[Webkit-unassigned] [Bug 185120] New: Make main resource loads look successful on From-Origin violation

Sun Apr 29 10:18:55 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=185120

            Bug ID: 185120
           Summary: Make main resource loads look successful on
                    From-Origin violation
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dbates at webkit.org
                CC: beidson at apple.com, wilander at apple.com,
                    youennf at gmail.com

Follow up on my remark in bug 184560, comment 62:

[[
>From my understanding From-Origin can be used to achieve the same effect as X-Frame-Options when delivered in the HTTP response to a document. We need to take the same approach as we do for handling a X-Frame-Options violation and make it appear that the page did load successfully because failing the load the way this code does reveals the existence of the document, which is sensitive. In particular, we need to cancel the load, logging a console message, sandboxing the iframe that load was destined for and dispatching a DOM load event to the destination frame. For subresources we need to keep the current behavior and fail the load.

A side benefit of taking this approach is that we can remove the use of the setTimeout() from the test sandboxed-sub-frame-from-origin-same-blocked.html and instead end the test once we get a DOM load event for the frame.
]]

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180429/94d19368/attachment.html>