| Summary: | X-Frame-Options: Multiple headers are ignored completely. |
|---|---|
| Product: | WebKit |
| Component: | WebCore Misc. |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Version: | 528+ (Nightly build) |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Mike West <mkwst> |
| Assignee: | Mike West <mkwst> |
| CC: | abarth, japhet, mkwst+watchlist, syoichi, tsepez, webkit.review.bot |
Description
Mike West
2013-03-27 04:02:11 PDT
Also filed downstream as https://code.google.com/p/chromium/issues/detail?id=145659.

Created attachment 195300
Patch

Bots seem happy. Nate, would you mind taking a look at this?

Comment on attachment 195300
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=195300&action=review

One style nit...

> Source/WebCore/loader/FrameLoader.cpp:2984 > + default: > + m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Invalid 'X-Frame-Options' header encountered when loading '" + url.elidedString() + "': '" + content + "' is not a recognized directive. The header will be ignored.", requestIdentifier); > + return false;

I think it's more common in WebKit (or at least the parts I frequent) to explicitly state all cases and have the default be ASSERT_NOT_REACHED().

Created attachment 195500
Patch for landing
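
Review bot: the `default:` branch at Source/WebCore/loader/FrameLoader.cpp:2984 ends in `return false;` right after logging "The header will be ignored", so an X-Frame-Options value that is not a recognized directive places no restriction on the load. If that fail-open result is intended, state it in a comment at the `return false;` and cover it with a test that sends an unrecognized value. In line with the style nit above, give the invalid case its own `case` label so that a disposition added later cannot fall into this branch unnoticed. The message also concatenates the raw header `content` into the console output while the URL goes through `url.elidedString()`; consider bounding the length of `content` in the same way.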

(In reply to comment #4)
> (From update of attachment 195300 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=195300&action=review > > One style nit... > > > Source/WebCore/loader/FrameLoader.cpp:2984 > > + default: > > + m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Invalid 'X-Frame-Options' header encountered when loading '" + url.elidedString() + "': '" + content + "' is not a recognized directive. The header will be ignored.", requestIdentifier); > > + return false; > > I think it's more common in WebKit (or at least the parts I frequent) to explicitly state all cases and have the default be ASSERT_NOT_REACHED().

Thanks Nate. I've taken care of that in the patch up for the CQ.

Comment on attachment 195500
Patch for landing

Clearing flags on attachment: 195500

Committed r147086: <http://trac.webkit.org/changeset/147086>

All reviewed patches have been landed. Closing bug.