Warn when parsing an invalid X-Frame-Options header.
author mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Nov 2012 09:43:17 +0000 (09:43 +0000)
committer mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Nov 2012 09:43:17 +0000 (09:43 +0000)
commit ae66f00b37c90907a89ab0309ae13b55ada5bce8
tree 79f065c519799f09a22efa47f6dfde60ab57512e
parent 66d8068daa2d400248801b59036da7748d29b87c
Warn when parsing an invalid X-Frame-Options header.
https://bugs.webkit.org/show_bug.cgi?id=101447

Reviewed by Adam Barth.

Source/WebCore:

An 'X-Frame-Options' header that contains an invalid option (that is,
neither 'DENY' nor 'SAMEORIGIN') is ignored. This patch adds a console
warning to notify developers that they've made a mistake.

Test: http/tests/security/XFrameOptions/x-frame-options-invalid.html

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv):
    Move the request identifier generation out of the failure block in
    order to pass it into 'shouldInterruptLoadForXFrameOptions'. This
    ensures that the console message is properly tied to a request.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
* loader/FrameLoader.h:
(FrameLoader):
    'shouldInterruptLoadForXFrameOptions' now accepts a request
    identifier as a parameter, and generates a console message if the
    load is blocked.
* loader/MainResourceLoader.cpp:
(WebCore::MainResourceLoader::didReceiveResponse):
    Pass the request identifier into 'shouldInterruptLoadForXFrameOptions'.

LayoutTests:

* http/tests/security/XFrameOptions/resources/x-frame-options-invalid.cgi: Added.
* http/tests/security/XFrameOptions/x-frame-options-invalid-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-invalid.html: Added.
    New test with an invalid frame option value.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@133868 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-invalid.cgi [new file with mode: 0755]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-invalid-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-invalid.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/loader/FrameLoader.h
Source/WebCore/loader/MainResourceLoader.cpp
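
The behaviour the commit message describes (a value that is neither 'DENY' nor 'SAMEORIGIN' is ignored, so the response stays frameable, and a warning is raised) can be sketched as a small classifier. This is an added example, not WebKit's FrameLoader code: all type and function names are hypothetical, the warning wording is constructed, and case-insensitive matching with whitespace trimming is an assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Hypothetical names throughout; this is not WebKit's FrameLoader code.
enum class FrameOptionsDisposition { Deny, SameOrigin, Invalid };

struct FrameOptionsResult {
    FrameOptionsDisposition disposition;
    bool enforced;        // false means the header gives no framing protection
    std::string warning;  // non-empty when a developer-facing warning is due
};

// Trim surrounding whitespace and lowercase; case-insensitive matching is an
// assumption of this example (it matches RFC 7034).
static std::string normalize(const std::string& value)
{
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    auto first = std::find_if(value.begin(), value.end(), notSpace);
    auto last = std::find_if(value.rbegin(), value.rend(), notSpace).base();
    std::string out = first < last ? std::string(first, last) : std::string();
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return out;
}

FrameOptionsResult classifyFrameOptions(const std::string& headerValue)
{
    const std::string value = normalize(headerValue);
    if (value == "deny")
        return { FrameOptionsDisposition::Deny, true, "" };
    if (value == "sameorigin")
        return { FrameOptionsDisposition::SameOrigin, true, "" };
    // Anything else is ignored, so the response stays frameable; surface it.
    return { FrameOptionsDisposition::Invalid, false,
             "Invalid 'X-Frame-Options' value '" + headerValue
             + "': header ignored, response is not protected against framing." };
}

int main()
{
    // Constructed sample values, not taken from the WebKit layout tests.
    for (const char* sample : { "DENY", " SameOrigin ", "SAME-ORIGIN", "", "ALLOWALL" }) {
        FrameOptionsResult r = classifyFrameOptions(sample);
        std::cout << '[' << sample << "] enforced=" << r.enforced << ' ' << r.warning << '\n';
    }
}
```

The same check is useful server-side: running deployed header values through it shows which responses a browser following this rule would leave unprotected because of a typo such as 'SAME-ORIGIN'.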