Remove support for X-Frame-Options in `<meta>`
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Apr 2016 19:49:58 +0000 (19:49 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Apr 2016 19:49:58 +0000 (19:49 +0000)
https://bugs.webkit.org/show_bug.cgi?id=156625
<rdar://problem/25748714>

Reviewed by Darin Adler.

Source/WebCore:

Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.

Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html
       http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
       http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
       http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
       http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.

LayoutTests:

Revise tests to match our desired behavior based on RFC 7034 (Section 4).

* http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
* http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
* http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
* http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
* inspector/console/x-frame-options-message-expected.txt: Rebaselined.
* platform/win/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199605 268f45cc-cd09-0410-ab3c-d52691b4dbfc

22 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt [deleted file]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt [deleted file]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt [deleted file]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html [moved from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html with 76% similarity]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt [moved from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt with 67% similarity]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html [moved from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html with 100% similarity]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html [moved from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html with 77% similarity]
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html [moved from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html with 76% similarity]
LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt [deleted file]
LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html [moved from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html with 100% similarity]
LayoutTests/inspector/console/x-frame-options-message-expected.txt
LayoutTests/platform/win/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp

index 9a14755..b916364 100644 (file)
@@ -1,3 +1,39 @@
+2016-04-15  Brent Fulgham  <bfulgham@apple.com>
+
+        Remove support for X-Frame-Options in `<meta>`
+        https://bugs.webkit.org/show_bug.cgi?id=156625
+        <rdar://problem/25748714>
+
+        Reviewed by Darin Adler.
+
+        Revise tests to match our desired behavior based on RFC 7034 (Section 4).
+
+        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
+        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
+        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
+        * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
+        * inspector/console/x-frame-options-message-expected.txt: Rebaselined.
+        * platform/win/TestExpectations:
+
 2016-04-15  Jiewen Tan  <jiewen_tan@apple.com>
 
         Mark inspector/formatting/formatting-javascript.html as flaky on mac
index 888fdc9..5be09c6 100644 (file)
@@ -2,8 +2,8 @@
 <head>
 </head>
 <body>
-    <p>FAIL: This should show up and disappear immediately.</p>
+    <p>PASS: This should be displayed.</p>
     <meta http-equiv="x-frame-options" content="deny" />
-    <p>FAIL: This should never show up.</p>
+    <p>PASS: This should also be displayed.</p>
 </body>
 </html>
index a277c46..bdccfbc 100644 (file)
@@ -3,6 +3,6 @@
     <meta http-equiv="x-frame-options" content="sameorigin" />
 </head>
 <body>
-    <p>FAIL: This should not show up as the parent is not in the same origin.</p>
+    <p>PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.</p>
 </body>
 </html>
diff --git a/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt b/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt
deleted file mode 100644 (file)
index 3ba55da..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html">
-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-data:, - didFinishLoading
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
diff --git a/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt b/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt
deleted file mode 100644 (file)
index 8898b04..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html">
-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
diff --git a/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt b/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt
deleted file mode 100644 (file)
index a533148..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html">
-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-data:, - didFinishLoading
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
diff --git a/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt b/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt
new file mode 100644 (file)
index 0000000..e41a9f8
--- /dev/null
@@ -0,0 +1,13 @@
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should be displayed.
diff --git a/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt b/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt
new file mode 100644 (file)
index 0000000..4264e43
--- /dev/null
@@ -0,0 +1,15 @@
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
+CONSOLE MESSAGE: line 6: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should be displayed.
+
+PASS: This should also be displayed.
         var url = document.querySelector('iframe').contentWindow.location.href;
 
         if (!url)
-            console.log("PASS: Could not read contentWindow.location.href");
+            console.log("FAIL: Could not read contentWindow.location.href");
         else
-            console.log("FAIL: Could read contentWindow.location.href");
+            console.log("PASS: Could read contentWindow.location.href");
         testRunner.notifyDone();
     }
 </script>
 
