[Webkit-unassigned] [Bug 186090] New: REGRESSION: Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Options' to 'SAMEORIGIN')
bugzilla-daemon at webkit.org
Wed May 30 07:14:40 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186090
Bug ID: 186090
Summary: REGRESSION: Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Options' to 'SAMEORIGIN')
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: geoffers+webkit at gmail.com
On https://www.odeon.co.uk I am unable to buy tickets in STP 56, but can in Safari 11.1 (13605.1.33.1.4).
Ultimately, this fails with a frame navigation being refused because 'X-Frame-Options' is set to 'SAMEORIGIN'.
Repro steps:
1. Load https://www.odeon.co.uk/
2. Scroll to "Quick Links", choose any cinema/film/date, hit "Go".
3. Click on one of the times displayed below.
4. Click on the "Book now" link that appears.
5. Click on "Book as guest" after navigation.
6. Select "1" adult ticket (this probably doesn't matter) and click "Confirm tickets".
7. Choose seat (if required), click "Continue".
8. Click "Confirm Order".
9. Enter name and email address, click "Enter card details".
10. Enter card details (Visa test card number 4111111111111111 suffices, card security code "123", expiry any future date).
11. Click "Pay and complete order".
At this point, I expect a navigation or two to happen and then the tickets to be booked (or, using the test card number, a payment failure).
Instead, however, we get logged to the console:
Refused to display 'https://www.odeon.co.uk/bookingserver_ng_live6//booking/paymentHCCReturn.dhtml?bookingProcessId=763dfc57f501c9d639f0b35cc43d3172571753f2&accessible=1&useGETjsessionid=1&dts_reference=3100108257386587' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
As far as I can tell, this is trying to navigate the externalUrlIframe iframe, and note that externalUrlIframe.parent.origin == "https://www.odeon.co.uk", hence my belief that this X-Frame-Options failure is bogus.
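The console message quoted in the report is the browser's X-Frame-Options check refusing to show a response inside a frame. As an added illustration (not WebKit's code and not Odeon's site code), the JavaScript below models that decision: it parses the header value and compares the framed response's origin against the frame's ancestor documents, with a switch selecting which ancestors are consulted, because RFC 7034 records that implementations have differed on whether 'SAMEORIGIN' is compared against the top-level document only or against every ancestor. The frame chain, the payments.example host and the function names parseXFrameOptions/frameAllowed/demo are constructed for this example and are not a claim about how the Odeon booking page is actually laid out.

```javascript
// Added example, not WebKit's or Odeon's code: a model of the X-Frame-Options
// decision a browser makes before displaying a response in a frame. It shows
// why the whole ancestor chain, not only the direct parent, decides whether
// 'SAMEORIGIN' is satisfied.

// Reduce a URL to its origin (scheme://host[:port]). Path, query and
// jsessionid-style path parameters never take part in the comparison.
function originOf(url) {
  return new URL(url).origin;
}

// Parse an X-Frame-Options value. Repeated or comma-separated values that
// disagree are a conflict (framing blocked); an unrecognised value means the
// header is ignored, which is how current engines treat malformed values.
function parseXFrameOptions(headerValue) {
  if (headerValue == null) return { disposition: 'none' };
  const tokens = headerValue.split(',').map((t) => t.trim()).filter((t) => t.length > 0);
  const distinct = [...new Set(tokens.map((t) => t.toUpperCase()))];
  if (distinct.length === 0) return { disposition: 'none' };
  if (distinct.length > 1) return { disposition: 'conflict' };
  const upper = distinct[0];
  if (upper === 'DENY' || upper === 'SAMEORIGIN') return { disposition: upper.toLowerCase() };
  if (upper.startsWith('ALLOW-FROM ')) {
    // Obsolete directive; kept here only to make the comparison target explicit.
    try {
      return { disposition: 'allow-from', origin: originOf(tokens[0].slice('ALLOW-FROM '.length)) };
    } catch (e) {
      return { disposition: 'invalid' };
    }
  }
  return { disposition: 'invalid' };
}

// Decide whether responseUrl may be shown inside a frame whose ancestor
// documents are listed innermost-first in ancestorUrls (index 0 is the direct
// parent, the last entry is the top-level page). policy selects which
// ancestors a 'SAMEORIGIN' check compares against: 'parent-only', 'top-only'
// or 'all-ancestors' (what current engines do).
function frameAllowed(responseUrl, ancestorUrls, headerValue, policy = 'all-ancestors') {
  if (ancestorUrls.length === 0) return { allowed: true, reason: 'top-level navigation, header does not apply' };
  const self = originOf(responseUrl);
  const xfo = parseXFrameOptions(headerValue);
  switch (xfo.disposition) {
    case 'none':
    case 'invalid':
      return { allowed: true, reason: `no effective X-Frame-Options (${xfo.disposition})` };
    case 'conflict':
      return { allowed: false, reason: 'conflicting X-Frame-Options values' };
    case 'deny':
      return { allowed: false, reason: "it set 'X-Frame-Options' to 'DENY'" };
    case 'allow-from': {
      const top = originOf(ancestorUrls[ancestorUrls.length - 1]);
      return top === xfo.origin
        ? { allowed: true, reason: `top-level origin ${top} matches ALLOW-FROM` }
        : { allowed: false, reason: `top-level origin ${top} is not ${xfo.origin}` };
    }
    default: { // 'sameorigin'
      let checked = ancestorUrls;
      if (policy === 'parent-only') checked = [ancestorUrls[0]];
      else if (policy === 'top-only') checked = [ancestorUrls[ancestorUrls.length - 1]];
      const mismatch = checked.map(originOf).find((o) => o !== self);
      return mismatch === undefined
        ? { allowed: true, reason: `every checked ancestor is ${self}` }
        : { allowed: false, reason: `it set 'X-Frame-Options' to 'SAMEORIGIN' and ancestor ${mismatch} is not ${self}` };
    }
  }
}

// Constructed frame chain (hypothetical, not Odeon's real page structure): the
// frame being navigated has a same-origin parent, but that parent is itself
// embedded by a third-party payment page under the same-origin top document.
const FRAMED = 'https://www.odeon.co.uk/bookingserver_ng_live6//booking/paymentHCCReturn.dhtml';
const CHAIN = [
  'https://www.odeon.co.uk/booking/externalUrlFrame.html', // direct parent, same origin
  'https://payments.example/hosted-card-capture',          // hypothetical intermediate frame
  'https://www.odeon.co.uk/',                              // top-level page
];

// Run the same chain under each ancestor policy so the divergence is visible.
function demo() {
  return ['parent-only', 'top-only', 'all-ancestors'].map((policy) => ({
    policy,
    ...frameAllowed(FRAMED, CHAIN, 'SAMEORIGIN', policy),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(`${r.policy.padEnd(14)} allowed=${r.allowed} (${r.reason})`);
}
```

Run with node; in the constructed chain the parent-only and top-only policies allow the navigation while the all-ancestors policy refuses it, which is why checking that a frame's direct parent is same-origin does not by itself show that a 'SAMEORIGIN' refusal is wrong. When debugging a report like this one, record the origin of every ancestor frame of the one being navigated, not just its parent.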