X-Frame-Options: SAMEORIGIN needs to check all ancestor frames
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 12 May 2018 04:11:16 +0000 (04:11 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 12 May 2018 04:11:16 +0000 (04:11 +0000)
commit: eba74e4c22de366564bcf65291bfc0a13acdc584
tree: 1e27c8222fa7520de035f1ff2832ae1a9fe18b12
parent: 46524b7dff32dbfef974f262b0eedceedee45d26
X-Frame-Options: SAMEORIGIN needs to check all ancestor frames
https://bugs.webkit.org/show_bug.cgi?id=185567
<rdar://problem/40175008>

Reviewed by Brent Fulgham.

Source/WebCore:

Change the behavior of "X-Frame-Options: SAMEORIGIN" to ensure that all ancestor frames
are same-origin with the document that delivered this header. This prevents an intermediary
malicious frame from clickjacking a child frame whose document is same-origin with the top-
level frame. It also makes the behavior of X-Frame-Options in WebKit more closely match
the behavior of X-Frame-Options in other browsers, including Chrome and Firefox.

Currently a document delivered with "X-Frame-Options: SAMEORIGIN" must only be same-origin
with the top-level frame's document in order to be displayed. This prevents clickjacking by
a malicious page that embeds a page delivered with "X-Frame-Options: SAMEORIGIN". However,
it does not protect against clickjacking of the "X-Frame-Options: SAMEORIGIN" page (victim)
if embedded by an intermediate malicious iframe, say a "rogue ad", that was embedded in a
document same-origin with the victim page. We should protect against such attacks.

Tests: http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-allow.html
       http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):

Source/WebKit:

Change the behavior of "X-Frame-Options: SAMEORIGIN" to ensure that all ancestor frames
are same-origin with the document that delivered this header. This prevents an intermediary
malicious frame from clickjacking a child frame whose document is same-origin with the top-
level frame. It also makes the behavior of X-Frame-Options in WebKit more closely match
the behavior of X-Frame-Options in other browsers, including Chrome and Firefox.

Currently a document delivered with "X-Frame-Options: SAMEORIGIN" must only be same-origin
with the top-level frame's document in order to be displayed. This prevents clickjacking by
a malicious page that embeds a page delivered with "X-Frame-Options: SAMEORIGIN". However,
it does not protect against clickjacking of the "X-Frame-Options: SAMEORIGIN" page (victim)
if embedded by an intermediate malicious iframe, say a "rogue ad", that was embedded in a
document same-origin with the victim page. We should protect against such attacks.

* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::shouldInterruptLoadForXFrameOptions):

LayoutTests:

Add tests to ensure that "X-Frame-Options: SAMEORIGIN" checks ancestor frames.

* http/tests/cookies/same-site/fetch-after-navigating-iframe-in-cross-origin-page.html:
* http/tests/cookies/same-site/fetch-after-top-level-navigation-initiated-from-iframe-in-cross-origin-page.html:
* http/tests/cookies/same-site/fetch-in-cross-origin-iframe.html:
* http/tests/resources/echo-iframe-src.php: Copied from LayoutTests/http/tests/cookies/same-site/resources/echo-iframe-src.php.
* http/tests/security/XFrameOptions/resources/x-frame-options-ancestors-same-origin-deny.html: Added.
* http/tests/security/XFrameOptions/resources/x-frame-options-frame-ancestors-same-origin-allow.cgi: Added.
* http/tests/security/XFrameOptions/resources/x-frame-options-frame-ancestors-same-origin-deny.cgi: Added.
* http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-allow-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-allow.html: Added.
* http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny.html: Renamed from LayoutTests/http/tests/cookies/same-site/resources/echo-iframe-src.php.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231730 268f45cc-cd09-0410-ab3c-d52691b4dbfc
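The ancestor check described in the commit message, as an added example that is not WebKit's own code: a minimal, hypothetical frame-tree model with the pre-change rule (compare only against the top-level document) beside the post-change rule (every ancestor must be same-origin), run against the "rogue ad" scenario the message describes. The Frame struct, function names and origins are constructed for illustration; unknown header values are simply ignored here, which is an assumption of this model.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical minimal frame tree (not WebKit's Frame/Document API): each
// frame holds the serialized origin of its document and a parent pointer,
// nullptr at the top level.
struct Frame {
    std::string origin;
    const Frame* parent;
};

enum class XFrameOptions { None, Deny, SameOrigin, Invalid };

// Parse the header value; tokens are case-insensitive, surrounding whitespace ignored.
XFrameOptions parseXFrameOptions(std::string value) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    value.erase(value.begin(), std::find_if(value.begin(), value.end(), notSpace));
    value.erase(std::find_if(value.rbegin(), value.rend(), notSpace).base(), value.end());
    std::transform(value.begin(), value.end(), value.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (value.empty()) return XFrameOptions::None;
    if (value == "deny") return XFrameOptions::Deny;
    if (value == "sameorigin") return XFrameOptions::SameOrigin;
    return XFrameOptions::Invalid;   // unknown values are ignored in this model (assumption)
}

// Pre-change rule: SAMEORIGIN only compares against the top-level document's origin.
bool shouldInterruptTopLevelOnly(const Frame& frame, const std::string& docOrigin, XFrameOptions option) {
    if (!frame.parent) return false;                 // nothing to check for a top-level load
    if (option == XFrameOptions::Deny) return true;  // DENY blocks any framed load
    if (option != XFrameOptions::SameOrigin) return false;
    const Frame* top = frame.parent;
    while (top->parent) top = top->parent;
    return top->origin != docOrigin;
}

// Post-change rule: every ancestor frame must be same-origin with the delivered document,
// so an intermediary cross-origin frame blocks the load even under a same-origin top level.
bool shouldInterruptAllAncestors(const Frame& frame, const std::string& docOrigin, XFrameOptions option) {
    if (!frame.parent) return false;
    if (option == XFrameOptions::Deny) return true;
    if (option != XFrameOptions::SameOrigin) return false;
    for (const Frame* ancestor = frame.parent; ancestor; ancestor = ancestor->parent)
        if (ancestor->origin != docOrigin) return true;
    return false;
}

// Constructed scenario from the commit message: the victim page is embedded by a
// cross-origin "rogue ad" frame that itself sits inside a same-origin top-level page.
bool rogueAdScenarioBlocked(bool useAllAncestors) {
    const Frame top{"https://victim.example", nullptr};
    const Frame rogueAd{"https://ads.example", &top};
    const Frame victimSlot{"https://victim.example", &rogueAd};
    const XFrameOptions option = parseXFrameOptions(" SameOrigin ");
    return useAllAncestors ? shouldInterruptAllAncestors(victimSlot, "https://victim.example", option)
                           : shouldInterruptTopLevelOnly(victimSlot, "https://victim.example", option);
}
```

Under the old rule the rogue-ad load goes through because the top-level frame is same-origin; under the new rule the cross-origin intermediary interrupts it.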
16 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/cookies/same-site/fetch-after-navigating-iframe-in-cross-origin-page.html
LayoutTests/http/tests/cookies/same-site/fetch-after-top-level-navigation-initiated-from-iframe-in-cross-origin-page.html
LayoutTests/http/tests/cookies/same-site/fetch-in-cross-origin-iframe.html
LayoutTests/http/tests/resources/echo-iframe-src.php [moved from LayoutTests/http/tests/cookies/same-site/resources/echo-iframe-src.php with 100% similarity]
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-ancestors-same-origin-deny.html [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-frame-ancestors-same-origin-allow.cgi [new file with mode: 0755]
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-frame-ancestors-same-origin-deny.cgi [new file with mode: 0755]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-allow-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-allow.html [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp