X-Frame-Options: Multiple headers are ignored completely.
author: mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Thu, 28 Mar 2013 08:59:00 +0000 (08:59 +0000)
committer: mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Thu, 28 Mar 2013 08:59:00 +0000 (08:59 +0000)
commit: b32bf171ec176e5031caa965518f1e2b6601ab60
tree:   7646d3d1227070bac811c348301af9fed67b5bb8
parent: e813befc5bdc0c81cc58848e8892f97cc470e152
X-Frame-Options: Multiple headers are ignored completely.
https://bugs.webkit.org/show_bug.cgi?id=113387

Reviewed by Nate Chapin.

Source/WebCore:

If a server sends multiple 'X-Frame-Options' headers, we end up with a
value like 'SAMEORIGIN, SAMEORIGIN'. Currently, we're treating that as
invalid, and ignoring the header. It would be safer to follow Gecko's
lead[1] by:

- Folding duplicated entries into their common value (that is:
  'sameorigin, sameorigin' -> 'sameorigin').

- Failing closed in the case of conflicts (that is:
  'sameorigin, allowall' -> 'deny').

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=761655

Tests: http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html
       http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html
       http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
    Call out to parseXFrameOptionsHeader to get the header's disposition
    and deal with each case in a switch statement for clarity. Add a new
    console warning for the conflict case described above.
* platform/network/HTTPParsers.cpp:
(WebCore::parseXFrameOptionsHeader):
* platform/network/HTTPParsers.h:
    Move X-Frame-Options parsing out into HTTPParsers, as it's getting
    more and more complicated. To do this, the patch defines a new enum
    to pass around the header's disposition.

LayoutTests:

* http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi: Added.
* http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: Added.
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt: Added.
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt: Added.
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@147086 268f45cc-cd09-0410-ab3c-d52691b4dbfc
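As an added illustration, not WebKit's own code, the following C++ implements the two rules the message proposes: identical entries fold to their common value, and any disagreement fails closed. The `XfoDisposition` enum, `parseXFrameOptions` and `shouldBlockFrame` names are hypothetical, not WebCore's, and treating an invalid value as "no header" is an assumption of this example.

```cpp
#include <cctype>
#include <string>

// Hypothetical disposition enum for this example (not WebCore's own types).
enum class XfoDisposition { None, Deny, SameOrigin, AllowAll, Invalid, Conflict };
// Trim surrounding whitespace and lower-case one comma-separated token.
static std::string trimLower(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    std::string out = s.substr(b, e - b);
    for (char& c : out) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return out;
}
static XfoDisposition classifyToken(const std::string& token) {
    if (token == "deny") return XfoDisposition::Deny;
    if (token == "sameorigin") return XfoDisposition::SameOrigin;
    if (token == "allowall") return XfoDisposition::AllowAll;
    return XfoDisposition::Invalid;
}
// Parse the combined header value (duplicate headers arrive joined, e.g.
// "SAMEORIGIN, SAMEORIGIN"). Identical entries fold to their common value;
// any disagreement between entries yields Conflict.
XfoDisposition parseXFrameOptions(const std::string& headerValue) {
    XfoDisposition result = XfoDisposition::None;
    for (size_t start = 0;;) {
        size_t comma = headerValue.find(',', start);
        size_t len = (comma == std::string::npos) ? std::string::npos : comma - start;
        XfoDisposition current = classifyToken(trimLower(headerValue.substr(start, len)));
        if (result == XfoDisposition::None)
            result = current;
        else if (result != current)
            result = XfoDisposition::Conflict; // fail closed, as the message proposes
        if (comma == std::string::npos)
            return result;
        start = comma + 1;
    }
}

// Should the loader interrupt a framed load? Conflict blocks like DENY.
// Treating Invalid as "no header" is an assumption of this example.
bool shouldBlockFrame(XfoDisposition d, bool frameIsSameOrigin) {
    switch (d) {
    case XfoDisposition::Deny:
    case XfoDisposition::Conflict: return true;
    case XfoDisposition::SameOrigin: return !frameIsSameOrigin;
    default: return false; // None, AllowAll, Invalid
    }
}
```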
16 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-conflict.cgi [new file with mode: 0755]
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi [new file with mode: 0755]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/platform/network/HTTPParsers.cpp
Source/WebCore/platform/network/HTTPParsers.h