-<p>There should be no content in the iframe below</p>
+<p>There should be content in the iframe below</p>
 <iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html" onload="checkIfDone()"></iframe>
@@ -1,6 +1,7 @@
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
 ALERT: PASS: onload fired.
 There should be content in the iframe below
 
diff --git a/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt b/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt
new file mode 100644 (file)
index 0000000..89d291a
--- /dev/null
@@ -0,0 +1,14 @@
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 13: FAIL: Could not read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.
         var url = document.querySelector('iframe').contentWindow.location.href;
 
         if (!url)
-            console.log("PASS: Could not read contentWindow.location.href");
+            console.log("FAIL: Could not read contentWindow.location.href");
         else
-            console.log("FAIL: Could read contentWindow.location.href");
+            console.log("PASS: Could read contentWindow.location.href");
         testRunner.notifyDone();
     }
 </script>
 
-<p>There should be no content in the iframe below</p>
+<p>There should be content in the iframe below</p>
 <iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html" onload="checkIfDone()"></iframe>
         var url = document.querySelector('iframe').contentWindow.location.href;
 
         if (!url)
-            console.log("PASS: Could not read contentWindow.location.href");
+            console.log("FAIL: Could not read contentWindow.location.href");
         else
-            console.log("FAIL: Could read contentWindow.location.href");
+            console.log("PASS: Could read contentWindow.location.href");
         testRunner.notifyDone();
     }
 </script>
 
-<p>There should be no content in the iframe below</p>
+<p>There should be content in the iframe below</p>
 <iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html" onload="checkIfDone()"></iframe>
diff --git a/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt b/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt
deleted file mode 100644 (file)
index 28b8d1c..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22x-frame-options%22+content%3D%22deny%22%3E' in a frame because it set 'X-Frame-Options' to 'deny'.
-
diff --git a/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt b/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt
new file mode 100644 (file)
index 0000000..f9bf244
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 4: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+
index 8769bcd..c4ce6df 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 41: Refused to display 'x-frame-options-message.html' in a frame because it set 'X-Frame-Options' to 'deny'.
+CONSOLE MESSAGE: line 41: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
 
 
 == Running test suite: Console.XFrameOptionsMessages
index c7f3271..1355b2d 100644 (file)
@@ -2184,10 +2184,10 @@ webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-allowall.h
 webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-cached.html [ Crash ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny.html [ Failure ]
 webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html [ Crash ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html [ Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html [ Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html [ Crash Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-invalid.html [ Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html [ Failure ]
 webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html [ Failure ]
index de2fd3f..a891d1b 100644 (file)
@@ -1,3 +1,23 @@
+2016-04-15  Brent Fulgham  <bfulgham@apple.com>
+
+        Remove support for X-Frame-Options in `<meta>`
+        https://bugs.webkit.org/show_bug.cgi?id=156625
+        <rdar://problem/25748714>
+
+        Reviewed by Darin Adler.
+
+        Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
+        a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.
+
+        Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html
+               http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
+               http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
+               http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
+               http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.
+
 2016-04-15  Jer Noble  <jer.noble@apple.com>
 
         Audio elements should be able to have a controls manager.
index b94325f..0aceff9 100644 (file)
@@ -3304,15 +3304,8 @@ void Document::processHttpEquiv(const String& equiv, const String& content, bool
             unsigned long requestIdentifier = 0;
             if (frameLoader.activeDocumentLoader() && frameLoader.activeDocumentLoader()->mainResourceLoader())
                 requestIdentifier = frameLoader.activeDocumentLoader()->mainResourceLoader()->identifier();
-            if (frameLoader.shouldInterruptLoadForXFrameOptions(content, url(), requestIdentifier)) {
-                String message = "Refused to display '" + url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
-                frameLoader.stopAllLoaders();
-                // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's
-                // intent, we must navigate away from the possibly partially-rendered document to a location that
-                // doesn't inherit the parent's SecurityOrigin.
-                frame->navigationScheduler().scheduleLocationChange(this, securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
-                addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, requestIdentifier);
-            }
+
+            addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier);
         }
         break;