[Webkit-unassigned] [Bug 186090] REGRESSION (r231479): Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Options' to 'SAMEORIGIN')

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 25 17:10:22 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186090

--- Comment #3 from Daniel Bates <dbates at webkit.org> ---
Currently as a performance optimization we compare the request URL (associated with response that includes the X-Frame-Options header) against the source origin of the document that initiated the request when applying the X-Frame-Options policy at <https://trac.webkit.org/browser/trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp?rev=233157#L377>. This is incorrect. We need to compare against the origin of the document in the top-most frame.

Additionally, NetworkResourceLoadParameters::frameAncestorOrigins is computed incorrectly. In particular, it should not include the security origin of the frame associated with the navigation request we are applying the X-Frame-Options policy to because this origin represents the origin of the document that initiated the navigation as we have not navigated the frame, yet.

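As an added illustration (not code from WebKit, and not part of the comment above), a minimal model of the X-Frame-Options check with the correct comparison placed beside the mistaken one the comment describes. Origins are plain strings, the ancestor list excludes the frame being navigated, and the scenario's origin names are constructed; the correct version also checks every ancestor, not only the top-most frame.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Constructed model: an origin is a normalised "scheme://host[:port]" string.
using Origin = std::string;

enum class XFrameOptions { None, Deny, SameOrigin };

// Parse the raw header value; unrecognised tokens are treated as absent (simplification).
XFrameOptions parseXFrameOptions(std::string value) {
    value.erase(0, value.find_first_not_of(" \t"));
    value.erase(value.find_last_not_of(" \t") + 1);
    std::transform(value.begin(), value.end(), value.begin(),
                   [](unsigned char c) { return std::toupper(c); });
    if (value == "DENY") return XFrameOptions::Deny;
    if (value == "SAMEORIGIN") return XFrameOptions::SameOrigin;
    return XFrameOptions::None;
}

// Correct check: `ancestorOrigins` holds the origins of the documents currently in the
// frames above the navigated frame, top-most first, and excludes the navigated frame
// itself (its current document is the initiator, not an ancestor). SAMEORIGIN holds only
// when the top-level document (and, here, every ancestor) matches the response origin.
bool allowedInFrameCorrect(XFrameOptions policy, const Origin& responseOrigin,
                           const std::vector<Origin>& ancestorOrigins) {
    if (ancestorOrigins.empty()) return true; // top-level navigation: nothing frames it
    if (policy == XFrameOptions::Deny) return false;
    if (policy == XFrameOptions::SameOrigin)
        return std::all_of(ancestorOrigins.begin(), ancestorOrigins.end(),
                           [&](const Origin& o) { return o == responseOrigin; });
    return true;
}

// The defect the comment describes, reproduced for comparison: the response origin is
// compared against the initiating document's origin (the frame's current document)
// instead of the top-most frame's document.
bool allowedInFrameBuggy(XFrameOptions policy, const Origin& responseOrigin,
                         const Origin& initiatorOrigin, bool framed) {
    if (!framed) return true;
    if (policy == XFrameOptions::Deny) return false;
    if (policy == XFrameOptions::SameOrigin) return initiatorOrigin == responseOrigin;
    return true;
}

// Constructed scenario: a top-level https://shop.example page embeds an iframe whose current
// document (https://pay.example) navigates itself to a https://shop.example page served with
// "X-Frame-Options: SAMEORIGIN". Returns {correct verdict, buggy verdict} = {true, false}.
std::pair<bool, bool> selfNavigationScenario() {
    const Origin top = "https://shop.example", frameDoc = "https://pay.example";
    const XFrameOptions policy = parseXFrameOptions(" SameOrigin ");
    return {allowedInFrameCorrect(policy, top, {top}),
            allowedInFrameBuggy(policy, top, frameDoc, true)};
}
```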