz
N/N/X-Frame-Options: Allow-From www.intra.net
Y/Y/X-Frame-Options: Allow-From http://www.intra.net
Y/Y/X-Frame-Options: Allow-From http://www.intra.net/
Y/Y/X-Frame-Options: Allow-From http://www.intra.net:80/
Y/N/X-Frame-Options: Allow-From http://www.intra.net:81/
Y/N/X-Frame-Options: Allow-From http://www.intra.net:443/
Y/Y/X-Frame-Options: Allow-From http://www.intra.net/foo/bar/

Please also note that although I modelled the LayoutTests after the ones that I found in the existing tree, I was not actually able to get them to run on my development environment, so they may require some tweaking (sorry, if anyone is at Google and wants to spend a few minutes helping me troubleshoot / get it working, I’d be happy to test and send an additional diff). The results in the table above are solely from ‘empirical’ testing/observation.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list