Bug 110857

Summary:

X-Frame-Options should accept ALLOWALL as a valid value.

Product:

WebKit

Reporter:

Mike West <mkwst>

Component:

WebCore Misc.

Assignee:

Mike West <mkwst>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, ap, beidson, japhet, mjs, sam, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Description Mike West 2013-02-26 00:58:42 PST

Doubleclick, among others, serves `X-Frame-Options: ALLOWALL` with the intent of allowing framing everywhere. We should accept it as a valid value rather than warning about it's invalidity.

Comment 1 Mike West 2013-02-26 01:03:31 PST

Created attachment 190233 [details]
Patch

Comment 2 WebKit Review Bot 2013-02-26 14:02:02 PST

Comment on attachment 190233 [details]
Patch

Clearing flags on attachment: 190233

Committed r144105: <http://trac.webkit.org/changeset/144105>

Comment 3 WebKit Review Bot 2013-02-26 14:02:06 PST

All reviewed patches have been landed.  Closing bug.

Comment 4 Brady Eidson 2013-04-16 17:42:28 PDT

Why did we do this when it wasn't spec'd behavior?

Comment 5 Adam Barth 2013-04-16 18:20:43 PDT

See explanation in ChangeLog.

Comment 6 Brady Eidson 2013-04-16 21:39:36 PDT

I see.

The ChangeLog explains the motivation but not necessarily why it was worth it, or why it was the right course of action.

Was it the right thing to do because IE supports it?
Was it the right thing to do because advertisers/trackers send the header and expect it to work?
Was it the right thing to do because we'd rather not clutter up the JS console?

If it was the right thing to do why has WebSec/WebAppSec not added it?