Bug 110857

Summary: X-Frame-Options should accept ALLOWALL as a valid value.
Product: WebKit Reporter: Mike West <mkwst>
Component: WebCore Misc.Assignee: Mike West <mkwst>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, beidson, japhet, mjs, sam, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Mike West
Reported 2013-02-26 00:58:42 PST
Doubleclick, among others, serves `X-Frame-Options: ALLOWALL` with the intent of allowing framing everywhere. We should accept it as a valid value rather than warning about it's invalidity.
Attachments
Patch (6.80 KB, patch)
2013-02-26 01:03 PST, Mike West 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2013-02-26 01:03:31 PST
Created attachment 190233 [details] Patch
WebKit Review Bot
Comment 2 2013-02-26 14:02:02 PST
Comment on attachment 190233 [details] Patch Clearing flags on attachment: 190233 Committed r144105: <http://trac.webkit.org/changeset/144105>
WebKit Review Bot
Comment 3 2013-02-26 14:02:06 PST
All reviewed patches have been landed. Closing bug.
Brady Eidson
Comment 4 2013-04-16 17:42:28 PDT
Why did we do this when it wasn't spec'd behavior?
Adam Barth
Comment 5 2013-04-16 18:20:43 PDT
See explanation in ChangeLog.
Brady Eidson
Comment 6 2013-04-16 21:39:36 PDT
I see. The ChangeLog explains the motivation but not necessarily why it was worth it, or why it was the right course of action. Was it the right thing to do because IE supports it? Was it the right thing to do because advertisers/trackers send the header and expect it to work? Was it the right thing to do because we'd rather not clutter up the JS console? If it was the right thing to do why has WebSec/WebAppSec not added it?
Note You need to log in before you can comment on or make changes to this bug.